
The Shibboleth 2.x software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP30 and SP3 wiki spaces for current documentation on the supported versions.


Configuring the IdP for Previous Session Authentication

This authentication method comes preconfigured with the IdP and is invoked every time the IdP uses a user's existing IdP session as the proof of authentication.

Removal of the PreviousSession login handler will disable SSO support if you are relying on Shibboleth for session management.

Defining the Login Handler

This login handler is defined with the element <LoginHandler xsi:type="PreviousSession">.

The following optional attributes are supported:

  • reportPreviousSessionAuthnMethod - indicates whether the SAML2 PreviousSession authentication method should be reported to the SP; the default is to report one of the methods originally used to authenticate to the IdP that is also supported by the SP.
  • servletPath - indicates a Servlet to which the browser should be redirected
  • supportsPassiveAuthentication - indicates whether this handler supports passive authentication; this is only meaningful if the servletPath attribute is also used (default value: false)

Additionally, the login handler must contain one or more <AuthenticationMethod> elements whose content is the authentication method(s) serviced by the login handler.

Example PreviousSession Authentication Handler Configuration
<LoginHandler xsi:type="PreviousSession">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</AuthenticationMethod>
</LoginHandler>