Request for adding the SessionIndex of an AuthnStatement to the Environment Variables/Request Headers
Description
Environment
Activity
Scott Cantor December 17, 2010 at 2:39 PM
Closing after release.
Scott Cantor August 19, 2010 at 8:34 PM
Scott Cantor August 16, 2010 at 8:07 AM
We intend that people using Shibboleth with REST services use the session mechanism we provide.
What you're talking about is also confusing the local app session with the IdP session. They're orthogonal (and SAML doesn't even guarantee such a session at the IdP). And there is nothing out there that supports AuthnQuery that I'm aware of (certainly Shibboleth doesn't), so I don't think this is the right solution for your use case.
Thomas Linke August 16, 2010 at 4:48 AM
Image a shibbolized web application consists of a web interface and a couple of RESTful Web Services. The RESTful principles do not allow session handling. However, for some high value transactions the RESTful Web Service needs to check if the user has got a valid session. A solution would be to use an AuthnQuery including the SessionIndex.
Scott Cantor August 12, 2010 at 9:44 AM
I'm not aware of any use of AuthnQuery, or even any real world implementations of it for this kind of purpose.
(Not saying I can't add it, just very curious.)
If a shibbolized application has to perform an AuthnQuery to validate a current session, it requires the SessionIndex of the AuthnStatement. Currently, it is not possible to configure the Shibboleth SP in such a way that it provides the SessionIndex to a shibbolized application through Environment Variables/Request Headers.