xtim
Monday, August 18, 2008
 
Thank you, RequestMap
I was getting into a tangle between mod_rewrite and Shibboleth, trying to get Shibboleth to filter access to a particular URL, which would then be rewritten to go through our standard login handler. Trying to fix the ordering so that the Shibboleth filter got to handle the URL before it was rewritten was perhaps impossible - and turns out to be unnecessary.

In the shibboleth2.xml you can specify which requests Shibboleth should intercept, down to the level of query strings. So in the RequestMap I can specify

    <Host name="sp.machine">
        <Path name="/path/to/loginServlet">
            <Query name="action" regex="loginShibboleth" authType="shibboleth" requireSession="true"/>
        </Path>
    </Host>

and have Shibboleth leave all the existing requests to the login page alone, catching only those which ask for the new authentication mechanism. The documentation notes one caveat:


Query string matching can be difficult, because the client totally dictates the information, and case matters. It should be used only when the case of the parameter name is significant to the application consuming it, because then the client can bypass your rule, but not actually get the application to run.


which suits us fine - you're either invoking the Shibboleth login (for which you need the query parameter as specified), or you're not (in which case you meet our existing authentication code).

T
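
An added example (not from the original post or the Shibboleth project) that models the rule above and checks the documentation's caveat against two hypothetical login handlers: one that reads `action` with exact case, and one that ignores parameter-name case. The matching model (exact path, whole-value regex match) and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Values copied from the RequestMap rule in the post.
RULE_PATH = "/path/to/loginServlet"
RULE_PARAM = "action"
RULE_REGEX = "loginShibboleth"


def rule_matches(url):
    """Model of the <Query> rule: exact-case parameter name, regex on its value."""
    parts = urlsplit(url)
    if parts.path != RULE_PATH:  # assumption: exact path comparison
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    # Assumption: the regex has to match the whole value.
    return any(re.fullmatch(RULE_REGEX, v) for v in params.get(RULE_PARAM, []))


def strict_app(url):
    """Hypothetical login handler that reads the parameter with exact case."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return "loginShibboleth" in params.get("action", [])


def lenient_app(url):
    """Hypothetical handler that ignores parameter-name case (the unsafe pairing)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return any("loginShibboleth" in vals
               for name, vals in params.items() if name.lower() == "action")


def unprotected_hits(app, urls):
    """URLs where the app takes the Shibboleth branch but the rule did not fire."""
    return [u for u in urls if app(u) and not rule_matches(u)]


# Constructed sample requests (not from the original post).
SAMPLE_URLS = [
    "https://sp.machine/path/to/loginServlet?action=loginShibboleth",
    "https://sp.machine/path/to/loginServlet?Action=loginShibboleth",
    "https://sp.machine/path/to/loginServlet?action=login",
    "https://sp.machine/path/to/loginServlet",
]

if __name__ == "__main__":
    print("strict :", unprotected_hits(strict_app, SAMPLE_URLS))
    print("lenient:", unprotected_hits(lenient_app, SAMPLE_URLS))
```

An empty list for a handler means every request that reaches its Shibboleth branch was also caught by the rule, which is the condition the documentation's caveat asks for.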
