[Shib-Users] Workflow in shibboleth


Michael Frers

Jan 27, 2009, 2:55:02 AM
to shibbole...@internet2.edu

Hello

Small question about the workflow in Shibboleth.

Here are two scenarios we need, but we are not sure if it is possible.

A:

New user (not authenticated anywhere with Shibboleth) starts our application.

Our application makes a redirect to Shibboleth.

Shibboleth looks if the user is authenticated already (in this case not).

NOW redirect back to our application, and our application works anonymously.

(There the user can click on Login and the normal authentication process against Shibboleth starts.)

B:

New user (ALREADY authenticated somewhere with Shibboleth) starts our application.

Our application makes a redirect to Shibboleth.

Shibboleth looks if the user is authenticated already (the user is now).

NOW redirect back to our application with the user credentials.

And now the user works authenticated in our application.

Can someone give a quick answer whether this is possible?

Thx

--

Michael Frers


Lukas Haemmerle

Jan 27, 2009, 9:35:16 AM
to shibbole...@internet2.edu
> Someone a quick answer if this is possible?

Provided SP and IdP both support SAML2, I would say this generally is
possible using the SAML2 isPassive feature.

I couldn't find a page that explains how this works in detail but there
are pages that say how to use isPassive:
https://spaces.internet2.edu/display/SHIB2/NativeSPContentSettings
https://spaces.internet2.edu/display/SHIB2/NativeSPSessionCreationParameters

There was a discussion regarding isPassive last March, maybe this helps
you a bit further:
https://mail.internet2.edu/wws/arc/shibboleth-users/2008-03/msg00243.html

If I remember correctly, your application should send unflagged users to
/Shibboleth.sso/DS?isPassive=true&target=#URL to send users to if they
are authenticated# and define in shibboleth2.xml a custom redirectError
page where unauthenticated users will be redirected to. This page then
has to set a cookie or otherwise flag the user and send him back to the
public part of the web page or the first web page that initially sent
the user to /Shibboleth.sso/DS.

I hope this helps for a starter. I intend to have a look at this anyway
sometime this week. Maybe I can give you better instructions then :)

Lukas

--
SWITCH
Serving Swiss Universities
--------------------------
Lukas Haemmerle, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 64, fax +41 44 268 15 68
lukas.h...@switch.ch, http://www.switch.ch

Scott Cantor

Jan 27, 2009, 10:30:44 AM
to shibbole...@internet2.edu
> Provided SP and IdP both support SAML2, I would say this generally is
> possible using the SAML2 isPassive feature.

Yes, that's the only way to do it as the problem was stated.

> If I remember correctly, your application should send unflagged users to
> /Shibboleth.sso/DS?isPassive=true&target=#URL to send users to if they
> are authenticated# and define in shibboleth2.xml a custom redirectError
> page where unauthenticated users will be redirected to.

Mostly, but as a general rule I would stick with /Login as the primary
handler to use for making requests. My goal was that everybody would use
that convention so that you can generally count on every SP out there
accepting that. I had to use separate locations for the other examples in
the file, but when I use them I usually just change the locations. Maybe
I'll start commenting the others out, or just put them in the wiki, I don't
know.

But basically, yes. You keep the session option off/lazy, pass control to
the initiator with isPassive=1, and then catch the error with a redirect.
For the Login button, you send them to the same initiator but without
isPassive set.

-- Scott
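One way to wire up the flow Lukas and Scott describe (lazy session, a silent attempt through /Shibboleth.sso/Login with isPassive=1, an error page reached via redirectErrors in shibboleth2.xml that flags the browser and sends it back, and a Login button that uses the same initiator without isPassive), as an added Python example that is not from this thread or from the Shibboleth project. The cookie name, the /shib-error and /login paths, the application URL and the RelayState parameter on the error redirect are assumptions.

```python
from urllib.parse import urlencode

# Assumed names for this example (not from the thread):
SP_LOGIN = "/Shibboleth.sso/Login"        # default SessionInitiator location
FLAG_COOKIE = "shib_passive_tried"        # marks that the silent attempt was made
PUBLIC_HOME = "https://app.example.org/"  # constructed public landing page


def login_url(target, passive):
    """Build the SessionInitiator URL; isPassive=1 only for the silent attempt."""
    params = {"target": target}
    if passive:
        params["isPassive"] = "1"
    return SP_LOGIN + "?" + urlencode(params)


def handle_request(path, request_url, cookies, sp_vars, query=None):
    """Decide the application's response to one request.

    cookies: request cookies; sp_vars: variables the SP exports for a lazy
    session (Shib-Session-ID, REMOTE_USER); query: query-string parameters.
    Returns {"status": int, "headers": dict, "body": str}.
    """
    query = query or {}
    if path == "/shib-error":
        # The SP sent the browser here through redirectErrors, e.g. after the
        # IdP answered NoPassive. Flag the browser and return it to the public
        # page so the next request does not start another passive attempt.
        # Assumption: the SP passes the original target back as RelayState.
        back = query.get("RelayState", PUBLIC_HOME)
        cookie = f"{FLAG_COOKIE}=1; Path=/; Secure; HttpOnly"
        return {"status": 302, "headers": {"Location": back, "Set-Cookie": cookie}, "body": ""}
    if path == "/login":
        # The Login button: same initiator, without isPassive, so the IdP may prompt.
        target = query.get("target", PUBLIC_HOME)
        return {"status": 302, "headers": {"Location": login_url(target, False)}, "body": ""}
    if sp_vars.get("Shib-Session-ID"):
        # Scenario B: the SP already holds a session. Authentication state comes
        # from the SP, never from the flag cookie, which only records an attempt.
        return {"status": 200, "headers": {}, "body": "user=" + sp_vars.get("REMOTE_USER", "")}
    if FLAG_COOKIE not in cookies:
        # Scenario A, first visit: try a passive login before showing anything.
        return {"status": 302, "headers": {"Location": login_url(request_url, True)}, "body": ""}
    # Scenario A, passive attempt already failed: serve the anonymous page.
    return {"status": 200, "headers": {}, "body": "anonymous"}
```

The content the SP protects stays on a lazy session (requireSession off) so that unauthenticated requests reach the application at all; the flag cookie is only a loop guard and carries no authentication state.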

