
shibboleth-dev - RE: LightTPD SP module

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: LightTPD SP module
  • Date: Fri, 29 Dec 2006 13:28:37 -0500

> As long as you are touching that code maybe you can give me a few
> pointers regarding the ShibTarget API. :)

Your best source is just the Apache module.

> My plugin will be very simple in such that it will have only one
> configuration option (besides the config file and schema dir)
> which will be the shib session:
>
> pass - the plugin will not touch the request
> optional - it will fill the headers if there is a session and
> empty them if not
> always - a shib session is mandatory and created if there is none

This is controllable by the RequestMap if that's all you want:

no authType
authType="shibboleth"
authType="shibboleth" and requireSession="true"

> So, no htaccess processing or attribute checks in the lighttpd config
> file, everything will be done on shibboleth.xml.

That's somewhat simpler than what the modules have to do, but that's more or
less how the ISAPI version works.

> I'm trying to find out what interfaces I will have to implement...
> ShibTarget is one of them. Will I need to implement IRequestMapper as
> well? I see some htaccess stuff on ApacheRequestMapper so I'm
> not sure...

No, you would just leave the RequestMap in shibboleth.xml as the master. The
Apache module hijacks that plugin type to get it to build a version that
combines commands from different sources.

Your main job is getting the module to run and supplying the right canonical
URL information to the ShibTarget layer. That's your main job. If the client
can spoof the URL that is passed to the mapping layer, then the RequestMap
is useless.

To see how this works, take Apache, turn UseCanonicalName Off, and then set
up a host alias. Use the alias at your browser and you'll get right past any
access rules in shibboleth.xml.

> On the initialization there are some features that are selected...
>
> ShibTargetConfig::Listener
> ShibTargetConfig::Metadata
> ShibTargetConfig::AAP
> ShibTargetConfig::RequestMapper
> ShibTargetConfig::LocalExtensions
> ShibTargetConfig::Logging
>
> Will I need the same features as mod_apache?

Yes.

> Sorry to bother you with these questions but this is not documented
> anywhere I could find. Maybe I can contribute to shibboleth with this
> plugin in the end.

That would be nice, but you'd have to sign the Internet2 contributor's
agreement before we could accept any code.

-- Scott

PS. You'll also need to have a way to virtualize the handlerURL
(/Shibboleth.sso) and make sure that the doHandler routine in ShibTarget
fulfills any requests like that.
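
The canonical-URL point in the message above, as an added example that is not part of the original message and is not Shibboleth or lighttpd code: a toy rule table stands in for the RequestMap, and the same lookup is run on a URL built from the client's Host header and on one built from server configuration. All type and function names, host names and the rule are assumptions constructed for illustration.

```cpp
// Added illustration: NOT Shibboleth or lighttpd code. All names are hypothetical.
#include <cstddef>
#include <string>
#include <vector>

enum class Policy { Pass, Optional, RequireSession };

// Toy stand-in for a RequestMap: rules keyed on host name plus path prefix.
struct Rule { std::string host; std::string pathPrefix; Policy policy; };

struct Request {
    std::string hostHeader;  // client-controlled
    std::string path;
};

struct VHostConfig {
    std::string scheme;      // set by the administrator
    std::string serverName;  // set by the administrator
};

// Weak: trusts the Host header, like Apache with UseCanonicalName Off.
std::string urlFromHostHeader(const VHostConfig& v, const Request& r) {
    return v.scheme + "://" + r.hostHeader + r.path;
}

// Hardened: the host part comes only from server configuration.
std::string canonicalUrl(const VHostConfig& v, const Request& r) {
    return v.scheme + "://" + v.serverName + r.path;
}

// First matching rule wins; a URL that matches no rule gets no protection (Pass).
Policy lookup(const std::vector<Rule>& map, const std::string& url) {
    const std::size_t hostStart = url.find("://") + 3;
    const std::size_t pathStart = url.find('/', hostStart);
    const std::string host = url.substr(hostStart, pathStart - hostStart);
    const std::string path = pathStart == std::string::npos ? "/" : url.substr(pathStart);
    for (const Rule& rule : map)
        if (rule.host == host && path.compare(0, rule.pathPrefix.size(), rule.pathPrefix) == 0)
            return rule.policy;
    return Policy::Pass;
}

// Constructed sample data: one protected path on the configured host name.
const std::vector<Rule> kMap = {{"sp.example.org", "/secure", Policy::RequireSession}};
const VHostConfig kVHost = {"https", "sp.example.org"};

Policy policyTrustingHost(const Request& r) { return lookup(kMap, urlFromHostHeader(kVHost, r)); }
Policy policyCanonical(const Request& r)    { return lookup(kMap, canonicalUrl(kVHost, r)); }
```

A request that names a host alias falls through to Pass when the URL is built from the Host header, while the canonical URL still matches the RequireSession rule.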



