Hello,

I would like to share the final solution for this matter.

1. Understanding the context
It is necessary to point out that there are two roundtrips from the Fediz IdP 
to the Fediz STS. In the first roundtrip, the credentials are validated (in a 
LoginModule) and an 'OnBehalfOf' assertion is created. This assertion is then 
used as an input for the second roundtrip. During the second roundtrip, the 
claims are retrieved (via a ClaimsHandler) and the final assertion is created. 
Therefore, the transfer of the information from the LoginModule to the 
ClaimsHandler must be done via the 'OnBehalfOf' assertion. A ThreadLocal 
variable is not an option because each request can (and usually is) handled in 
a different thread.

2. The solution
The key to success is to configure a custom AttributeStatementProvider for the 
primary (authenticating) STS endpoint. The AttributeStatementProvider can then 
imprint the information that shall be forwarded to the ClaimsHandler. The 
transfer of data from the LoginModule to the AttributeStatementProvider can be 
done via a ThreadLocal variable since they are both invoked during the first 
roundtrip to the STS.

I hope that someone finds this howto useful

Kind regards,

   Filip Hofer

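The two-hop hand-off described above, written out as an added example (not Filip's code and not part of Fediz or CXF). It assumes CXF 3.1+ / WSS4J 2.1+ / OpenSAML 3 class and package names, which differ from the 2014-era packages this thread was written against; the class names, the urn:example: attribute namespace and the "tenant" claim are made up for illustration.

```java
import java.util.*;
import org.apache.cxf.rt.security.claims.*;            // Claim, ClaimCollection
import org.apache.cxf.sts.claims.*;                    // ClaimsHandler, ClaimsParameters, ProcessedClaim(Collection)
import org.apache.cxf.sts.token.provider.*;            // AttributeStatementProvider, TokenProviderParameters
import org.apache.wss4j.common.principal.SAMLTokenPrincipal;
import org.apache.wss4j.common.saml.bean.*;            // AttributeBean, AttributeStatementBean
import org.opensaml.core.xml.schema.XSString;

/** Hypothetical hand-off: the LoginModule calls set(), the provider calls take(), both on the first round trip's thread. */
final class LoginStateHolder {
    private static final ThreadLocal<Map<String, String>> STATE = new ThreadLocal<>();
    static void set(Map<String, String> state) { STATE.set(state); }
    static Map<String, String> take() {                // read once, then clear: a pooled thread must not leak state
        Map<String, String> s = STATE.get(); STATE.remove();
        return s == null ? Collections.<String, String>emptyMap() : s;
    }
}
/** Configured on the primary (authenticating) STS endpoint: stamps the login state into the OnBehalfOf assertion. */
public class LoginStateAttributeProvider implements AttributeStatementProvider {
    static final String PREFIX = "urn:example:login-state:"; // constructed attribute/claim namespace
    @Override public AttributeStatementBean getStatement(TokenProviderParameters params) {
        AttributeStatementBean stmt = new AttributeStatementBean();
        for (Map.Entry<String, String> e : LoginStateHolder.take().entrySet()) {
            AttributeBean attr = new AttributeBean();
            attr.setQualifiedName(PREFIX + e.getKey());
            attr.addAttributeValue(e.getValue());
            stmt.getSamlAttributes().add(attr);
        }
        return stmt;
    }
}
/** Second round trip: the principal is the (already validated) OnBehalfOf SAMLTokenPrincipal; read the stamped attributes back. */
class LoginStateClaimsHandler implements ClaimsHandler {
    @Override public List<String> getSupportedClaimTypes() { return Arrays.asList(LoginStateAttributeProvider.PREFIX + "tenant"); }
    @Override public ProcessedClaimCollection retrieveClaimValues(ClaimCollection requested, ClaimsParameters params) {
        ProcessedClaimCollection result = new ProcessedClaimCollection();
        if (!(params.getPrincipal() instanceof SAMLTokenPrincipal)) { return result; } // not the OnBehalfOf round trip
        Map<String, String> stamped = new HashMap<>();
        ((SAMLTokenPrincipal) params.getPrincipal()).getToken().getSaml2().getAttributeStatements().stream()
            .flatMap(st -> st.getAttributes().stream())
            .filter(a -> !a.getAttributeValues().isEmpty() && a.getAttributeValues().get(0) instanceof XSString)
            .forEach(a -> stamped.put(a.getName(), ((XSString) a.getAttributeValues().get(0)).getValue()));
        for (Claim c : requested) {                          // answer only the claims stamped on the first round trip
            if (!stamped.containsKey(c.getClaimType())) { continue; }
            ProcessedClaim pc = new ProcessedClaim(); pc.setClaimType(c.getClaimType());
            pc.addValue(stamped.get(c.getClaimType()));
            result.add(pc);
        }
        return result;
    }
}
```

The LoginModule only has to call LoginStateHolder.set(...) after a successful login; everything the ClaimsHandler sees later travels inside the OnBehalfOf assertion, not in thread state.
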
-----Original Message-----
From: Hoefer, Filip [mailto:[email protected]] 
Sent: Tuesday, January 21, 2014 1:16 PM
To: [email protected]
Subject: (Fediz) STS - passing info from LoginModule to ClaimsHandler

Hello,

I am implementing a custom LoginModule and a custom ClaimsHandler for the Fediz 
STS. The custom classes are integrated into Fediz via config files, no problem. 
However, I do not know how to pass information from my LoginModule to my 
ClaimsHandler. I create a custom Principal (with custom claims) in the 
LoginModule based on authentication via an external security server. The 
problem is that the ClaimsHandler always only receives a SAMLTokenPrincipal 
which will not give me access to the custom claims. So far, I do not see any 
alternative to accessing the user account via the identifier from 
SAMLTokenPrincipal.getName(). But that only gives me access to the static user 
account, not to the transient state created during login.

Please let me know if I have overlooked something; any help is appreciated.

Kind regards,

    Filip Hofer
