Shibboleth Developers

[Ian Young <>]

Scott Cantor wrote:

> Another question I have...Are you relying on the RequestMap settings to
> control the session requirements, or do you have an htaccess command
> (ShibRequireSession) in Apache somewhere to force that?

I am doing as much configuration as I can in shibboleth.xml as opposed 
to httpd.conf, on general principles (less Apache restarts, for one).

So, all I have in the appropriate virtual host clauses is:

    <Location /secure>
        AuthType shibboleth
        ShibRequireSession on
        require valid-user
    </Location>

> What happens if you put ShibExportAssertion On in that same spot? Does IE
> then show it exporting the assertion regardless?

Yes, if I take the extra <Host> element out of my shibboleth.xml and put 
this in httpd.conf:

    <Location /secure>
        AuthType shibboleth
        ShibRequireSession on
        ShibExportAssertion on
        require valid-user
    </Location>

... then I get the assertion exported on the first page even though the 
port is still being shown as 8446.

> If so, I would say that reinforces that the RequestMap process is failing on
> that first page access because the scheme isn't coming back from Apache
> correctly, while inline native command processing turns on those flags
> directly.

Seems like it.

OK, so now I have an explanation, two separate workrounds and Apache to 
blame.  Should I just leave it there or do you want some kind of 
placeholder bugzilla entry?

        -- Ian