Use HTTP verb in Service Provider request mapper

Fabien BERTEAU fabien.berteau at
Thu Oct 21 06:48:56 UTC 2021

Our micro-services are behind a NGINX based API gateway (Kong) and called
by a SPA (until this, it's legacy) that would use a classic SP initiated
flow, if this design is right.
I want to try to plug the Shibboleth SP on Kong and use the XML based
request mapper to centralize on Kong/SP all host/verb/path/query access
But I would miss the HTTP verb access control feature.


Fabien Berteau | Security Architect


fabien.berteau at <aurelien.lajoie at>

Le mer. 20 oct. 2021 à 18:05, Cantor, Scott <cantor.2 at> a écrit :

> I don't see any viable way this makes any sense unless you expect your web
> service clients to use ECP, and that's a non-starter, but the answer is
> that Apache can limit rules based on verbs.
> -- Scott
> --
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list