
shibboleth-dev - First build of mod_shib working so far...

  • From: Scott Cantor <>
  • To: 'Shibboleth Design Team' <>
  • Subject: First build of mod_shib working so far...
  • Date: Thu, 20 Jun 2002 04:00:34 -0400
  • Importance: Normal
  • Organization: The Ohio State University

I have this page set to allow any valid-user:

https://shib1.internet2.edu/cgi-bin/env.pl

It's currently pointing at my old sample WAYF, but I updated the
Internet2 entry to use the new HS on shib2. The new WAYF should be up
soon.

Rough feature outline, most of which is untested...

- changed module name to force people to revisit their configuration
- uses a URL to redirect to WAYF, can be anywhere/anything
- per-directory override of session lifetime and timeout
- inline, compiled support for three attributes, EPPN, affiliation, and
entitlement, including passing them into the headers and mod_auth-style
authorization by specifying the attribute URI name:

requires urn:mace:eduPerson:1.0:eduPersonAffiliation


A simple follow-on RM could add dynamic mapping of attribute name to
rule "tag" name to shorten them up.

It also uses a totally rewritten caching engine that supports in-memory
caching of SHIRE sessions and complete attribute caching (it actually
just caches the SAML responses passed back by OpenSAML's SOAP binding,
which was the design I had in mind, so the code is rather trivial). It
doesn't handle app domains yet, but that's a fairly small change. It
also needs some garbage collection, but Apache children die quickly
anyway, so it's not a big deal for now.

Personally, I think it's the right design for the "real" cache, whether
it's moved out of process or not. Were I coding it (and I may yet), I
would simply build new implementations of the classes that use an
IPC/RPC to talk to the SHAR, and then reimplement the in-memory version
inside there. A database would be overkill, but would be a simple change
inside those classes. I hope to never require such a beast.

All of the SAML work is encapsulated in the caching engine. The module
just determines the session ID and says "give me the attributes" and
gets back a set or an exception.

-- Scott

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at

http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--
