Getting access to Shib Attributes after initial authentication

Cantor, Scott cantor.2 at
Sun Aug 23 19:56:28 EDT 2015

On 8/23/15, 7:38 PM, "users on behalf of Guy Tadi" <users-bounces at on behalf of tadiguy812 at> wrote:

>Back on this subject again - I thought I had found an acceptable solution but it is turning out to be a performance bottleneck as I scale my system because all web service requests go through Shib.

The SP is not going to appreciably slow anything down unless the FCGI support is just very badly implemented, or if you're talking about Google scale.

>To recap my problem: I'm using Lighttpd with shibauthorizer/responder.

If that's "worse" for performance, then maybe just use Apache? I don't know what the issue is, but you can't really operate outside the web server to deliver functionality that clearly belongs inside it without suffering performance penalties.

>I suppose it's because in Lighttpd one has to specifically set fastcgi authrorizer path to /authenticate which seems to be the only way for Shib to intercept the sesssion and based on RequestMapper requireSession attribute do a redirect to IdP.

AFAIK, you have to apply the authorizer to any protected path, period. That's the only way the SP is involved in the request flow.

> Simply adding authType="shibboleth" to Host section of Requestmapper as above doesn't make the attribute appear in /service or even in "/" because Shib knows nothing about that path.

The settings in the map determine what the SP does, but they have nothing to do with getting the SP to see the request in the first place. Not on Apache, not here. IIS is an exception because the filter sees every request to a site it's configured on.

-- Scott

More information about the users mailing list