difference between "ShibDisable On" and

Peter Schober peter.schober at univie.ac.at
Tue Feb 13 11:44:38 EST 2018

* Dr. Marco Lechner <mlechner at bfs.de> [2018-02-13 16:58]:
> what is the difference between
> <Location /foo>
>   AuthType shibboleth
>   ShibRequestSetting requireSession 0
>   Require shibboleth
> </Location>
> and
> <Location /foo>
>   AuthType shibboleth
>   ShibDisable On
>   Require shibboleth
> </Location>

I think the latter is better written as

<Location /foo>
  ShibDisable On
</Location>

which might illustrate the difference better.

With authtype and the dummy require directive set you'd normally want
to be able to have access to attributes/session data if already
available, but not force creation of a session if none exists.

The former achieves that and this example would be meaningful mostly if
<Location /> had active protection, i.e., you wanted to exclude /foo
from the more general requirement.

Since the latter makes Shib return immediately I don't think you'd get
available attributes with ShibDisable on.

> Are both examples correct (can be used within a location-directive)?

Only the rewritten version of the latter makes sense to me, but YMMV.

> Which one is faster if /foo just delivers lots of static resources
> (images)?

If you don't care about session data in /foo then the latter is faster.
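
A small checker for the variants discussed in this thread, added here as an example and not part of the original message or of Shibboleth itself: it labels each <Location> block as passive ("lazy-session") or disabled, and notes AuthType/Require lines left next to ShibDisable On. The sample config, the paths /bar and /baz, and the name classify are assumptions made for the illustration.

```python
import re

# Constructed sample: the two variants from the question plus the rewritten
# form from the reply (the paths /bar and /baz are made up).
SAMPLE = """
<Location /foo>
  AuthType shibboleth
  ShibRequestSetting requireSession 0
  Require shibboleth
</Location>
<Location /bar>
  AuthType shibboleth
  ShibDisable On
  Require shibboleth
</Location>
<Location /baz>
  ShibDisable On
</Location>
"""

BLOCK = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>", re.S | re.I)

def classify(config):
    """Map each <Location> path to (mode, notes), following the thread's reasoning."""
    result = {}
    for path, body in BLOCK.findall(config):
        # Normalise directives: collapse whitespace, lowercase, drop blanks/comments.
        lines = [" ".join(l.split()).lower() for l in body.splitlines()]
        lines = [l for l in lines if l and not l.startswith("#")]
        disabled = "shibdisable on" in lines
        authtype = "authtype shibboleth" in lines
        require = "require shibboleth" in lines
        lazy = "shibrequestsetting requiresession 0" in lines
        notes = []
        if disabled:
            mode = "disabled"   # module returns immediately for this path
            if authtype or require:
                notes.append("AuthType/Require next to ShibDisable On")
        elif authtype and require and lazy:
            mode = "lazy-session"   # existing session data usable, none forced
        else:
            mode = "other"
        result[path.strip()] = (mode, notes)
    return result

if __name__ == "__main__":
    for path, (mode, notes) in classify(SAMPLE).items():
        print(path, mode, *notes)
```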



