Discussion:
shib-cas-authn2 and forceAuthn
Scott Koranda
2014-09-09 03:37:35 UTC
Hello,

I have deployed the current version of shib-cas-authn2 with the
Shibboleth IdP 2.4.0 and CAS 4.0.0 following the instructions at

https://github.com/Unicon/shib-cas-authn2

Delegation to CAS appears to be working fine. The CAS login handler is
the only login handler defined in handler.xml (outside of the previous
session handler--I understand the implications of leaving that defined
and it will most likely be removed later) and the standard
authentication flow is working as expected.

The attraction of the shib-cas-authn2 approach over the REMOTE_USER
approach is support for SAML2 forced reauthentication and isPassive.

I do not, however, see any instructions at

https://github.com/Unicon/shib-cas-authn2

on how to configure the login handler to support either forced
reauthentication or isPassive.

I decided to simply try it and used a Shibboleth SP and the Native SP
session creation parameter 'forceAuthn=1'. This resulted in a SAML
error sent by the IdP and the log message

"Force authentication requested but no login handlers available to support it".

How do I configure shib-cas-authn2 to respond appropriately to
AuthnRequests with forced reauthentication or isPassive?

I also looked in detail at the code for CasLoginHandler. I expected
that during the constructor call I would see

setSupportsForceAuthentication()

and

setSupportsPassive()

They are not invoked there but instead are invoked during login().
Will that work? I would have thought that the IdP needs to know at the
time it creates the login handler whether or not it supports forced
reauthentication and isPassive. What am I missing?

Thanks,

Scott K
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
Cantor, Scott
2014-09-09 03:41:40 UTC
Post by Scott Koranda
I also looked in detail at the code for CasLoginHandler. I expected
that during the constructor call I would see
setSupportsForceAuthentication()
and
setSupportsPassive()
They are not invoked there but instead are invoked during login().
Will that work? I would have thought that the IdP needs to know at the
time it creates the login handler whether or not it supports forced
reauthentication and isPassive. What am I missing?
I can't speak to that handler, but I can confirm that those do have to be
set at construction time; the IdP walks the handler list looking for one
that reports it can support it.

For the handlers in the IdP, it's controlled with an XML attribute in the
LoginHandler element.

-- Scott
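To make the selection order concrete, here is a small added Python model of the handler walk Scott describes (this is illustration code, not Shibboleth IdP or shib-cas-authn2 code; the class names, `AuthnRequest`, `select_handler` and the passive-case error wording are constructed for the example, and the mapping of forceAuthn/isPassive onto CAS `renew`/`gateway` modes is assumed rather than taken from the thread). The point it demonstrates is why a handler that only sets `setSupportsForceAuthentication()` and `setSupportsPassive()` inside `login()` can never be chosen for a forceAuthn or isPassive request: selection happens before `login()` runs, so the IdP only ever sees the flags as they were left by the constructor.

```python
"""Toy model of login-handler selection: the IdP walks the configured
handlers looking for one whose capability flags satisfy the AuthnRequest.
All names are invented for illustration; this is not IdP or shib-cas-authn2 code."""

from dataclasses import dataclass


class NoSupportingHandler(Exception):
    """Raised when no configured handler advertises the requested capability."""


@dataclass
class AuthnRequest:
    force_authn: bool = False   # SAML2 ForceAuthn="true"
    is_passive: bool = False    # SAML2 IsPassive="true"


class LoginHandler:
    """Base class mirroring the two capability setters named in the thread."""

    def __init__(self):
        self._supports_force = False
        self._supports_passive = False

    def set_supports_force_authentication(self, value: bool) -> None:
        self._supports_force = value

    def set_supports_passive(self, value: bool) -> None:
        self._supports_passive = value

    def supports_force_authentication(self) -> bool:
        return self._supports_force

    def supports_passive(self) -> bool:
        return self._supports_passive

    def login(self, request: AuthnRequest) -> str:
        raise NotImplementedError


class FlagsInLoginHandler(LoginHandler):
    """Sets the flags only inside login(): too late, selection has already run."""

    def login(self, request: AuthnRequest) -> str:
        self.set_supports_force_authentication(True)
        self.set_supports_passive(True)
        return "redirect-to-cas:normal"


class FlagsInConstructorHandler(LoginHandler):
    """Sets the flags at construction, which is what the selection walk inspects."""

    def __init__(self):
        super().__init__()
        self.set_supports_force_authentication(True)
        self.set_supports_passive(True)

    def login(self, request: AuthnRequest) -> str:
        # Assumed mapping for the example: forceAuthn -> CAS renew, isPassive -> CAS gateway.
        if request.force_authn:
            mode = "renew"
        elif request.is_passive:
            mode = "gateway"
        else:
            mode = "normal"
        return f"redirect-to-cas:{mode}"


def select_handler(handlers, request: AuthnRequest) -> LoginHandler:
    """Walk the handler list; return the first whose advertised flags satisfy the request."""
    for handler in handlers:
        if request.force_authn and not handler.supports_force_authentication():
            continue
        if request.is_passive and not handler.supports_passive():
            continue
        return handler
    if request.force_authn:
        # Wording quoted from the IdP log line reported in the thread.
        raise NoSupportingHandler(
            "Force authentication requested but no login handlers available to support it")
    # Constructed wording for the passive case.
    raise NoSupportingHandler(
        "Passive authentication requested but no login handlers available to support it")


def selection_outcome(handlers, request: AuthnRequest) -> str:
    """Run selection then login(); return the login result or the selection error text."""
    try:
        return select_handler(handlers, request).login(request)
    except NoSupportingHandler as exc:
        return str(exc)


if __name__ == "__main__":
    forced = AuthnRequest(force_authn=True)
    print(selection_outcome([FlagsInLoginHandler()], forced))        # the error Scott K saw
    print(selection_outcome([FlagsInConstructorHandler()], forced))  # redirect-to-cas:renew
```

Running it shows the two outcomes side by side: with the flags set in `login()` a forced request is rejected before the handler ever executes, while the constructor-flagged handler is selected and can carry the forced/passive intent through to CAS. Setting the flags in the constructor also keeps the capability claim honest at configuration time, which is what a relying party asking for ForceAuthn is actually relying on.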
Misagh Moayyed
2014-09-09 16:22:03 UTC
Thanks for the clarification. This indeed is something we should fix with the
handler to set support for both flags during the ctor call rather than
during login().

We'll take this up shortly and will also update the documentation to note
how these flags are auto-set by the handler.

Misagh Moayyed
2014-09-16 15:41:25 UTC
In reference to the issue of configuring support for both forced and
passive authentication in the CAS login handler, thought I'd point out
that the issue is now fixed here:
https://github.com/Unicon/shib-cas-authn2
