Shibboleth Developers

["Scott Cantor" <>]

In case anybody is itching to test this, I've checked in the NSAPI filter on
the 1.2 branch (Rel_1_2) and it seems to build on Windows and at least
Fedora against Win/IPlanet 4.x and Linux/SunWS 6.1. It will be ported to
HEAD but using Derek's new API design instead of this, which is 90%
duplicated (triplicated?) code.

I don't plan to do a formal release of this code branch before then, but I'm
going to use it in production, so I'll be maintaining it.

The configure option is --with-nsapi=/<installroot>

I have tested the filter on Windows, but not on Linux yet.

To install it, use the usual config files:

magnus.conf:
Init fn="load-modules" funcs="nsapi_shib_init,nsapi_shib,shib_handler" \
        shlib="/opt/shibboleth/libexec/nsapi_shib.so"
Init fn="nsapi_shib_init" server-name="<server hostname>"

server-name lets you tell the filter what name to use in redirects. If you
vhost, name-based hosts can determine their own name, otherwise you need
this to canonicalize the name.

mime.types:
type=magnus-internal/shibboleth  exts=shire

obj.conf:
In the default object definition, activate the POST handler:
Service fn="shib_handler" method="(GET|POST)" \
        type="magnus-internal/shibboleth"

Protect content with:
AuthTrans fn="nsapi_shib" require-session="1"

The require-session and export-assertion params are equivalent to using the
RequestMap stuff, like with the Apache commands, in case you already use
obj.conf to do similar SSO things.

Have fun, Merry Christmas, don't say I never gave you anything, etc.

-- Scott