LPS:Shib plus WA
Z HelpDesk
- http://shibboleth.internet2.edu
- http://webauth.stanford.edu/protocol.html (popis WebAuth protokolu)
TODO
- napsat rusovi podrobne informace o chybe a jejich pricinach se zadosti o radu co s tim [indy]
- vyzjistit jak funguje webauthi reautentizace [bodik,p@ja]
- asi potrebujeme idp auth external nebo coze
Data
(note that we don't have latest IDP version in production, line numbers taken from sources may differ)
our IDP configuration webapps/idp/conf/handler.xml
... <LoginHandler xsi:type="RemoteUser"> <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod> </LoginHandler> <LoginHandler xsi:type="PreviousSession"> <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</AuthenticationMethod> </LoginHandler> ...
error message showed during working with our TCS application (requesting a new certificate)
07:44:27.748 - INFO [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:440] - Force authentication requested but no login handlers available to support it 07:44:27.748 - INFO [Shibboleth-Access:72] - 20110525T054427Z|89.103.43.107|shib.zcu.cz:443|/profile/SAML2/Redirect/SSO| 07:44:27.756 - WARN [org.opensaml.saml2.binding.encoding.BaseSAML2MessageEncoder:88] - Relay state exceeds 80 bytes, some application may not support this.
so we think, than when our application is requesting forced authentication, shibboleth determines a set of available authentication methods in
REL_2/java-idp/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java protected void filterByForceAuthentication(Session idpSession, LoginContext loginContext, ... loginHandlers.remove(AuthnContext.PREVIOUS_SESSION_AUTHN_CTX); LoginHandler loginHandler; for (AuthenticationMethodInformation activeMethod : activeMethods) { loginHandler = loginHandlers.get(activeMethod.getAuthenticationMethod()); if (loginHandler != null && !loginHandler.supportsForceAuthentication()) { for (String handlerSupportedMethods : loginHandler.getSupportedAuthenticationMethods()) { LOG.debug("Removing LoginHandler {}, it does not support forced re-authentication", loginHandler.getClass().getName()); loginHandlers.remove(handlerSupportedMethods); } } } ... if (loginHandlers.isEmpty()) { LOG.info("Force authentication requested but no login handlers available to support it"); throw new ForceAuthenticationException(); } }
we end up with empty loginHandlers because we'r using:
REL_2/java-idp/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/RemoteUserLoginHandler.java public class RemoteUserLoginHandler extends AbstractLoginHandler { } which inherits supportsForceAuthentication from: REL_2/java-idp/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/AbstractLoginHandler.java public abstract class AbstractLoginHandler implements LoginHandler { ... /** Constructor. */ protected AbstractLoginHandler(){ supportedAuthenticationMethods = new LazyList<String>(); supportsForceAuthentication = false; supportsPassive = false; } ... }
we thinks that we might need to program new LoginHandler based on
edu.internet2.middleware.shibboleth.idp.authn.provider.ExternalAuthnSystemLoginHandler
in which we'll employ WebAuth reauthentication protocol features ?