
shibboleth-dev - RE: Browser/POST issue

Subject: Shibboleth Developers


RE: Browser/POST issue


  • Subject: RE: Browser/POST issue
  • Date: Wed, 17 May 2006 18:47:02 -0400

How does it work for Tomcat? Is the servlet-filter-based ACS provided in
http://shibboleth.internet2.edu/downloads/JavaSP/shibboleth_eclipse.htm
released?


regards
Johnson
-----Original Message-----
From: Scott Cantor
Sent: Wednesday, May 17, 2006 5:51 PM
Cc: Steinberg, Dan (Gale); Rengarajan (Kumar), Selva (Gale)
Subject: RE: Browser/POST issue


> The authentication servlet supports multiple authentication
> modes and Shibboleth is one of them.
> For example:
> http://find.gale.com/auth/authentication.do?usergroupname=shib

Ok.... could that command redirect me to a protected page that itself is
wrapped with mod_shib?

> In this case, based on the authentication profile setup for
> usergroupname, the servlet will decide how to authenticate
> him. Shibboleth may be one of the modes. So by protecting the
> servlet, it will prompt Shibboleth for every user, which we
> don't need.

Not true anyway, you could use lazy sessions. If the user comes in with
usergroupname=foo, you do one thing, but if they come in with
usergroupname=shib, you check for a session, if not request one, and then
kick off a local session when the user comes back the second time with the
right data from mod_shib.

https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/LazySession

You don't have to use URL-based session creation, is the point.

My big concern is that I don't think what you're asking is the right
question...if you make your servlet URL responsible for SAML processing,
then you've blocked all non-Shib access to it. That's what you're trying not
to do. The ACS by definition is served by mod_shib. Nothing at that URL can
ever run.

-- Scott



