Changes

ShibIdPX509LdapAuthentication

8 bytes removed, 22 June 2009, 16:58
=== Combining X.509 and username/password authentication ===
* When the SP does not specifically request an authentication method, the user should have the choice between the supported authentication modes.
* One can tweak the UsernamePassword login page to have links for the X.509 authentication servlet and end up with three different authentication handlers:
** UsernamePasswordX509 hybrid handler with the 'unspecified' authentication method class. This handler invokes the UsernamePasswordX509LoginServlet, which takes care of user choices on the extended login page.
** RemoteUser login handler with the protected servlet location /Authn/X509, where our custom X.509 authentication servlet lives.
** UsernamePassword login handler.
* These last two login handlers must ensure that the corresponding authentication method class is set in the Shibboleth request. When the user authenticates with X.509, clients receive the X509 class; with UsernamePassword, they receive PasswordProtectedTransport.
* Playing with Shibboleth login handlers and authentication contexts revealed that the Shibboleth IdP cannot properly support default authentication methods, and our hybrid handler with its 'unspecified' authentication method is invoked on every authentication request, even when the user has a valid previous session. Fixing SIDP-265 with our proposed patch corrected this flaw.
* When the SP requires a specific authentication method, the IdP should make sure the user cannot override the requested method; an implementation of Shibboleth IdP issue SIDP-258 is needed for this.
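
The handler selection and the no-override rule from the list above, written as a small Python model. This is an added example, not Shibboleth IdP code or code from this page: the function names, the `USER_CHOICES` keys and the exception class are assumptions made for illustration, while the handler names and the /Authn/X509 location come from the list and the three URIs are the standard SAML 2.0 authentication context classes.

```python
# Simplified model of the three-handler setup (illustrative, not IdP code).
X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

# One handler per authentication method class, as in the list above.
HANDLER_BY_METHOD = {
    UNSPECIFIED: "UsernamePasswordX509",   # hybrid login page, user chooses
    X509: "RemoteUser:/Authn/X509",        # custom X.509 servlet location
    PPT: "UsernamePassword",
}
# Hypothetical keys for the two links on the extended login page.
USER_CHOICES = {"x509": X509, "password": PPT}


class AuthnPolicyError(Exception):
    """No handler fits the request, or the user tried to override the SP."""


def specific_methods(requested):
    """Methods the SP actually insists on ('unspecified' means no constraint)."""
    return [m for m in requested if m != UNSPECIFIED]


def select_handler(requested):
    """Pick the login handler for the SP's requested class list (may be empty)."""
    wanted = specific_methods(requested)
    if not wanted:
        return HANDLER_BY_METHOD[UNSPECIFIED]
    for method in wanted:                  # honour the SP's order of preference
        if method in HANDLER_BY_METHOD:
            return HANDLER_BY_METHOD[method]
    raise AuthnPolicyError("no handler supports the requested method")


def released_method(requested, user_choice):
    """Class reported to the SP; a choice outside the SP's request is refused."""
    method = USER_CHOICES.get(user_choice)
    if method is None:
        raise AuthnPolicyError("unknown login choice: %r" % (user_choice,))
    wanted = specific_methods(requested)
    if wanted and method not in wanted:
        raise AuthnPolicyError("user choice would override the SP's request")
    return method
```
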
== Requirements ==