Shib-Authentication-Instant via mod_proxy_ajp

Klingenstein, Nate nklingenstein at calstate.edu
Wed Aug 17 06:51:31 EDT 2016


Robert,

You can forcibly stick prefixes on accepted attributes in a variety of ways.  I don't know whether all of them give you control over the ones wired into the SP itself.

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall

If you're willing to go with mod_jk:

All variables whose name does not begin with "JK" are set directly by Apache httpd. If you want to change the data, but do not want to negatively influence the behaviour of other modules, you can change the names of all variables mod_jk uses to private ones. For the details see the Apache reference page.

https://tomcat.apache.org/connectors-doc/reference/apache.html

Try JkEnvVar; there's probably something similar implemented for mod_proxy_ajp.

Hope this helps,
Nate.

> On Aug 17, 2016, at 2:59 AM, Robert Lowe <robertmlowe at rmlowe.com> wrote:
> 
> I have a Tomcat application that needs to make use of Shib-Authentication-Instant. I am using mod_proxy_ajp.
> 
> Unfortunately mod_proxy_ajp only forwards environment variable that start with AJP_
> 
> For SAML attributes that's not a problem as I can obviously choose the local name in attribute-map.xml.
> 
> But as far as I know there's no way to do that with Shib-Authentication-Instant.
> 
> So I'm curious whether anyone else has solved this problem?
> 
> 	• Is there a way to rename Shib-Authentication-Instant within the SP?
> 	• If not, any other trick to get it forwarded by mod_proxy_ajp? For example, some way to rename the environment variable within Apache?
> 
> -- 
> Best regards,
> 
> Robert Lowe
> http://crepuscular.rmlowe.com/
> -- 
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net



More information about the users mailing list