<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div>
<p class="MsoNormal">Hi Justin,</p>
<p class="MsoNormal">Thank you for the provided links!</p>
<p class="MsoNormal">Now it is clear that it is possible to replace the backend user repository and to use LDAP.</p>
<p class="MsoNormal">Now I want to replace the form authentication with something else.</p>
<p class="MsoNormal">I have tested and I see that the security:http-basic element works perfectly.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Will it be possible to support advanced authentication like SAML2 (we will create / reuse a SAML2 authenticator)?</p>
<p class="MsoNormal">Best regards,</p>
<p class="MsoNormal">Michael</p>
</div>
<br>
<br>
<div style="color: rgb(0, 0, 0);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> Justin Richer <jricher@mit.edu><br>
<b>Sent:</b> Friday, September 2, 2016 1:42 PM<br>
<b>To:</b> Michael Furman<br>
<b>Cc:</b> mitreid-connect@mit.edu<br>
<b>Subject:</b> Re: [mitreid-connect] mitreid-connect IDP: support additional authentication schemas.</font>
<div> </div>
</div>
<div>Oh, that’s different, then — you’re really just changing the primary authentication mechanism, which is controlled by the user-context.xml file as you’ve found. You’ll also need to set up the UserInfoService to point to somewhere that can look up user
information for you at runtime.
<div class=""><br class="">
</div>
<div class="">Take a look at the LDAP-based server or the MIT server for examples on how to do this:</div>
<div class=""><br class="">
</div>
<div class=""><a id="LPlnk708490" href="https://github.com/mitreid-connect/ldap-openid-connect-server" class="">https://github.com/mitreid-connect/ldap-openid-connect-server</a></div>
<div class=""><a href="https://github.com/MIT-Mobile/oidc.mit.edu/" class="">https://github.com/MIT-Mobile/oidc.mit.edu/</a></div>
<div class=""><br class="">
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Sep 1, 2016, at 6:11 PM, Michael Furman <<a href="mailto:michael_furman@hotmail.com" class="">michael_furman@hotmail.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div id="divtagdefaultwrapper" class="" style="font-style:normal; font-weight:normal; letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px; font-size:12pt; background-color:rgb(255,255,255); font-family:Calibri,Arial,Helvetica,sans-serif">
<p class="" style="margin-top:0px; margin-bottom:0px"></p>
<div class="">
<div class="" style="margin-top:0px; margin-bottom:0px">Hi Justin,<br class="">
Thank you!</div>
<div class="" style="margin-top:0px; margin-bottom:0px">I just want to override user-context.xml and configure in addition to security:form-login additional authentications.</div>
<div class="" style="margin-top:0px; margin-bottom:0px">For example security:http-basic.</div>
<div class="" style="margin-top:0px; margin-bottom:0px">Why is it not possible?</div>
<div class="" style="margin-top:0px; margin-bottom:0px">I do not need the client and RP to see the basic authentication header (or the Kerberos tickets), but I need the IDP to see it. </div>
<div class="" style="margin-top:0px; margin-bottom:0px">Best regards,</div>
<div class="" style="margin-top:0px; margin-bottom:0px">Michael</div>
</div>
<br class="">
<p class="" style="margin-top:0px; margin-bottom:0px"></p>
<div class="" style="">
<hr tabindex="-1" class="" style="display:inline-block; width:886.890625px">
<div id="divRplyFwdMsg" dir="ltr" class=""><font class="" style="font-size:11pt" face="Calibri, sans-serif"><b class="">From:</b><span class="Apple-converted-space"> </span>Justin Richer <<a href="mailto:jricher@mit.edu" class="">jricher@mit.edu</a>><br class="">
<b class="">Sent:</b><span class="Apple-converted-space"> </span>Thursday, September 1, 2016 5:18 PM<br class="">
<b class="">To:</b><span class="Apple-converted-space"> </span>Michael Furman; <a href="mailto:mitreid-connect@mit.edu" class="">
mitreid-connect@mit.edu</a><br class="">
<b class="">Subject:</b><span class="Apple-converted-space"> </span>RE: [mitreid-connect] mitreid-connect IDP: support additional authentication schemas.</font>
<div class=""> </div>
</div>
<div class="">
<div class="">No, this won't work and isn't using OAuth properly. You don't want the client app to intercept the credentials; you can have the server accept them directly. We've deployed the server using Kerberos authentication, but the client and RP never
see the Kerberos tickets. </div>
<div class=""><br class="">
</div>
<div id="composer_signature" class="">
<div class="" style="font-size:14px; color:rgb(87,87,87)">--Justin</div>
<div class="" style="font-size:14px; color:rgb(87,87,87)"><br class="">
</div>
<div class="" style="font-size:14px; color:rgb(87,87,87)"> <i class="">Sent from my phone</i></div>
</div>
<div class=""><br class="">
</div>
<div class="" style="font-size:16px">
<div class="">-------- Original message --------</div>
<div class="">From: Michael Furman <<a href="mailto:michael_furman@hotmail.com" class="">michael_furman@hotmail.com</a>><span class="Apple-converted-space"> </span></div>
<div class="">Date: 9/1/16 4:46 PM (GMT+02:00)<span class="Apple-converted-space"> </span></div>
<div class="">To: <a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a><span class="Apple-converted-space"> </span></div>
<div class="">Subject: [mitreid-connect] mitreid-connect IDP: support additional authentication schemas.</div>
<div class=""><br class="">
</div>
</div>
<div id="divtagdefaultwrapper" class="" style="font-size:12pt; background-color:rgb(255,255,255); font-family:Calibri,Arial,Helvetica,sans-serif">
<p class="" style="margin-top:0px; margin-bottom:0px"></p>
<div class="">
<div class="" style="margin-top:0px; margin-bottom:0px">Hi all,</div>
<div class="" style="margin-top:0px; margin-bottom:0px">I want to extend mitreid-connect IDP and to support additional authentication schemas, like Basic Authentication (or Kerberos).</div>
<div class="" style="margin-top:0px; margin-bottom:0px">I read the following document:</div>
<pre class=""><a id="LPlnk829346" href="https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Server-configuration" class="">https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Server-configuration</a></pre>
<br class="">
<div class="" style="margin-top:0px; margin-bottom:0px">In the current version we have RestAPI clients that access our application with Basic Authentication.<br class="">
<br class="">
</div>
<div class="" style="margin-top:0px; margin-bottom:0px">I just want to ensure that the following flow will work when we start to use OpenID-Connect.<br class="">
<br class="">
</div>
<div class="" style="margin-top:0px; margin-bottom:0px">1) A RestAPI client accesses the RP (our application) with the Basic Authentication header</div>
<div class="" style="margin-top:0px; margin-bottom:0px">2) The RP redirects the request to the mitreid-connect IDP using the OpenID-Connect protocol</div>
<div class="" style="margin-top:0px; margin-bottom:0px">3) The modified mitreid-connect IDP authenticates the request using the Basic Authentication header.</div>
<div class="" style="margin-top:0px; margin-bottom:0px">4) The mitreid-connect IDP redirects the request back using the OpenID-Connect protocol</div>
<div class="" style="margin-top:0px; margin-bottom:0px">5) The RP (our application) authenticates the request using the OpenID-Connect protocol</div>
<div class="" style="margin-top:0px; margin-bottom:0px">Also, I hope the same flow will work for other authentication schemas (e.g. Kerberos).</div>
<div class="" style="margin-top:0px; margin-bottom:0px">Thank you in advance for your help.</div>
<div class="" style="margin-top:0px; margin-bottom:0px">Best regards,</div>
<div class="" style="margin-top:0px; margin-bottom:0px">Michael</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
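<p>The thread above settles on swapping the IdP's primary authentication (security:form-login in user-context.xml) for security:http-basic, so that the IdP, not the RP, sees the Authorization header. The Spring Security XML below is an added illustration written for this page; it is not the MITREid Connect project's own user-context.xml and it assumes the Spring Security 3.x/4.x XML namespace, a bean named authenticationManager, and a UserDetailsService bean named userDetailsService (the LDAP-backed bean from the linked ldap-openid-connect-server would take that place in practice). The UserInfoService bean that Justin mentions is not shown, as its class and wiring are specific to the project.</p>

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Before: form-based login (assumed shape of the original section, kept for comparison).
       The form posts to the IdP, so the RP never handles credentials here either. -->
  <!--
  <security:http authentication-manager-ref="authenticationManager" use-expressions="true">
    <security:intercept-url pattern="/login**" access="permitAll"/>
    <security:intercept-url pattern="/**" access="isAuthenticated()"/>
    <security:form-login login-page="/login" authentication-failure-url="/login?error=failure"/>
    <security:logout logout-url="/logout"/>
  </security:http>
  -->

  <!-- After: HTTP Basic in place of the login form. The IdP decodes the Authorization header
       and authenticates the REST client itself; the RP only ever receives the OpenID Connect
       response, which is the separation Justin insists on. -->
  <security:http authentication-manager-ref="authenticationManager" use-expressions="true">
    <!-- Basic resends the password on every request, so refuse plain HTTP outright. -->
    <security:intercept-url pattern="/**" access="isAuthenticated()" requires-channel="https"/>
    <security:http-basic/>
    <security:logout logout-url="/logout"/>
  </security:http>

  <security:authentication-manager id="authenticationManager">
    <!-- Assumption: userDetailsService is whatever user store the deployment chooses (LDAP in the thread). -->
    <security:authentication-provider user-service-ref="userDetailsService"/>
  </security:authentication-manager>

  <!-- Constructed placeholder store so the file loads stand-alone; replace with the LDAP/JDBC bean. -->
  <security:user-service id="userDetailsService">
    <security:user name="api-client" password="CHANGE-ME" authorities="ROLE_USER"/>
  </security:user-service>
</beans>
```

<p>Two points worth checking after the swap: the logout element is mostly cosmetic under Basic, because a client that still holds the credentials is re-authenticated on its next request, and any /login** permitAll rule from the form-based section should be dropped rather than carried over, since it would leave an unauthenticated path on the IdP with no form behind it.</p>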
</div>
</body>
</html>