Shibboleth and WebAuth II

Russ Allbery eagle at
Thu Jul 14 10:29:06 PDT 2011

Petr Grolmus <indy at> writes:

> We are using WebAuth for authentication in Shibboleth - which works
> fine. But now we have one special application - a certificate authority
> that issues personal digital certificates. This application, just before the
> final issuing, tries to re-authenticate the user (to make sure that the user is
> still the same one that initiated the issue process) in intention of
> Shibboleth terminology.

> Of course, in this case nothing happens - WAS still has its cookie and
> Shibboleth re-authentication does not proceed. This leads to an error and
> the user never gets his certificate...

What error?  Normally, Shibboleth doesn't have any visibility into how
WebAuth authenticates the user.  Is the code looking at the authentication
time or something like that?

>     Did someone already try to solve this problem - forced Shibboleth
> re-authentication in WebAuth??

WebAuth has a corresponding Apache directive to force reauthentication:
WebAuthForceLogin.  The trick is getting the Shibboleth authentication for
this application to use it.  The easiest way would be if you can convince
Shibboleth, through one method or another, to go to a different login URL
on the IdP for this case, so that you could configure that different login
URL to use forced authentication.

Russ Allbery <eagle at>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
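
The two-login-URL arrangement suggested in the reply above could look like this in the IdP host's Apache configuration. This is an added example, not configuration from the post or from the WebAuth project; both `<Location>` paths are hypothetical placeholders, and how Shibboleth gets routed to the second URL is left open, as it is in the reply.

```apache
# Constructed example: both paths are hypothetical placeholders for two
# login endpoints on the IdP host; substitute the URLs your IdP really uses.

# Default login URL: an existing WebAuth session cookie is accepted, so a
# user who is already signed in is not prompted again.
<Location "/idp/login">
    AuthType WebAuth
    Require valid-user
</Location>

# Separate login URL for the certificate authority's re-authentication step.
# WebAuthForceLogin makes WebAuth require a fresh login here even when the
# user already has a valid session.
<Location "/idp/login-forced">
    AuthType WebAuth
    Require valid-user
    WebAuthForceLogin on
</Location>
```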

More information about the webauth-info mailing list