Shibboleth and WebAuth II
eagle at windlord.stanford.edu
Thu Jul 14 10:29:06 PDT 2011
Petr Grolmus <indy at civ.zcu.cz> writes:
> we are using WebAuth for authentication in Shibboleth - which works
> fine. But now we have one special application - a certificate authority
> that issues personal digital certificates. This application, just before
> the final issuing, tries to re-authenticate the user (to make sure that
> the user is still the same one that initiated the issue process) in
> intention of Shibboleth terminology.
> Of course, in this case nothing happens - WAS still has its cookie and
> Shibboleth re-authentication does not proceed. This leads to an error and
> the user never gets his certificate...
What error? Normally, Shibboleth doesn't have any visibility into how
WebAuth authenticates the user. Is the code looking at the authentication
time or something like that?
> Did someone already try to solve this problem - forced Shibboleth
> re-authentication in WebAuth??
WebAuth has a corresponding Apache directive to force reauthentication:
WebAuthForceLogin. The trick is getting the Shibboleth authentication for
this application to use it. The easiest way would be if you can convince
Shibboleth, through one method or another, to go to a different login URL
on the IdP for this case, so that you could configure that different login
URL to use forced authentication.
Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University