shibboleth-dev - RE: shib2: headernames
Subject: Shibboleth Developers
- From: "Scott Cantor" <>
- To: <>
- Subject: RE: shib2: headernames
- Date: Wed, 25 Jul 2007 12:05:43 -0400
- Organization: The Ohio State University
> "A directive with the OR_AUTHCFG bit set may appear in the server-wide
> configuration files (e.g., httpd.conf) inside <Directory> or <Location>
> containers, and in .htaccess files when the scope is covered by an
> AllowOverride AuthConfig keyword.
> "
> So to use it 'globally' I need to make sure the global scope is covered
> by "AllowOverride AuthConfig". Is that possible? If not: great solution,
> but not extremely practical (alternative options?).
I thought AllowOverride only applied to content settings. If you use it
globally, you're outside any specific content block, so it should be
separate from those override rules. Or so I thought.
I can play with it. I didn't want it to be just a server setting, since it
affects application access to the data, it might be different per
application tree.
> dev-discussion about https://bugs.internet2.edu/jira/browse/SSPCPP-22 :
> "attribute aliases not available anymore"
> This creates a (the only I noticed so far) compatibility issue, but I
It's a pretty minor one that you can fix by editing your htaccess rules when
you upgrade, that doesn't seem all that onerous (compared to changing apps).
For sites using the normal "or" logic, you can just add rules, in fact,
ahead of time, with the new names. I really had no idea anybody was even
widely using the feature, I find htaccess rules useless for real
applications.
> agree that it should be encouragement to switch to the safer environment
> variables option. However it would be superb if we would be able to
> offer both methods at the same time. This will not only ease
> compatibility, but will allow everybody to 'port' their applications
> piece-by-piece.
There is no place to put what used to be the alias. I have no place to
configure it (I'd have to hack it into the extraction file) and I don't
really have the information handy as part of the attributes to use. It would
be a rather ugly change that I was really hoping to avoid.
I just don't consider the htaccess support to be "core" to the system. It's
just kind of there as an extra for older apps, and they use require
user/group anyway. In particular, do you have actual *partners* using it?
Real commercial sites? I'd be quite surprised by that.
> The best technical solution I see:
> * "ShibUseEnvironment On" + "ShibUseHeaders On" (default On+Off)
That's separate from the alias question, but why would you want to do both,
what would it accomplish for you that simply setting the one setting on/off
for different content wouldn't do? I didn't expect people to immediately use
the environment option if they have older apps, certainly. But I assumed
people would just tweak some htaccess files and make the IDs match their old
header names until they want to change them.
> * being able to define an attribute twice with different ID's in the
> attribute map (or something like that): this should solve a big pool of
> (future) compatibility problems.
Same question...what's the use case you're trying to solve, apart from the
lack of an alias? Duplicating all the data in memory is a pretty large price
to pay just to avoid changing a file.
Note that the extraction is configured per-app, so if you had multiple
applications and one needed one set of names and the other needed a
different set, you can just use separate applicationIds for that, and create
old and new attribute maps.
The main reason I don't like all this screwing around is that using the
single ID is a really nice and important simplification for the system, both
SP and IdP. I really don't want to lose that. I think the alias thing was
very confusing.
-- Scott