Configuring the IdP for Previous Session Authentication

This authentication method comes preconfigured with the IdP and is invoked every time the IdP uses a user's existing IdP session as the proof of authentication.

Removal of the PreviousSession login handler will disable SSO support if you are relying on Shibboleth for session management.

Defining the Login Handler

This login handler is defined with the element <LoginHandler xsi:type="PreviousSession">.

The following optional attributes are supported:

reportPreviousSessionAuthnMethod - indicates whether the SAML2 PreviousSession authentication method should be reported to the SP; the default is to report one of the methods originally used to authentication to the IdP that is also supported by the SP.
servletPath - indicates a Servlet to which the browser should be redirect
supportsPassiveAuthentication - indicates whether this handler supports passive authentication; this is only meaningful if the servletPath attribute is also used (default value: false)

Additionally the login handler must contain one or more <AuthenticationMethod> element whose content is the authentication method(s) serviced by the login handler.

Example PreviousSession Authentication Handler Configuration

<LoginHandler xsi:type="PreviousSession">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</AuthenticationMethod>
</LoginHandler>

Browser not supported