Getting access to Shib Attributes after initial authentication

Guy Tadi tadiguy812 at
Sun Aug 23 19:38:51 EDT 2015

Back on this subject again - I thought I had found an acceptable solution
but it is turning out to be a performance bottleneck as I scale my system
because all web service requests go through Shib.
To recap my problem: I'm using Lighttpd with shibauthorizer/responder.
Users authenticate by browsing to https://hostname/authenticate which works
fine. I need to access shib attributes from https://hostname/service. The
RequestMapper below doesn't work for me in Lighttpd.

<RequestMapper type="Native">
    <RequestMap applicationId="default" exportStdVars="true">
        <Host name="hostname" authType="shibboleth">
            <Path name="authenticate" authType="shibboleth"
                  requireSession="true" exportAssertion="true"/>
        </Host>
    </RequestMap>
</RequestMapper>


I suppose it's because in Lighttpd one has to specifically set the fastcgi
authorizer path to /authenticate, which seems to be the only way for Shib
to intercept the session and, based on the RequestMapper requireSession
attribute, do a redirect to the IdP. Simply adding authType="shibboleth" to the Host
section of the RequestMapper as above doesn't make the attributes appear in
/service or even in "/" because Shib knows nothing about that path. Is my
understanding correct, and there is no practical way to export assertions to
a path that shibauthorizer knows nothing about (via the shibauthorizer fcgi), or
is my understanding wrong and there is a way around this?

On Fri, Apr 17, 2015 at 5:45 PM, Guy Tadi <tadiguy812 at> wrote:

> Thanks. That was helpful. I had tried that earlier and it didn't work, but
> after your response above I decided to try it again. Of course it still
> didn't work, but then it struck me there might be something else wrong and
> indeed it was my webserver config. All is well now. Thanks a million.
> On Fri, Apr 17, 2015 at 4:58 PM, Cantor, Scott <cantor.2 at> wrote:
>> > I'm still unclear about this. If I change my RequestMapper to
>> > <Path  authType="shibboleth" /> I get a configuration error.
>> I didn't say to do that, and that isn't valid, Paths require names. If
>> you want to attach settings to a Host, you put it in the Host element.
>> > I thought requireSession="true" is needed to trigger SP and get
>> assertion
>> > from IdP.
>> If you want to trigger a session for /secure, then do that. You asked how
>> to get the data visible for other content, and the answer is to attach the
>> authType setting to *that* content. With or without requireSession being
>> set, any existing session will be processed and exported for that request.
>> > Using my current configuration below can you please clarify a bit which
>> > values to use for each attribute and which ones, if any, I should remove
>> > completely?
>> Add authType to the Host. If that doesn't work, then I'm not remembering
>> the code well enough and would have to go do some checking.
>> -- Scott
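The thread's own conclusion is that the SP can only see, and therefore only export attributes for, requests that pass through the shibauthorizer FastCGI helper; the RequestMapper then decides per path whether a session is required. The following lighttpd configuration is an added example, not from the thread or from the Shibboleth project, showing that binding for both /authenticate and /service while leaving all other paths untouched. Socket paths, binary paths and the document root are assumptions and must match the installed SP.

```lighttpd
# Added example: lighttpd 1.4 wiring for the Shibboleth SP FastCGI helpers.
# Socket, binary and docroot paths are assumptions; adjust to the installation.
server.modules += ( "mod_fastcgi" )

# shibresponder serves the SP handler URLs (SSO return, metadata, logout).
# It is a normal FastCGI responder, so it is bound globally.
fastcgi.server = (
    "/Shibboleth.sso" => ((
        "socket"      => "/var/run/shibboleth/shibresponder.sock",  # assumption
        "bin-path"    => "/usr/lib/shibboleth/shibresponder",       # assumption
        "check-local" => "disable",
        "min-procs"   => 1,
        "max-procs"   => 1,
    )),
)

# shibauthorizer runs in FastCGI authorizer mode ahead of the real request.
# Only requests matching this conditional reach it; everything else is served
# without contacting shibd, which is the trade-off the poster is weighing.
# The RequestMapper (authType on the Host, requireSession on /authenticate)
# then controls whether a missing session triggers a redirect to the IdP.
$HTTP["url"] =~ "^/(authenticate|service)(/|$)" {
    fastcgi.server += (
        "/" => ((
            "socket"      => "/var/run/shibboleth/shibauthorizer.sock",  # assumption
            "bin-path"    => "/usr/lib/shibboleth/shibauthorizer",       # assumption
            "check-local" => "disable",
            "mode"        => "authorizer",
            "docroot"     => "/var/www",                                 # assumption
        )),
    )
}
```

With this layout an existing session established at /authenticate is processed and its attributes exported on /service because /service is also routed through the authorizer, which is exactly what the Host-level authType="shibboleth" setting needs in order to take effect; paths outside the conditional never reach the SP and so never receive attributes.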