I want to know how to access application data (e.g. user name) from idP. I've successfully installed the following Components:
- Apache HTTP, mod_jk, Tomcat
- Shibboleth SP (at external system)
- Shibboleth idP (at Tomcat)
- my LDAP
- my Application, which uses Spring security (at Tomcat)
The whole thing works fine, so it's possible to send a request to the SP which redirects to the idP. As expected the default login page is displayed and it is possible to log in with user and password over LDAP. But this is not what I need. It should be possible to log in without showing any login page! My idea is that the idP gets the user information directly from my application and redirects to the browser if the authentication was successful. Otherwise an "Access denied" page should be displayed.
First I wrote a Java Filter to extract the user information from the Spring context of my application and deployed it. It works fine, so I'm able to get the user information by calling a special URL defined in the filter mappings like "https://my.server.com:443/myapp/idp/crf". As you can see my application is running at Tomcat in the context "myapp" whereas the idP has its own context ("idp")!
Next step was to make some changes in the handler.xml. I wanted to force the idP to call my application by using the filter URL and get the user data as response attributes. Using the "RemoteUser" LoginHandler with attribute "protectedServletPath" was no solution because the LoginHandler does not support access to any other context than "/idp" (could be checked in idp-process.log: something like "https://my.server.com:443/idp/myapp/idp/crf" is called). So I tried the LoginHandler "ExternalAuthn" setting "externalAuthnPath" to the URL of my application filter. The idp-process.log says "Forwarding authentication request to https://my.server.com:443/myapp/idp/crf" which is correct. But in my browser the following message appears:
An error occurred while processing your request. Please contact your helpdesk or user ID office for assistance.
Error Message: Invalid IdP URL (HTTP 404)
Finally, there are two questions:
- Is it possible to access an application residing in another context than the idP's context?
- If yes, what has to be done?
Some Shibboleth users posted that you must modify the idP.war by adding your own handler (servlet), but I don't think that this is the solution. The same goes for using cross-context configuration in Tomcat (really?)
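As an added illustration of the ExternalAuthn mechanism discussed in the post (this is example code, not part of the original post and not Shibboleth's own code), the servlet below is deployed inside the idp webapp itself. The ExternalAuthn login handler reaches externalAuthnPath through a servlet forward, and a forward stays within the context it started in, which is why a path in /myapp cannot be reached that way. The handler.xml fragment in the comment, the class `edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine` with its static `returnToAuthenticationEngine` method, the `LoginHandler.PRINCIPAL_NAME_KEY` request-attribute constant and the package name `example.idp` are assumptions about the IdP 2.x API and should be checked against the installed version.

```java
// Added example, not from the original post. Minimal external-authentication
// servlet for Shibboleth IdP 2.x, mapped inside the idp webapp (assumed web.xml
// mapping: /Authn/External), so the handler's servlet forward can reach it.
//
// Assumed handler.xml entry (IdP 2.x syntax):
//   <ph:LoginHandler xsi:type="ph:ExternalAuthn" externalAuthnPath="/Authn/External">
//     <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
//   </ph:LoginHandler>
package example.idp; // hypothetical package name

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// Assumed IdP 2.x classes (verify against the deployed idp.war):
import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;

public class ExternalAuthnServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Trust only an identity the container itself established, e.g. REMOTE_USER
        // handed over by Apache through mod_jk (tomcatAuthentication="false").
        // A user name taken from a browser-supplied header or parameter would let
        // any client pick its own identity, so it is deliberately not read here.
        String user = req.getRemoteUser();

        if (user == null || user.trim().isEmpty()) {
            // No container-established identity: show the "Access denied" outcome
            // instead of falling back to the IdP's login page.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Access denied");
            return;
        }

        // Hand the principal name back to the IdP under the attribute key the
        // LoginHandler contract defines (assumed constant, IdP 2.x), then return
        // control to the authentication engine, which continues the SAML flow.
        req.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, user.trim());
        AuthenticationEngine.returnToAuthenticationEngine(req, resp);
    }
}
```

The point the example makes is that the external path has to be a URL the idp context can forward to, and that whatever supplies the user name to it must be a server-side, container-validated source rather than a value the browser can set; the servlet fails closed with 403 when no such identity is present.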