[shib_auth] Authorization
Laas Toom
Laas.Toom at ut.ee
Mon Oct 28 08:41:54 CET 2013
Hello,
I’m in the process of protecting a Drupal app with Shibboleth and the shib_auth module.
Our requirement is that the application must remain publicly visible to the world, but logged-in users get write access. The problem is that not all Shibboleth users must get access, and I can’t really figure out how to apply authorization when Shibboleth is configured to use lazy sessions and shib_auth automatically grants the ‘logged in user’ role to all users.
I know I can map Shibboleth attributes to roles, but that doesn’t override the automatic login.
Is there a reason why shib_auth is set up so that lazy sessions are required? Wouldn’t it be better to make it more like password authentication, where a single point of entry is protected, where the user session is created, not on every request?
--
Laas Toom