[shib_auth] Drupal Shibboleth Module -- General Question

Kristof Bajnok bajnokk at niif.hu
Tue May 29 16:42:45 CEST 2012


On 25/05/12 21:06, Paul Bramscher wrote:
> Thanks for your responses.  We probably can't process Shib sessions
> without SSL (I believe our Shib IDP will refuse), and this would
> probably be a very bad idea in a large environment like ours --
> potential for plain-text packet sniffing, spoofing, etc.

Yes, you cannot initiate a session without SSL unless the metadata is
prepared for non-encrypted endpoints, which is a bad idea, agreed.

However, when you allow plain http access to your Drupal, then the
session cookie will still go unencrypted, which opens up (almost) the
same security questions.

> I'm a long-time PHP programmer (12 years), but not a Drupal programmer. 
> The approach I took in another application was to build my own session
> management system, and bootstrap the "login" page additionally with
> Shibboleth session processing.  

I believe this is what shib_auth is doing when you don't force session
expiry.

> The entire directory is enforced as
> Shib-protected at the htaccess level, and the application's login
> page/functionality will generate an application-specific session.  The
> other pages check only for that application session.  Not without its
> own issues, but it seems to have worked out okay in that context.

Yes, actually only two things will not work at the moment:
 - dynamic role provisioning (static rules will!)
 - single logout

If you don't need either of them, you can use it without moving your
entire site under https / shibboleth protection.

I will work on an implementation which will make even these two
restrictions go away, but it is definitely not trivial.

Kristof

PS: please use the mailing list for replies, not my private address.
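A small cookie-flag audit for the risk raised in this thread (the Drupal session cookie crossing plain http when the site is not fully under https), added here as an example; it is not code from the thread or from the shib_auth module. It assumes Drupal's SESS/SSESS session cookie naming and the Shibboleth SP's _shibsession_ cookie name; the Set-Cookie headers are constructed samples.

```python
"""Audit Set-Cookie headers for session cookies lacking Secure/HttpOnly.

Sample headers below are constructed, not captured from any real site.
"""
import re

# Assumed naming: Drupal SESS<hash>/SSESS<hash>, PHP default, Shibboleth SP.
SESSION_COOKIE_RE = re.compile(r"^(S?SESS[0-9a-f]+|PHPSESSID|_shibsession_.*)$", re.I)


def parse_set_cookie(header):
    """Return (cookie name, {attribute: value}) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), attrs


def audit_cookies(headers):
    """Return [(name, [missing flags])] for session-looking cookies.

    A session cookie without Secure is sent on plain-http requests too,
    which is the exposure discussed above.
    """
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if not SESSION_COOKIE_RE.match(name):
            continue
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


# Constructed sample responses: a plain-http Drupal session cookie, its https
# counterpart, a Shibboleth SP session cookie, and a harmless non-session cookie.
SAMPLE_HEADERS = [
    "SESS3a1f9c2e=abc123; path=/; HttpOnly",
    "SSESS3a1f9c2e=def456; path=/; Secure; HttpOnly",
    "_shibsession_64656661756c74=_7a2b; path=/; HttpOnly",
    "has_js=1; path=/",
]

if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS):
        print(f"{cookie}: missing {', '.join(missing)}")
```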
