Installation and configuration of Shibboleth IdP v3 software using external authentication
Last update 1 March 2017
This page serves only as a reference on using the external authentication mode of Shibboleth IdP v3 to set up an IdP for joining the HKAF. It is not a complete guideline; configuration files and implementation details may vary with each institution's environment.
Basic Flow of External Authentication
The following describes the basic flow of using external authentication with Shibboleth IdP v3.
In addition to the other configuration files, you need to modify two configuration files, "/opt/shibboleth-idp/conf/authn/external-authn-config.xml" and "/opt/shibboleth-idp/conf/idp.properties", and write the external authentication procedure that the path defined in "external-authn-config.xml" points to.
The following shows the settings in the two configuration files, "external-authn-config.xml" and "idp.properties", that relate to external authentication mode. Note that you may need to modify other settings for other purposes.
external-authn-config.xml
...
<!-- Servlet context-relative path to wherever your implementation lives. -->
<bean id="shibboleth.authn.External.externalAuthnPath"
      class="java.lang.String"
      c:_0="contextRelative:/login" />
<!-- Populate RP UI info from metadata? -->
<util:constant id="shibboleth.authn.External.populateUIInfo"
               static-field="java.lang.Boolean.FALSE" />
...
idp.properties
...
# Regular expression matching login flows to enable, e.g. IPAddress|Password
#idp.authn.flows= Password
idp.authn.flows = External
...
External Authentication Procedure
The External Authentication procedure acts as an interface between the external code and the IdP. The general flow is:
1. Call ExternalAuthentication.startExternalAuthentication(HttpServletRequest), saving off the result as a key.
2. Do work as necessary (reading request details from the request attributes the IdP sets on the request). Any redirects must preserve the key value returned in step 1 because it must be used to complete the login later.
3. Set request attributes to communicate the result of the login back.
4. Call ExternalAuthentication.finishExternalAuthentication(String, HttpServletRequest, HttpServletResponse). The first parameter is the key returned in step 1.
Some pseudocode for a servlet implementation of this interface is below, completed here with the imports and class skeleton needed to compile it against the IdP v3 net.shibboleth.idp.authn API:
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;
public class ExternalAuthnServlet extends HttpServlet {
    @Override
    protected void doGet(final HttpServletRequest httpRequest, final HttpServletResponse httpResponse) throws ServletException, IOException {
        try {
            // Step 1: tie this request to the IdP conversation and keep the key for step 4.
            final String key = ExternalAuthentication.startExternalAuthentication(httpRequest);
            // Step 2: the container (or a front-end SSO agent) has already authenticated the user.
            final String username = httpRequest.getRemoteUser();
            if (username != null) {
                // Step 3: report the authenticated principal name back to the IdP.
                httpRequest.setAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY, username);
            }
            // Step 4: return control to the IdP login flow using the key from step 1.
            ExternalAuthentication.finishExternalAuthentication(key, httpRequest, httpResponse);
        } catch (final ExternalAuthenticationException e) {
            throw new ServletException("Error processing external authentication request", e);
        }
    }
}
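The pseudocode above only covers the case where the container has already authenticated the user. The servlet below is an added example, not code from this page or from the Shibboleth project, that carries the four steps through the two cases a deployment usually also has to handle: sending the user to an institutional login page and receiving them back (preserving the key from step 1 across the redirect, as step 2 requires), and reporting a failure to the IdP instead of a principal name. It also honours the SP's ForceAuthn and IsPassive requests, which the IdP passes to the external path as request attributes in recent IdP v3 releases (check the ExternalAuthnConfiguration documentation for the exact form in your version). The login page URL (/sso/login with "return" and "renew" parameters), the "sso.authnInstant" request attribute, and the class and session attribute names are assumptions about the institutional SSO layer; the "NoPassive" and "NoCredentials" error strings only become specific flow events through the ClassifiedMessageMap in external-authn-config.xml.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;

/**
 * Example external authentication servlet for the path configured in
 * external-authn-config.xml (here "/login"). Assumptions, not taken from the page
 * or from the IdP distribution:
 *  - an institutional SSO layer in front of the servlet container exposes the
 *    logged-in account via getRemoteUser() and the login time (ms since the epoch)
 *    via the request attribute SSO_AUTHN_INSTANT_ATTR;
 *  - its login page at LOGIN_PAGE re-prompts when "renew=1" is present and then
 *    sends the browser to the URL given in its "return" parameter.
 */
public class HkafExternalAuthnServlet extends HttpServlet {

    private static final String LOGIN_PAGE = "/sso/login";                   // assumed
    private static final String SSO_AUTHN_INSTANT_ATTR = "sso.authnInstant"; // assumed
    private static final String STARTED_AT_PREFIX = "hkaf.extauthn.startedAt.";

    @Override
    protected void doGet(final HttpServletRequest request, final HttpServletResponse response)
            throws ServletException, IOException {
        try {
            // Step 1. The IdP calls this path with ?conversation=<key>. The redirect below
            // carries the same parameter, so start() succeeds on both legs, and the key is
            // checked against the conversation state the IdP stored in the servlet session.
            final String key = ExternalAuthentication.startExternalAuthentication(request);

            // The SP's ForceAuthn / IsPassive requests, surfaced by the IdP as request attributes.
            final boolean forceAuthn =
                    Boolean.TRUE.equals(request.getAttribute(ExternalAuthentication.FORCE_AUTHN_PARAM));
            final boolean isPassive =
                    Boolean.TRUE.equals(request.getAttribute(ExternalAuthentication.PASSIVE_AUTHN_PARAM));

            // Server-side record of when this conversation first reached us. Its presence
            // tells us we are on the return leg; its value is the bar a ForceAuthn login
            // must clear. The browser cannot tamper with either.
            final HttpSession session = request.getSession();
            final String startedAtAttr = STARTED_AT_PREFIX + key;
            final boolean returnLeg = session.getAttribute(startedAtAttr) != null;
            if (!returnLeg) {
                session.setAttribute(startedAtAttr, System.currentTimeMillis());
            }
            final long startedAt = (Long) session.getAttribute(startedAtAttr);

            final String username = request.getRemoteUser();
            final Object instant = request.getAttribute(SSO_AUTHN_INSTANT_ATTR);
            final boolean freshLogin = instant instanceof Long && (Long) instant >= startedAt;

            if (username != null && (!forceAuthn || freshLogin)) {
                // Step 3, success: a pre-existing SSO session is acceptable only when the SP
                // did not ask for ForceAuthn; otherwise the login must postdate step 1.
                request.setAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY, username);
            } else if (isPassive || returnLeg) {
                // Step 3, failure: IsPassive forbids interaction, and a second trip through
                // the login page without a usable login must fail rather than loop.
                // The message is classified via shibboleth.authn.External.ClassifiedMessageMap
                // in external-authn-config.xml to pick the flow event the IdP raises.
                request.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY,
                        isPassive ? "NoPassive" : "NoCredentials");
            } else {
                // Step 2: hand off to the login page. The return URL is built from the
                // context path, not the Host header, and preserves the conversation key.
                final String returnUrl = request.getContextPath() + request.getServletPath()
                        + "?" + ExternalAuthentication.CONVERSATION_KEY + "="
                        + URLEncoder.encode(key, "UTF-8");
                response.sendRedirect(LOGIN_PAGE + "?return=" + URLEncoder.encode(returnUrl, "UTF-8")
                        + (forceAuthn ? "&renew=1" : ""));
                return;
            }

            // Step 4: clean up and give control back to the IdP, which reads the attributes above.
            session.removeAttribute(startedAtAttr);
            ExternalAuthentication.finishExternalAuthentication(key, request, response);
        } catch (final ExternalAuthenticationException e) {
            throw new ServletException("Error processing external authentication request", e);
        }
    }
}
```

Package the class into the IdP's edit-webapp, declare it in web.xml with a servlet-mapping of /login so that it matches the externalAuthnPath bean above, and rebuild the war. Because the conversation key is bound to the servlet session in which the IdP started the login, a key replayed from another browser session is rejected by startExternalAuthentication; what the external code must guarantee is that the key is never dropped on the way to and from the login page, and that a ForceAuthn request is never satisfied by a session that existed before the IdP asked.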
References
For more information, you may go to this.