shibboleth-dev - Re: 1.3 SP SessionInitiator feature
Subject: Shibboleth Developers
- From: Brent Putman <>
- To: Scott Cantor <>
- Subject: Re: 1.3 SP SessionInitiator feature
- Date: Wed, 15 Jun 2005 16:28:41 -0400
Scott,
Thanks for all the good info. That all makes sense, and I have it all working fine now. This is a pretty cool feature. Just a couple of things:
> Heh, it's in the code! Seriously, I have a comment in there:
>
>  * Binding is CGI query string with:
>  *  target      the resource to direct back to later
>  *  acsIndex    optional index of an ACS to use on the way back in
>  *  providerId  optional direct invocation of a specific IdP
Invoking the handler with a specific IdP providerId URL query parameter only seems to work for me if that providerId lives in new 1.3-style metadata. If it lives in a 1.2-style sites file metadata, it doesn't find it, even though the IdPs in that metadata work fine otherwise (if you go to their WAYF, etc). The web output and log error include:
Session Initiator Error: Session initiator unable to locate a Shibboleth-aware identity provider role for provider
In looking at the code in shib-handlers.cpp around line 204, this would appear to be expected, since it only looks for an IDPSSODescriptor? Is this a bug or a feature? :-)
> requestSessionWith?
>
> This isn't for lazy sessions, it's for telling the software instead of just
> to require a session that it should get the new session by using the named
> initiator. Each initiator can have its own wayfURL. So technically what it
> does is allow the SP to figure out up front via a URL trick or something
> which WAYF to use and then you can use requireSessionWith to get to the one
> you want. It's to avoid needing multiple applications just to have multiple
> WAYFs configured. Whether it's useful I dunno, but it fell out of the design
> without doing a lot of work.
Ah! The reason I couldn't find this and was confused about what it was all about is that the shibboleth.xml comments reference "requestSessionWith", but the code and XML schema use "requireSessionWith". So my searching for the former was futile. I just happened to notice the latter, and now it all makes sense. So there's a bona fide documentation bug report for ya.
Thanks,
Brent