Re: IDP3/4 -> read (&write) custom session cookie for authentication

Käfer Thomas thomas.kaefer at
Sat Apr 25 05:04:41 EDT 2020

Hello Scott,

thank you for your reply!

> You would have to be much more explicit about the purpose behind this.

The purpose:

If a user has logged in to one of our legacy apps (that don't use the Shibboleth IDP >=3 server for authentication) they will have a custom (non-Shibboleth) Session Cookie on our root domain.

I would like to implement an authentication flow (or method) for Shibboleth IDP >=3 that checks if that (non-Shibboleth) Session Cookie is valid (against a custom Auth-Web-Service) and, if it is, skip asking the user for username+password.

I do not want to mess with the Shibboleth sessions; it should be a custom authentication method which uses a non-Shibboleth session cookie as credential instead of the username+password if present and valid.

From: Käfer Thomas <thomas.kaefer at>
Sent: Wednesday, 22 April 2020 08:44
To: Shib Users <users at>
Subject: IDP3/4 -> read (&write) custom session cookie for authentication

Hello everyone!

I'd like to ask you for pointers on how to best (easiest) port my Shibboleth idp2 custom session cookie (set and read on our superdomain by some legacy applications) to the very much different idp3/4 implementations.

On idp2 all I did was put an Apache Axis WSDL2Java WebserviceClient on the classpath and used that in those two modified methods:

edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler:login(..) &

In the first one I checked if the cookie is present in the httpRequest and that it represented a valid session, and if so set PRINCIPAL_NAME_KEY to the session's username, called AuthenticationEngine.returnToAuthenticationEngine(..) and prevented the default code from running by returning to the caller right away.

In the second one I read username and password from the request and validated those with my WebserviceClient (and if successful did the PRINCIPAL_NAME_KEY setting and returnToAuthenticationEngine(..) here).


Now on IDP3/4 this seems to be a completely different ball game.

I did implement our authentication with the IDP3 password flow and a JAAS back-end, but in there I have no way to access our custom session cookies or set it after a successful username+password login.

I thought maybe I could use ExternalAuthenticationImpl and guessed that maybe the doStart(..) method will give me the first httpRequest before the user is displayed the login mask, and the doFinish(..) for the username+password validation but it's quite unclear to me if that's correct and how to implement that.

Thanks anyone reading this far and I'd love to read some ideas!

Kind Regards,
Thomas Käfer
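As an added illustration of the cookie-based flow asked about above (example code, not from this thread or from the Shibboleth project), here is how such a check could sit behind an IdP 3/4 External authentication flow. It assumes the IdP's `net.shibboleth.idp.authn.ExternalAuthentication` helper (`startExternalAuthentication`, `finishExternalAuthentication`, `PRINCIPAL_NAME_KEY`, `AUTHENTICATION_ERROR_KEY`, as I recall them from the IdP 3/4 javadoc; verify against your version), a hypothetical `LegacySessionClient` standing in for the custom Auth-Web-Service, and a placeholder cookie name `LEGACY_SESSION`.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;

/** Hypothetical stand-in for the custom Auth-Web-Service client (not a real API). */
interface LegacySessionClient {
    // Username for a valid, unexpired legacy session; null if the cookie is not accepted.
    String usernameForValidSession(String cookieValue);
}

/** Servlet behind an IdP 3/4 External authentication flow: the IdP redirects here,
 *  we check the legacy cookie against the web service and hand the principal back. */
public class LegacyCookieAuthServlet extends HttpServlet {
    /** Placeholder cookie name; use the legacy application's real one. */
    private static final String COOKIE_NAME = "LEGACY_SESSION";
    private LegacySessionClient sessionClient; // wired in init(); assumed to be set

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            // Hand-off from the IdP: the key identifies this authentication attempt.
            final String key = ExternalAuthentication.startExternalAuthentication(req);
            final String cookie = legacyCookie(req);
            // Validation happens server-side only; the cookie value is never logged.
            final String username = cookie == null ? null : sessionClient.usernameForValidSession(cookie);
            if (username != null) {
                // Valid legacy session: report the principal; the IdP builds its own session from it.
                req.setAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY, username);
            } else {
                // Fail closed: report an error string, which the IdP maps to a flow event.
                req.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY, "NoLegacySession");
            }
            ExternalAuthentication.finishExternalAuthentication(key, req, resp);
        } catch (ExternalAuthenticationException e) {
            throw new ServletException("External authentication hand-off failed", e);
        }
    }

    /** Returns the legacy cookie value, or null when absent or empty. */
    private static String legacyCookie(HttpServletRequest req) {
        final Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies)
            if (COOKIE_NAME.equals(c.getName()) && !c.getValue().isEmpty()) return c.getValue();
        return null;
    }
}
```

How the reported error string maps to an event, and whether the IdP then falls through to the Password flow when the cookie is missing, depends on the External flow configuration of your IdP version; check its ExternalAuthnConfiguration documentation rather than assuming the fallback.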
