question regarding context check intercept


question regarding context check intercept

Losen, Stephen C. (scl)-2
Hi folks,

We have an LDAP "TODO" attribute that is a reminder for new students to complete various required tasks, such as taking IT security awareness training. The attribute has a value for each task with the format:

task-description;URL-of-task;deadline

If the user has any unfinished tasks, then we want the IDP to display a reminder page listing the tasks.  The user can click a task URL and go to the task. If none of the task deadlines has passed, then the reminder page has a "continue" button to continue the current authentication.  But if any deadline has passed, then the page has no "continue" button and the current authentication cannot complete.

Most required tasks use the IDP for authentication, so we will whitelist them to avoid looping.

Sounds like I need a Context Check Intercept and a velocity view to display the tasks. This would work fine in the case where a deadline has passed (no "continue" option).  However, I do not think that a CCI can resume the current authentication if the user selects "continue".  What data would the view POST and to what URL?

Can I somehow use the terms-of-use flow?  Or do I need to write my own custom flow for this?  If a custom flow, can I use XML and scripts to avoid writing java code?

We are running IDP 3.3.2.  Maybe this will be easier in 3.4?


Stephen C. Losen
ITS - Systems and Storage
University of Virginia
[hidden email]    434-924-0640


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
RE: question regarding context check intercept

Cantor, Scott E.
> Sounds like I need a Context Check Intercept and a velocity view to display
> the tasks. This would work fine in the case where a deadline has passed (no
> "continue" option).  However, I do not think that a CCI can resume the
> current authentication if the user selects "continue".  What data would the
> view POST and to what URL?

Its entire design is based on triggering an error event. It doesn't display anything unless that event happens and then it's up to the error layer. It's impossible to resume anything once that happens or there would be a bug (though I still maintain a suspicion that trying to prevent the IdP from issuing assertions is something that I wouldn't personally count on being absolutely bulletproof in the face of a determined user).

> Can I somehow use the terms-of-use flow?

Very awkward at best I would think.

>  Or do I need to write my own
> custom flow for this?  If a custom flow, can I use XML and scripts to avoid
> writing java code?

Depends on what the flow had to do; at some point it becomes silly to avoid doing in Java something that is much more work to do other ways. We have scripted action support so it's possible to script just about anything, but that's not meant to be used for extensive work. But I doubt there's any code involved here. The LDAP part is just resolving an attribute and the flow itself is pretty much checking the attribute and then either entering a view-state or just doing nothing.

> We are running IDP 3.3.2.  Maybe this will be easier in 3.4 ?

Not in any way I can think of really.

-- Scott

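The decision logic Stephen describes (parse the TODO values, show a reminder, and withhold "continue" once any deadline has passed) and the flow shape Scott sketches (check the attribute, then enter a view-state or do nothing), as an added example that is not code from the thread or from the Shibboleth project. It assumes deadlines are ISO-8601 dates, that the relying party whitelist is a set of entity IDs, and that malformed values fail closed; a real IdP flow would run this server-side before any view is rendered, since the view itself cannot be trusted to stop assertion issuance.

```javascript
// Parse one TODO value of the form task-description;URL-of-task;deadline.
// Returns null for a malformed value so the caller can decide how to treat it.
function parseTodoValue(value) {
  const parts = value.split(";");
  if (parts.length !== 3) return null;
  const [description, url, deadline] = parts.map((p) => p.trim());
  const due = new Date(deadline); // assumption: ISO-8601 date, e.g. 2024-09-01
  if (!description || !url || Number.isNaN(due.getTime())) return null;
  return { description, url, due };
}

// Decide what a custom flow should do for this login.
//   "proceed" - nothing to show, the flow does nothing
//   "remind"  - render the task view with a "continue" button
//   "block"   - render the task view without "continue"; authentication halts
// relyingPartyId/whitelist model the loop-avoidance Stephen mentions: task
// sites that themselves authenticate through the IdP are never intercepted.
function evaluateTodo(values, now, relyingPartyId, whitelist) {
  if (whitelist.has(relyingPartyId)) {
    return { decision: "proceed", tasks: [], overdue: [], malformed: 0 };
  }
  const tasks = [];
  let malformed = 0;
  for (const v of values) {
    const task = parseTodoValue(v);
    if (task) tasks.push(task);
    else malformed += 1;
  }
  if (tasks.length === 0 && malformed === 0) {
    return { decision: "proceed", tasks, overdue: [], malformed };
  }
  const overdue = tasks.filter((t) => t.due.getTime() < now.getTime());
  // Fail closed (this example's choice): a value the IdP cannot parse is
  // treated like an overdue task rather than silently ignored.
  const decision = overdue.length > 0 || malformed > 0 ? "block" : "remind";
  return { decision, tasks, overdue, malformed };
}
```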