Shibboleth Developers

["Scott Cantor" <>]

> The authentication sevlet supports multiple authentication 
> modes and shibboleth is one of them.
> For example:
> http://find.gale.com/auth/authentication.do?usergroupname=shib

Ok.... could that command redirect me to a protected page that itself is
wrapped with mod_shib?

> In this case based on the authentication profile setup for 
> usergroupname the servlet will decide how to authenticate 
> him. shibboleth may be one of the mode. So by protecting the 
> servlet , it will prompt shibboleth for every user which we 
> don't need.

Not true anyway, you could use lazy sessions. If the user comes in with
usergroupname=foo, you do one thing, but if they come in with
usergroupname=shib, you check for a session, if not request one, and then
kick off a local session when the user comes back the second time with the
right data from mod_shib.

https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/LazySession

You don't have to use URL-based session creation, is the point.

My big concern is that I don't think what you're asking is the right
question...if you make your servlet URL responsible for SAML processing,
then you've blocked all non-Shib access to it. That's what you're trying not
to do. The ACS by definition is served by mod_shib. Nothing at that URL can
ever run.

-- Scott