FastCGI SP Application

It consists of 2 modules:

- a FastCGI responder (shibresp) that handles the HandlerURL
- a FastCGI authorizer (shibauth) that acts as a filter and does the usual work (authN, exporting assertions, and authZ). The only difference is that the attributes are exported as environment variables for the underlying application; this is a FastCGI limitation, but I think this is not a problem.
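
How attributes reach the application as environment variables under the FastCGI specification's Authorizer role, as an added example that is not shibauth's code and not part of the original page. It models both sides: the authorizer's success response and the web server merging it into the request environment. The attribute names, values and function names are constructed for illustration.

```python
# Added example: models the FastCGI Authorizer role as the spec describes it.
# Attribute names/values are constructed; this is not shibauth's own code.
import re

_NAME_OK = re.compile(r"^[A-Za-z0-9_-]+$")

def build_authorizer_response(attributes):
    """Return the CGI-style header block an authorizer sends on success.

    Each attribute becomes a 'Variable-<NAME>' header; the web server strips
    the prefix and adds NAME=value to the environment of the real handler.
    """
    lines = ["Status: 200 OK"]
    for name, value in sorted(attributes.items()):
        if not _NAME_OK.match(name):
            raise ValueError("bad attribute name: %r" % name)
        if "\r" in value or "\n" in value:
            # A CR/LF inside a value would let it start a new header line.
            raise ValueError("CR/LF in value of %r" % name)
        lines.append("Variable-%s: %s" % (name, value))
    return "\r\n".join(lines) + "\r\n\r\n"

def env_from_authorizer_response(response, request_env):
    """Model the server side: merge Variable-* headers into the request env."""
    head = response.split("\r\n\r\n", 1)[0]
    status, env = None, dict(request_env)
    for line in head.split("\r\n"):
        key, _, value = line.partition(":")
        value = value.strip()
        if key.lower() == "status":
            status = int(value.split()[0])
        elif key.startswith("Variable-"):
            env[key[len("Variable-"):]] = value
    if status != 200:
        # Any non-200 status means the server must not run the handler.
        raise PermissionError("authorizer denied the request")
    return env
```

Client-supplied request headers arrive in the CGI environment with an `HTTP_` prefix, so an application that reads only the un-prefixed names sees values set by the authorizer and not by the browser.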

Below is a sample lighttpd configuration snippet needed to get this to work:

server.name = "your_server_name"

alias.url += (
                  "/shibboleth-sp/logo.jpg" => "/usr/local/shib-sp/doc/shibboleth/logo.jpg",
                  "/shibboleth-sp/main.css" => "/usr/local/shib-sp/doc/shibboleth/main.css"
                  )
server.document-root = "/servers/tags/www/"

fastcgi.server = (
      "/Shibboleth.sso" => ((
            "socket" => "/tmp/fcgi-resp.sock",
            "bin-path" => "/servers/lighty/shibresp",
            "check-local" => "disable",
            "mode" => "responder",
            "bin-environment" => (
                  "SHIB_CONFIG" => "/usr/local/shib-sp/etc/shibboleth/shibboleth.xml",
                  "SHIB_SCHEMA" => "/usr/local/shib-sp/share/xml/shibboleth"
            )
      )),
      "/" => ((
            "socket" => "/tmp/fcgi-auth.sock",
            "bin-path" => "/servers/lighty/shibauth",
            "check-local" => "disable",
            "mode" => "authorizer",
            "bin-environment" => (
                  "SHIB_CONFIG" => "/usr/local/shib-sp/etc/shibboleth/shibboleth.xml",
                  "SHIB_SCHEMA" => "/usr/local/shib-sp/share/xml/shibboleth"
            )
      )),
      ".php" => ((
            "socket" => "/tmp/fgci-php.sock",
            "broken-scriptfilename" => "enable",
            "mode" => "responder"
      )),
      ".xml" => ((
            "socket" => "/tmp/fgci-php.sock",
            "broken-scriptfilename" => "enable",
            "mode" => "responder"
      ))
)

I have a PHP application being served behind Shibboleth. Note the environment variables SHIB_SCHEMA and SHIB_CONFIG used to configure the FastCGI applications; they are mandatory.

Also, in the case of lighttpd, you need the patch for bug #322.

This opens up some interesting possibilities, as it can be used with any web server that supports the FastCGI specification and can be run remotely. I haven't yet thought much about these issues but am open to suggestions. You need the fcgi library in order to compile this.