Shibboleth Developers

["Scott Cantor" <>]

> > ... you definitely have to
> > deliver them all at once in one response, whether it's push or pull.
> 
> Why?

Because that's what I built. The project need was for a web server filter,
not a query tool. Queries are buried inside the cache and attribute push was
implemented by short-circuiting the query. There is no interface for adding
data to a session except a refresh, which is a replace operation and barely
works as it is.

Since there is no way to expose any of this outside the web server in a
non-Java container, I've considered some kind of internal web redirect to
invoke additional queries from outside the system, but it's a lot of work
and it's sure not happening now.

>  This is the very same question we (GridShib) faced when
> designing GridShib for Globus Toolkit a year ago.  We had hoped to
> leverage the (standalone) attribute requester component of the Java SP
> in Globus Toolkit, but of course the Java SP never materialized,

You would have been asking the same question and getting the same answer.
There'd be a cache invisibly performing one query per session and it would
have had the same limitations. May still in fact.

> So there's no way to make the C++ SP function like a standalone
> attribute requester?

Can mod_auth_ldap perform stand-alone queries? If so, they're a lot more
creative than I am.

-- Scott