IDP3/4 -> read (&write) custom session cookie for authentication

Käfer Thomas thomas.kaefer at
Wed Apr 22 02:44:12 EDT 2020

Hello everyone!

I'd like to ask you for pointers on how to best (easiest) port my Shibboleth idp2 custom session cookie (set and read on our superdomain by some legacy applications) to the very much different idp3/4 implementations.

On idp2 all I did was put an Apache Axis WSDL2Java WebserviceClient on the classpath and use that in those two modified methods:

edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler:login(..) &

In the first one I checked if the cookie is present in the httpRequest and that it represented a valid session, and if so set PRINCIPAL_NAME_KEY to the session's username, called AuthenticationEngine.returnToAuthenticationEngine(..) and prevented the default code from running by returning to the caller right away.

In the second one I read username and password from the request and validated those with my WebserviceClient (and if successful did the PRINCIPAL_NAME_KEY setting and returnToAuthenticationEngine(..) here).


Now on IDP3/4 this seems to be a completely different ball game.

I did implement our authentication with the IDP3 password flow and a JAAS back-end, but in there I have no way to access our custom session cookies or set them after a successful username+password login.

I thought maybe I could use ExternalAuthenticationImpl and guessed that maybe the doStart(..) method will give me the first httpRequest before the user is shown the login mask, and the doFinish(..) for the username+password validation, but it's quite unclear to me if that's correct and how to implement that.

Thanks to anyone reading this far, and I'd love to read some ideas!

Kind Regards,
Thomas Käfer
