enabling user specified .htaccess files with Shibboleth

Cantor, Scott cantor.2 at osu.edu
Thu Aug 2 10:25:36 EDT 2012


On 8/2/12 9:34 AM, "Russell J Yount" <rjy at cmu.edu> wrote:
>
>The user cannot access it since they have a credential from IDP A already
>and Shibboleth does not seem to support changing which authenticated user
>they are even if user can login to IDP B.

Since there's no way for the SP to know that second part, by necessity it
has to be an application matter. You can replace a session with a new one
any time programmatically via redirect, but you can't combine them, which
is what "step-up" usually refers to.

>My secondary concern is only backward compatibility in the short term.
>Re-educating users that "require valid-user" is any user with InCommon
>may take some time to get everyone on board.

It only means that if you federate the SP (and of course if InCommon is
the actual metadata source). By default you shouldn't enable use of any
IdP on an SP but your own without a very conscious decision to do so that
would include every application on the system being aware of that profound
change. Taking anything that's internal to start with and federating it is
not a small decision.

If you need some apps to be federated and some not, that's what the
Application feature in the SP is for (you can have separate metadata per
app).

-- Scott
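To illustrate the per-application split Scott describes, here is an added example of a shibboleth2.xml fragment (SP 2.x syntax, not taken from the thread or from any Shibboleth distribution file): the default application trusts only the campus IdP's metadata, while one path on the same host is mapped to an ApplicationOverride that loads the federation metadata and uses discovery. All hostnames, entityIDs, paths and the metadata URL are placeholders chosen for this example.

```xml
<!-- Added example (not from the original post): one SP, two applications.
     Everything under /federated is federated; everything else stays campus-only. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">

  <!-- Map the /federated path to the "federated" application; all other
       paths fall through to the default application. -->
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="sp.example.edu" authType="shibboleth" requireSession="true">
        <Path name="federated" applicationId="federated"/>
      </Host>
    </RequestMap>
  </RequestMapper>

  <ApplicationDefaults entityID="https://sp.example.edu/shibboleth"
                       REMOTE_USER="eppn persistent-id targeted-id">

    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              relayState="ss:mem" handlerSSL="true" cookieProps="https">
      <!-- Default application: always send users to the campus IdP. -->
      <SSO entityID="https://idp.example.edu/idp/shibboleth">SAML2 SAML1</SSO>
      <Logout>SAML2 Local</Logout>
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <Errors supportContact="help@example.edu" logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css"/>

    <!-- Default application: only the campus IdP's metadata is loaded, so no
         other IdP can ever satisfy "require valid-user" here. -->
    <MetadataProvider type="XML" file="idp-metadata.xml"/>

    <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

    <!-- The federated application: separate metadata source and discovery.
         Apps under this override must be written knowing that any federation
         IdP can authenticate a user, so "valid-user" is not "campus user". -->
    <ApplicationOverride id="federated" entityID="https://sp.example.edu/shibboleth-federated">
      <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                relayState="ss:mem" handlerSSL="true" cookieProps="https">
        <SSO discoveryProtocol="SAMLDS"
             discoveryURL="https://ds.example.edu/DS/WAYF">SAML2 SAML1</SSO>
      </Sessions>
      <!-- Placeholder federation metadata URL; verify its signature and refuse
           stale aggregates rather than trusting whatever the download returns. -->
      <MetadataProvider type="XML"
                        uri="https://metadata.federation.example/aggregate.xml"
                        backingFilePath="federation-metadata.xml" reloadInterval="7200">
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
        <MetadataFilter type="Signature" certificate="federation-signing-cert.pem"/>
      </MetadataProvider>
    </ApplicationOverride>

  </ApplicationDefaults>

  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
```

Two points worth checking after deploying a layout like this: the SP's /Session handler will show which application id and which IdP a session belongs to, which is the quickest way to confirm a path really landed in the override; and content under the federated application should use attribute-based rules (for example requiring a specific scope or affiliation) rather than a bare `require valid-user`, since under that override the set of accepted IdPs is the whole federation.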
