Shibboleth SP Apache module sharing attributes with another apache module

cneberg cneberg at
Tue Mar 20 20:21:48 EDT 2018

>> but then it might be possible to just go at the SP module's internals directly.

True, but I worried about about future compatibility since its not a
frozen interface.

Another issue with using headers is we don't know for sure the
complete list which were actually populated by shib.  So we have to
clear the ones we think shib might use by reading the
attribute-mapping file before shib runs, read any values we find to do
our custom authorization logic then clear all of the items again at
the end so they don't get passed down.   Plus shib populates several
headers which aren't listed in the attribute mapping file so we are
having to clear those as well.   That problem would alleviated if
there was a trusted header which listed which headers could be

On Tue, Mar 20, 2018 at 6:54 PM, Cantor, Scott <cantor.2 at> wrote:
>> Could you populate them in request_rec->notes using a normal apache
>> type table - so we can get at them from our module?
> I guess if it's a custom module that might work, but then it might be possible to just go at the SP module's internals directly, otherwise you're basically waiting an indefinite period for this to be done.
> Also, there was a reason that it was done this way that had some obsecure impact on things. Given that it would be off by default I wouldn't care that much I suppose but I suspect it might end up not working in some cases.
> -- Scott
> --
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list