[shib_auth] Shibboleth Protection Path
Kristof Bajnok
bajnokk at niif.hu
Fri Apr 6 14:27:56 CEST 2012
On 06/04/12 14:10, Kristof Bajnok wrote:
> On 06/04/12 01:34, Nate Klingenstein wrote:
>> Would it be possible instead to protect only the /shib_login/ path to
>> eliminate the need for Shibboleth to intercept all queries to the Drupal
>> environment? This is, of course, with the option "/Destroy Drupal
>> session when the Shibboleth session expires/" disabled.
>
> If the role assignment is based on attributes which are set by the SP,
> then it also demands the entire Drupal path to be protected. (Sticky
> roles aside.)
Correcting myself: role assignment is only run if the Identity Provider
field is set, which means that the request is directed through the Shib
SP ("require shibboleth").
>> I think this could somewhat improve the performance of the implementation.
>
> If you did measurements regarding the Shibboleth SP overhead, then your
> data would be very interesting to me.
And also shib_auth consumes some CPU cycles when it detects the
Shibboleth headers.
Kristof