Multiple login handler using an ExtLoginHandler


mariasol
Hi All,

We need to have multiple login handlers working together (PreviousSession, UsernamePassword and a custom one): if there's no previous session, validate with our custom login handler, and if this fails too, go to the UsernamePassword handler.
Is there any way to do this with Shibboleth?

What we did to support this is:

Configure the default authentication method in the relying party to use the custom one:

    <rp:RelyingParty id="https://sp-examplecom/shibboleth"
                     provider="https://idp.com/idp/shibboleth"
                     defaultSigningCredentialRef="IdPCredential"
                     nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                     defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:mylogin">
        <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                                 encryptNameIds="never"
                                 encryptAssertions="never"/>
    </rp:RelyingParty>

I'm not sure if we can use the urn:oasis:names:tc:SAML:2.0:ac:classes:mylogin name, but it works.

In the custom login handler implementation we add some logic: if the authentication fails, it redirects to
/Authn/UserPassword, as in the example at https://wiki.shibboleth.net/confluence/display/SHIB2/IdPDevExtLoginHandler

This approach is working; I tested a few scenarios and it worked as expected.

What do you think about it? Do you see any inconvenience with it?

Thanks in advance
Sol
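The following is an added example, not the poster's handler or Shibboleth project code, of what such an ExtLoginHandler servlet can look like on the IdP 2.x API (AuthenticationEngine, LoginHandler constants, AuthenticationException): it first validates a site-issued ticket and only redirects to the stock /Authn/UserPassword handler from the post when no valid ticket is present. The package name, the "ticketKeyHex" init parameter, the X-Site-Ticket header and the ticket format are all constructed for the example.

```java
// Added example (not the poster's code): IdP 2.x external login handler that
// tries a site ticket first and falls back to the UsernamePassword handler.
// Hypothetical: package name, X-Site-Ticket header, ticketKeyHex init-param,
// and the ticket format user:expiryEpochSeconds:hexHmac.
package example.idp.authn;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationException;
import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;

public class TicketThenPasswordLoginServlet extends HttpServlet {

    // Path of the stock UsernamePassword handler, as used in the post.
    private static final String USERPASS_PATH = "/Authn/UserPassword";

    // Shared secret for the ticket MAC, read from web.xml (hypothetical param).
    private byte[] ticketKey;

    @Override
    public void init() throws ServletException {
        String hex = getServletConfig().getInitParameter("ticketKeyHex");
        if (hex == null || hex.length() < 64) {   // insist on at least 32 key bytes
            throw new ServletException("ticketKeyHex missing or too short");
        }
        ticketKey = hexToBytes(hex);
    }

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String principal = null;
        try {
            principal = validateTicket(req.getHeader("X-Site-Ticket"));
        } catch (AuthenticationException e) {
            // Record why the custom check failed; the fallback still happens.
            req.setAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY, e);
        }
        if (principal != null) {
            req.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, principal);
            AuthenticationEngine.returnToAuthenticationEngine(req, resp);
            return;
        }
        // Fixed, context-relative target: no request data feeds the redirect.
        resp.sendRedirect(req.getContextPath() + USERPASS_PATH);
    }

    // Returns the user name for a valid ticket, null when no ticket was sent,
    // and throws when a ticket was sent but is malformed, expired or forged.
    String validateTicket(String ticket) throws AuthenticationException {
        if (ticket == null || ticket.isEmpty()) {
            return null;
        }
        String[] parts = ticket.split(":", -1);
        if (parts.length != 3 || parts[0].isEmpty()) {
            throw new AuthenticationException("malformed ticket");
        }
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            throw new AuthenticationException("malformed ticket expiry");
        }
        if (expiry <= System.currentTimeMillis() / 1000L) {
            throw new AuthenticationException("ticket expired");
        }
        byte[] given;
        try {
            given = hexToBytes(parts[2]);
        } catch (IllegalArgumentException e) {
            throw new AuthenticationException("malformed ticket MAC");
        }
        byte[] expected = hmacSha256(ticketKey, parts[0] + ":" + parts[1]);
        // Constant-time comparison; also false when the lengths differ.
        if (!MessageDigest.isEqual(expected, given)) {
            throw new AuthenticationException("ticket MAC mismatch");
        }
        return parts[0];
    }

    private static byte[] hmacSha256(byte[] key, String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable", e);
        }
    }

    private static byte[] hexToBytes(String hex) {
        if (hex.length() % 2 != 0) throw new IllegalArgumentException("odd-length hex");
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) throw new IllegalArgumentException("non-hex character");
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }
}
```

Two things worth checking when deploying a fallback of this shape. First, a user who ends up at /Authn/UserPassword has authenticated with a password, yet the engine was asked for the custom method, so confirm which AuthnContextClassRef the resulting assertion carries and whether the SP is willing to accept it. Second, urn:oasis:names:tc:SAML:2.0:ac:classes:* is the namespace of the standard SAML authentication context classes, so a site-specific class name is better placed under a URN the site itself controls.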