Shibboleth Developers

[<>]

How does it work for tomcat ? Is the servlet filter based ACS provided in 
http://shibboleth.internet2.edu/downloads/JavaSP/shibboleth_eclipse.htm 
released ?


regards
Johnson
-----Original Message-----
From: Scott Cantor 
[mailto:]
Sent: Wednesday, May 17, 2006 5:51 PM
To: 

Cc: Steinberg, Dan (Gale); Rengarajan (Kumar), Selva (Gale)
Subject: RE: Browser/POST issue


> The authentication sevlet supports multiple authentication 
> modes and shibboleth is one of them.
> For example:
> http://find.gale.com/auth/authentication.do?usergroupname=shib

Ok.... could that command redirect me to a protected page that itself is
wrapped with mod_shib?

> In this case based on the authentication profile setup for 
> usergroupname the servlet will decide how to authenticate 
> him. shibboleth may be one of the mode. So by protecting the 
> servlet , it will prompt shibboleth for every user which we 
> don't need.

Not true anyway, you could use lazy sessions. If the user comes in with
usergroupname=foo, you do one thing, but if they come in with
usergroupname=shib, you check for a session, if not request one, and then
kick off a local session when the user comes back the second time with the
right data from mod_shib.

https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/LazySession

You don't have to use URL-based session creation, is the point.

My big concern is that I don't think what you're asking is the right
question...if you make your servlet URL responsible for SAML processing,
then you've blocked all non-Shib access to it. That's what you're trying not
to do. The ACS by definition is served by mod_shib. Nothing at that URL can
ever run.

-- Scott