AW: IDP3/4 -> read (&write) custom session cookie for authentication

Thu Jun 25 16:20:58 UTC 2020

Hello Scott!

> I added a mention of the proper way to handle cookies into the documentation, and that does not rely on doing it by hand.

Thank you! That helped me a lot!

So I now got this:
@Autowired
@Qualifier("shibboleth.CookieManager")
CookieManager cm;

which allowed me to read the cookie, but I also need the User-Agent and the RemoteAddress (to allow the legacy Auth Service to verify that the Cookie hasn't been transfered).
I could have gotten that from the HttpServletRequest, but I can't get from this CookieManager.

Can you give me some pointers how to get that too?

Thank you heaps!
Kind regards
Thomas Käfer

________________________________
Von: Käfer Thomas <thomas.kaefer at fh-campuswien.ac.at>
Gesendet: Donnerstag, 25. Juni 2020 14:30
An: Shib Users <users at shibboleth.net>
Betreff: AW: IDP3/4 -> read (&write) custom session cookie for authentication

Dear Scott,

sorry for the long pause.

I've now written a Class like this:

public class AuthFunction implements Function<ProfileRequestContext<AuthnRequest, String>, Object> {
@Override
public Object apply(ProfileRequestContext<AuthnRequest, String> arg0) {...}
}

And made my Shibboleth IDP4 use it by having this line in the config file:
<bean id="shibboleth.authn.Function.ResultLookupStrategy" class="at.ac.fhcampuswien.campusauth.AuthFunction" />
in the file /opt/shibboleth-idp/conf/authn/function-authn-config.xml

And the line
idp.authn.flows= Function
in the file /opt/shibboleth-idp/conf/idp.properties

By returning a hard coded username in that "apply" method, I managed to get successful authentication.

The problem I have not yet solved is accessing the HttpRequest for getting & HttpResponse for setting my custom authentication cookie (for Single-Sign-On compatibility with some legacy applications that don't use shibboleth for authentification)

You said in a previous mail that I need to use injection for that. I tried:
@Autowired
org.opensaml.messaging.context.httpclient.HttpClientRequestContext h;

Which gives me this exception:
org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'org.opensaml.messaging.context.httpclient.HttpClientRequestContext' available

I also tried
@Autowired
javax.servlet.http.HttpServletRequest h;

Which gives the similar exception:
org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'javax.servlet.http.HttpServletRequest' available

Could you please give some more details on how to inject the HttpRequest so I can access the cookie I need?

Thank you
kind regards
Thomas Käfer

________________________________
Von: users <users-bounces at shibboleth.net> im Auftrag von Cantor, Scott <cantor.2 at osu.edu>
Gesendet: Dienstag, 28. April 2020 16:49
An: Shib Users <users at shibboleth.net>
Betreff: Re: IDP3/4 -> read (&write) custom session cookie for authentication

On 4/28/20, 9:21 AM, "users on behalf of Käfer Thomas" <users-bounces at shibboleth.net on behalf of thomas.kaefer at fh-campuswien.ac.at> wrote:

> Do you maybe have a pre-existing example of any (similar) login flow usage that I could infer how to do this from (I'd
> prefer Java to Javascript-let)..

That's just too broad a question for me to answer, all there is the source code and the documentation on writing a custom login flow [1] combined with the little bit of higher level documentation. But a function to do this is far different then a real flow. There's nothing you're intended to rely on in the IdP for the most part other than some low level objects like the servlet API, it's just supposed to do its work and return the result.

The rest is a matter of Java and Spring and whatever you're actually trying to build it to do. If you're doing REST, then you should use the HttpClient work we have, and we have documentation on wiring that up.

> Also even if I understand the concept of bean injection, I sadly have no idea of how to do this in the Shibboleth context,
> and again I couldn't find any examples using Google.

Shibboleth has nothing to do with that part, this is a Spring-based implementation, it's the Spring documentation you have to read to understand how to relate objects together. We supply or standardize the objects, it's Spring configuration that puts them together. We have documentation on that and pointers to the parts of the Spring documentation that are required reading.

-- Scott

[1] https://wiki.shibboleth.net/confluence/display/IDP4/Authentication

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

Informationen zum Datenschutz: www.fh-campuswien.ac.at/datenschutzerklaerung
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20200625/91ea6bd6/attachment.htm>