Configuring the IdP for External Authentication System User Authentication

This login handler supports the use of an external (to the IdP) authentication mechanisms that is integrated with the web server, Servlet container, or IdP.

This login handler requires additional code to be written in order to trigger the external authentication system. If you're simply looking to authenticate based on the presence of the REMOTE_USER header use the Remote User login handler.

How It Works

This login handler forwards to a configurable (see below) URL. A custom-developed Filter, Servlet, or JSP must then trigger the external authentication system in whatever manner is appropriate for that system. Once completed, the custom-developed code must then set the HttpServletRequest attributes required by the edu.internet2.middleware.shibboleth.idp.authn.LoginHandler interface and invoke edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine#returnToAuthenticationEngine(HttpServletRequest,HttpServletResponse.

When the IdP invokes the configured URL the following HttpServletRequest attributes will be available:

The external authentication system must honor the request for forced and/or passive authentication.

Define the Login Handler

This login handler is defined with the element <LoginHandler xsi:type="ExternalAuthn"> with the following required attributes:

This login handler configuration element also supports the following optional attributes:

Additionally the login handler must contain one or more <AuthenticationMethod> elements that contain authentication method(s) serviced by the login handler.

<ph:LoginHandler xsi:type="ph:ExternalAuthn"
                 supportsForcedAuthentication="true" >