
shibboleth-dev - RE: LightTPD SP module

Subject: Shibboleth Developers


RE: LightTPD SP module


  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: LightTPD SP module
  • Date: Thu, 21 Dec 2006 09:46:29 -0500
  • Organization: The Ohio State University

> After talking with the Lighttpd crowd I was told that a shib module
> would not be a good idea since their server is event-driven
> (single-threaded) so the external calls would freeze the
> server... They recommended it to be written as a FastCGI app.

The whole point of the code base is session management and exporting
attributes to each request. You can't do that from a CGI. Only the actual
SAML message traffic could be processed as a CGI, but then you're at a dead
end, there's nowhere to put the data.

A CGI approach would require an API-based SSO design. I confess that I don't
understand that model, that's one reason I don't use it. I've tried many
times to grasp what it would even look like, particularly in an
attribute-based system where you have more than just REMOTE_USER to juggle.

BTW, I'm not sure what you mean by "external calls". I can see that the
artifact profile would probably be a bad fit, but basic POST wouldn't be a
big deal. If you can't run code that runs fast on each request, I think the
server has a design problem when it comes to any form of authentication.

> Will this Shibtarget interface change a lot for the coming
> Shibboleth 2.0?

Completely changed, but it will not support what you're describing in any
reasonable way. You probably want to look at zxid.org.

-- Scott



