Question

We are developing a web application that has its own SignOn mechanism (login mechanism using username and password). The SignOn mechanism is implemented using a Web Application Filter.

The web application container is Apache Tomcat 6.0

The user may also choose to log in through Shibboleth authentication. That is, to access our Web Application, the user may choose either to be authenticated using Shibboleth, or using our own SignOn mechanism, which is web application filter-based.

Is it technically feasible to support both Shibboleth Authentication, and a Web Application Filter based SignOn mechanism?

If it's feasible, from the Web Application Filter side, how do we check if a user was authenticated already by Shibboleth? Is there some Shibboleth Authentication token, or Shibboleth User session?

Thanks.


Solution

I assume that you refer to Shibboleth SP (the Service Provider component) and also that you will need Shibboleth IdP (an Identity Provider) to provide the actual authentication.

...And yes, it is feasible and the two methods can easily coexist.

When the user is successfully authenticated by Shibboleth SP (using the Identity Provider), it places the well-known session attributes in the HTTP request attributes and headers.

You can view the session attributes by visiting:

https://your-host/Shibboleth.sso/Session 

So, inside your application you can check the presence and the value of those attributes like:

request.getAttribute("NAME_OF_THE_ATTRIBUTE_IN_SESSION")
request.getHeader("NAME_OF_THE_ATTRIBUTE_IN_SESSION")

Then, using Shibboleth attributes you can do the necessary operations to allow or deny the user authentication.

See this official wiki to understand how to "Shibbolize" an application and this for accessing attributes.

I would recommend reading this clear and comprehensive wiki on Shibboleth SP and IdP installation and configuration from the start.
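The check described in the answer, written out as a servlet filter that accepts either sign-on path. This is an added example, not code from the answer or from the Shibboleth project. The attribute names `Shib-Session-ID` and `eppn` are assumptions that depend on the SP's attribute mapping (confirm them on the `/Shibboleth.sso/Session` page), and `localUser`, `authenticatedUser` and `/login` are hypothetical names for the application's own SignOn mechanism.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class DualSignOnFilter implements Filter {
    // Assumed names: they depend on the SP configuration (see /Shibboleth.sso/Session)
    private static final String SHIB_SESSION = "Shib-Session-ID";
    private static final String SHIB_USER = "eppn";
    // Hypothetical names used by the application's own SignOn mechanism
    private static final String LOCAL_USER = "localUser";
    private static final String LOGIN_PAGE = "/login";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // 1. Prefer an identity asserted by the Shibboleth SP
        String user = shibUser(req);
        // 2. Otherwise fall back to a session created by the local login form
        if (user == null) {
            HttpSession s = req.getSession(false);
            user = (s == null) ? null : (String) s.getAttribute(LOCAL_USER);
        }
        // 3. Neither path authenticated the user: send them to the login page
        if (user == null && !LOGIN_PAGE.equals(req.getServletPath())) {
            res.sendRedirect(req.getContextPath() + LOGIN_PAGE);
            return;
        }
        req.setAttribute("authenticatedUser", user);
        chain.doFilter(req, res);
    }

    // Reads request attributes only: a header of the same name could be
    // supplied by the client, so getHeader() is deliberately not consulted.
    static String shibUser(HttpServletRequest req) {
        Object sid = req.getAttribute(SHIB_SESSION);
        Object uid = req.getAttribute(SHIB_USER);
        if (sid == null || uid == null) return null;
        String u = uid.toString().trim();
        return u.length() == 0 ? null : u;
    }
}
```

If the deployment can only pass the values as headers, the front-end web server has to strip any client-supplied copies of them before the request reaches Tomcat.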

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow