ApplicationOverride and sessionHook

Jeff Hall jefhall at
Tue Nov 25 13:08:04 EST 2014


I'm curious about the behavior of the sessionHook attribute within
element. It doesn't appear to override "properly" when used within an
application override ...

Our situation: we have three sites all (roughly) using the same SP and IdP.
Two of the sites need to invoke a sessionHook as part of a
provisioning/account validation process, but one of them should not.
Originally, we tried to accomplish this by setting the sessionHook at the
applicationDefaults element level and "blanking out" the session hook on a
applicationOverride element. Apache uses ShibRequestSetting applicationId
xxx to invoke the desired "application" ... but all three sites would use
the sessionHook without respect to the override.

In a different attempt, we removed the sessionHook directive from
applicationDefaults and tried to specify it in two different
applicationOverrides, leaving it unspecified in the third.  This also
didn't function as intended ... none of the sites would invoke sessionHook.

I've tried to follow the source code to understand how and in what order
the SP builds its config, but I figured a quick message to the list would
be a better start.

We're running SP 2.5.3 in Apache. Any thoughts? Can I provide more/better

Thank you!

*Jeff Stice-Hall, CISSP, CSSLP, CSM*
Identity/Access Management Specialist
Lexmark International
-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list