Shib with REST and AJAX Best Practices

Russell J Yount rjy at
Tue Sep 13 14:29:35 BST 2011

* Peter Schober <peter.schober at>, Tuesday, September 13, 2011 9:05 AM
> Not sure what setup/scenario exactly you have in mind but for REST as in "non-browser access to shib protected resources" the usual answer is to not use the SAML profile explicitly designed for web browser access, but use ECP instead.

In our case the JavaScript running in a user's browser is communicating with a Ruby on Apache web server.

* Peter Schober <peter.schober at>, Tuesday, September 13, 2011 9:05 AM
> Sounds a bit like Voodoo. Lifetime specifies an upper limit for the session to be valid, timeout an inactivity limit between requests for the session to remain active. If the upper limit is lower than the inactivity limit you're simply not making use of the latter (and might as well disable the check with timeout="0", like the documentation says).

We tried timeout="0", but that broke Shibboleth authentication.

* Peter Schober <peter.schober at>, Tuesday, September 13, 2011 9:11 AM
> Leaving session management for your protected resource to the application (instead of the webserver by means of mod_shib) does not avoid the app having to authenticate /somewhere/ once correctly. It just means you'll have two sessions to take care of, one of which can be forgotten about (low timeout value) after a minute or two.

The thinking was the application could have better control over when re-authentication happens.
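As an added illustration (not part of this thread or of the Shibboleth project's own documentation), the two attributes Peter is describing live on the <Sessions> element of the SP's shibboleth2.xml. The first fragment shows the combination he calls out as pointless, an absolute lifetime lower than the inactivity timeout, so the inactivity check can never fire; the second shows a conventional pairing. Both are expressed in seconds, and the numeric values here are constructed examples rather than recommendations.

```xml
<!-- Misconfigured (constructed example): lifetime, the absolute upper bound on
     the SP session, is 10 minutes while timeout, the inactivity bound, is 1 hour.
     Every session dies at the 10-minute mark regardless of activity, so the
     timeout attribute has no effect and only adds confusion. -->
<Sessions lifetime="600" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="true" cookieProps="https">
  <!-- SSO, Logout and Handler children unchanged -->
</Sessions>

<!-- Conventional pairing (constructed example): an 8-hour absolute lifetime
     with a 1-hour inactivity timeout. An idle browser loses its SP session
     after an hour and must re-authenticate at the IdP; an active one is still
     forced to re-authenticate once the 8-hour limit is reached. -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="true" cookieProps="https">
  <!-- SSO, Logout and Handler children unchanged -->
</Sessions>
```

The ordering rule to check when reviewing an SP config is simply timeout < lifetime; when the two are inverted, as in the first fragment, the shorter value is the only one doing any work, which is the "Voodoo" Peter refers to.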

