Versions Compared

...

External interface with attributes in JSP
<%@ page pageEncoding="UTF-8" %>
<%@ page import="net.shibboleth.idp.authn.*" %>
<%@ page import="net.shibboleth.idp.attribute.*"%>
<%@ page import="net.shibboleth.idp.authn.principal.*"%>
<%@ page import="java.util.*"%>
<%@ page import="java.security.*"%>
<%@ page import="javax.security.auth.*"%>

<%
try {
    // Hand control to the External flow; the returned key identifies this conversation.
    final String key = ExternalAuthentication.startExternalAuthentication(request);

    HashSet<Principal> principals = new HashSet<Principal>();

    // Hard-coded for illustration only; a real implementation supplies the
    // identity that the external system actually authenticated.
    principals.add(new UsernamePrincipal("bbarker"));

    // Attributes attached to the Subject become available to the attribute resolver via
    // the Subject DataConnector, e.g.:
    //<DataConnector xsi:type="Subject" exportAttributes="mail eduPersonNickname" id="myId" />
    //<AttributeDefinition ... <InputDataConnector ref="myId" ...
    IdPAttribute attr = new IdPAttribute("eduPersonNickname");
    attr.setValues(Collections.singletonList(new StringAttributeValue("Bob Barker")));
    principals.add(new IdPAttributePrincipal(attr));

    attr = new IdPAttribute("mail");
    attr.setValues(Collections.singletonList(new StringAttributeValue("bbarker@example.org")));
    principals.add(new IdPAttributePrincipal(attr));

    // Return the whole Subject (username plus attribute principals) rather than just a principal name.
    request.setAttribute(ExternalAuthentication.SUBJECT_KEY,
            new Subject(false, principals, Collections.EMPTY_SET, Collections.EMPTY_SET));

    // Resume the login flow; this issues the redirect back into the IdP.
    ExternalAuthentication.finishExternalAuthentication(key, request, response);

} catch (final ExternalAuthenticationException e) {
    throw new ServletException("Error processing external authentication request", e);
}
%>

...

Advanced Topics

Custom Events

TBD, for now refer to the same material in the Password login flow documentation. The API supports the signaling of custom errors and exceptions. The main purpose of this feature is to support the signaling of custom events from the login flow by mapping these errors into custom Web Flow events that become the result of the login flow; these can be handled either via MFA scripting or used to control eventual error handling within the IdP.

The actual handling of custom events is discussed in the AuthenticationConfiguration topic. To signal such an event, you use the so-called "classified message map" feature that is common to a number of login flows.

The input to the mapping process comes from the output attributes defined in the API above, either "authnError" or "authnException". The value of the former, or the exception message contained in the latter, is the input string. The output of the mapping process is the event you want to signal. If you completely control the input value because you are creating it yourself in your code, the simplest approach is to use the desired event name as the "authnError" value. You still need to create the mapping bean, however, because the IdP does not otherwise know that this value is the event you want to signal.

The mapping process is controlled by a map bean you must create, named shibboleth.authn.External.ClassifiedMessageMap, typically in global.xml. Each map key is an event you want to signal, and each map value is a list of strings to test the input against in order to produce that event; in the simplest case the key and the string are identical. Matching is by substring: if any string listed for an entry occurs anywhere in the input string, the input maps to that entry's key.

For example, if you want to use an “authnError” value of “MyCustomEvent” or trap an exception message containing the string “Error message you don’t control”, your map would look like this:

<util:map id="shibboleth.authn.External.ClassifiedMessageMap">
  <entry key="MyCustomEvent">
    <list>
      <value>MyCustomEvent</value>
      <value>Error message you don't control</value>
    </list>
  </entry>
</util:map>
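The substring rule described above, as a stand-alone Java simulation added here for illustration. It is not IdP code: the class name, the classify method and the constructed input strings are assumptions, and it returns the first matching entry in map order, which the text above does not specify for the IdP itself.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

/**
 * Simulates the matching behaviour of the shibboleth.authn.External.ClassifiedMessageMap
 * bean: map keys are events to signal, map values are string fragments tested against
 * the "authnError" value or the "authnException" message. Hypothetical class written
 * for this page, not part of the IdP.
 */
public class ClassifiedMessageMapDemo {

    private final Map<String, List<String>> classifiedMessageMap;

    public ClassifiedMessageMapDemo(Map<String, List<String>> classifiedMessageMap) {
        this.classifiedMessageMap = classifiedMessageMap;
    }

    /**
     * If any fragment listed under an event occurs anywhere in the input string, that
     * event is the result. Entries are checked in map order and the first hit wins
     * (an assumption of this simulation). An empty result means no custom event is
     * signalled and the IdP's normal error handling applies.
     */
    public Optional<String> classify(String input) {
        if (input == null) {
            return Optional.empty();
        }
        for (Map.Entry<String, List<String>> entry : classifiedMessageMap.entrySet()) {
            for (String fragment : entry.getValue()) {
                if (input.contains(fragment)) {
                    return Optional.of(entry.getKey());
                }
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Same single entry as the <util:map> above; LinkedHashMap keeps declaration order.
        Map<String, List<String>> map = new LinkedHashMap<>();
        map.put("MyCustomEvent",
                Arrays.asList("MyCustomEvent", "Error message you don't control"));

        ClassifiedMessageMapDemo demo = new ClassifiedMessageMapDemo(map);

        // 1. authnError set directly to the event name: the value is its own key.
        System.out.println(demo.classify("MyCustomEvent"));

        // 2. authnException whose message merely contains the fragment (constructed input).
        String exceptionMessage =
                "Backend call failed: Error message you don't control (code 503)";
        System.out.println(demo.classify(exceptionMessage));

        // 3. Unrelated message (constructed): nothing matches, so no custom event results.
        System.out.println(demo.classify("Connection refused"));

        // 4. Substring matching also fires when the fragment is embedded in a longer
        //    token, so fragments should be distinctive enough not to match by accident.
        System.out.println(demo.classify("SomethingMyCustomEventRelated"));
    }
}
```

Case 4 is the practical caveat of substring matching: exception messages frequently embed data such as usernames or backend responses, so choose fragments that cannot plausibly appear in unrelated text, and give each event its own distinctive value rather than a short generic word.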

Reference

Beans

Beans that may be defined in global.xml follow:

Bean ID: shibboleth.authn.External.externalAuthnPathStrategy
Type: Function<ProfileRequestContext,String>
Description: Optional function that returns the redirection expression to use for the protected resource.

Bean ID: shibboleth.authn.External.ClassifiedMessageMap
Type: Map<String,List<String>>
Default: Remaps NoCredentials and InvalidCredentials into ReselectFlow for fall-through behavior.
Description: A map between defined error/warning conditions and events and implementation-specific message fragments to map to them. See the section above on Custom Events.

Bean ID: shibboleth.authn.External.resultCachingPredicate
Type: Predicate<ProfileRequestContext>
Description: Optional bean that can be defined to control whether to preserve the authentication result in an IdP session.

...