shibboleth-dev - FastCGI Shib SP application
Subject: Shibboleth Developers
- From: André Cruz
- Subject: FastCGI Shib SP application
- Date: Thu, 25 Jan 2007 12:29:12 +0000
Hello all.
Some time ago I wrote a Shib SP module for the LighttpD web server. I wasn't happy with the result because of the single-threaded model that lighttpd uses, as it would block the entire web server processing when a callback occurred.
Hence, I wrote a fastcgi application for this. It consists of 2 modules:
- a fastcgi responder (shibresp) that handles the HandlerURL (sorry about the language :) )
- a fastcgi authorizer that acts as a filter and does the usual (authN, export assertions and authZ). The only difference is that the attributes are exported as environment variables for the underlying application, this is a fastcgi limitation but I think this is not a problem.
Below is a sample lighttpd snip of the configuration needed to get this to work:
server.name = "your_server_name"
alias.url += (
  "/shibboleth-sp/logo.jpg" => "/usr/local/shib-sp/doc/shibboleth/logo.jpg",
  "/shibboleth-sp/main.css" => "/usr/local/shib-sp/doc/shibboleth/main.css"
)
server.document-root = "/servers/tags/www/"
fastcgi.server = (
  "/Shibboleth.sso" => (( "socket" => "/tmp/fcgi-resp.sock", "bin-path" => "/servers/lighty/shibresp", "check-local" => "disable", "mode" => "responder",
    "bin-environment" => ( "SHIB_CONFIG" => "/usr/local/shib-sp/etc/shibboleth/shibboleth.xml", "SHIB_SCHEMA" => "/usr/local/shib-sp/share/xml/shibboleth" ) )),
  "/" => (( "socket" => "/tmp/fcgi-auth.sock", "bin-path" => "/servers/lighty/shibauth", "check-local" => "disable", "mode" => "authorizer",
    "bin-environment" => ( "SHIB_CONFIG" => "/usr/local/shib-sp/etc/shibboleth/shibboleth.xml", "SHIB_SCHEMA" => "/usr/local/shib-sp/share/xml/shibboleth" ) )),
  ".php" => (( "socket" => "/tmp/fgci-php.sock", "broken-scriptfilename" => "enable", "mode" => "responder" )),
  ".xml" => (( "socket" => "/tmp/fgci-php.sock", "broken-scriptfilename" => "enable", "mode" => "responder" ))
)
I have a PHP application being served behind shibboleth. Note the env variables SHIB_SCHEMA and SHIB_CONFIG used to configure the fastcgi applications, this is mandatory.
Also, in the case of lighttpd, you need the patch for bug #322. (http://trac.lighttpd.net/trac/ticket/322).
This opens up some interesting possibilities as it can be used with any web server that supports the fastcgi specification and can be run remotely. I haven't yet thought much about these issues but am open to suggestions. You need the fcgi library in order to compile this.
I hope you find this useful, it is to me.
Regards,
André Cruz
Attachment:
shibauthorizer.cpp
Description: Binary data
Attachment:
shibresponder.cpp
Description: Binary data
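The message above says the authorizer exports attributes as environment variables for the underlying application. In the FastCGI Authorizer role that is done with `Variable-` response headers on a 200 reply, while any non-200 reply is relayed to the browser. The following is an added illustration of that reply format, not the attached shibauthorizer.cpp; the function names, attribute names and login URL are constructed for the example, and values are stripped of control characters because they originate in assertions outside the SP's control.

```cpp
#include <cctype>
#include <iostream>
#include <map>
#include <string>

// Keep only [A-Z0-9_] so a name cannot break out of its header line.
static std::string safe_name(const std::string& in) {
    std::string out;
    for (unsigned char c : in)
        out += (std::isalnum(c) || c == '_') ? static_cast<char>(std::toupper(c)) : '_';
    return out;
}

// Replace control characters (CR, LF, NUL, ...) so an attribute value
// cannot start a second, attacker-chosen Variable- header.
static std::string safe_value(const std::string& in) {
    std::string out;
    for (unsigned char c : in)
        out += std::iscntrl(c) ? ' ' : static_cast<char>(c);
    return out;
}

// authenticated == true : 200 plus one Variable-<NAME> header per attribute;
//   the web server adds each pair to the environment of the request it
//   then hands to the application (e.g. the PHP responder).
// authenticated == false: a non-200 reply, which the server sends to the
//   client instead of running the application; here a redirect.
std::string authorizer_reply(bool authenticated,
                             const std::map<std::string, std::string>& attrs,
                             const std::string& login_url) {
    if (!authenticated)
        return "Status: 302 Found\r\nLocation: " + safe_value(login_url) + "\r\n\r\n";
    std::string reply = "Status: 200 OK\r\n";
    for (const auto& kv : attrs)
        reply += "Variable-" + safe_name(kv.first) + ": " + safe_value(kv.second) + "\r\n";
    return reply + "\r\n";
}

int main() {
    // Constructed sample attributes; the second value embeds CR/LF.
    std::map<std::string, std::string> attrs = {
        {"REMOTE_USER", "alice@example.org"},
        {"Shib-Affiliation", "staff\r\nVariable-REMOTE_USER: root"}};
    std::cout << authorizer_reply(true, attrs, "https://idp.example.org/login");
    std::cout << authorizer_reply(false, attrs, "https://idp.example.org/login");
    return 0;
}
```

Because the application sees these values as ordinary environment variables, it should read only the names the authorizer is configured to set.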