The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

FastCGI SP Application

It consists of 2 modules:

- a fastcgi responder (shibresp) that handles the HandlerURL
- a fastcgi authorizer that acts as a filter and does the usual (authN, export assertions and authZ). The only difference is that the attributes are exported as environment variables for the underlying application. This is a fastcgi limitation, but I think this is not a problem.
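In the FastCGI specification, an authorizer hands name-value pairs to the handlers that run after it through response headers prefixed with `Variable-`, and the web server places them in the environment of the later request. The block below is an added example, not shibauth's own code: it builds such a 200 response and refuses any attribute that could inject extra headers or pass for a client-supplied `HTTP_*` variable. The names `build_authz_ok` and `struct attr`, the sample attribute and the `HTTP_` rule are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct attr { const char *name; const char *value; };

/* Names must look like environment variables and must not start with
 * HTTP_, the prefix CGI uses for headers that came from the client. */
static int name_ok(const char *n) {
    if (!(isalpha((unsigned char)*n) || *n == '_')) return 0;
    if (strncmp(n, "HTTP_", 5) == 0) return 0;
    for (; *n; n++)
        if (!(isalnum((unsigned char)*n) || *n == '_')) return 0;
    return 1;
}

/* Values must hold no control characters: a CR or LF would end the header
 * early and let attribute data add further Variable- lines. */
static int value_ok(const char *v) {
    for (; *v; v++)
        if ((unsigned char)*v < 0x20 || *v == 0x7f) return 0;
    return 1;
}

/* Write the authorizer's 200 response into out. Returns the byte count, or
 * -1 if an attribute is unsafe or the buffer is too small; the caller
 * should then deny the request rather than send a partial response. */
int build_authz_ok(const struct attr *a, size_t n, char *out, size_t cap) {
    int w = snprintf(out, cap, "Status: 200\r\n");
    if (w < 0 || (size_t)w >= cap) return -1;
    size_t used = (size_t)w;
    for (size_t i = 0; i < n; i++) {
        if (!name_ok(a[i].name) || !value_ok(a[i].value)) return -1;
        w = snprintf(out + used, cap - used, "Variable-%s: %s\r\n",
                     a[i].name, a[i].value);
        if (w < 0 || (size_t)w >= cap - used) return -1;
        used += (size_t)w;
    }
    if (cap - used < 3) return -1;      /* room for CR LF NUL */
    memcpy(out + used, "\r\n", 3);      /* blank line ends the headers */
    return (int)(used + 2);
}

int main(void) {
    struct attr s[] = { {"REMOTE_USER", "alice@example.org"} }; /* constructed */
    char buf[256];
    if (build_authz_ok(s, 1, buf, sizeof buf) > 0) fputs(buf, stdout);
    return 0;
}
```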

Below is a sample lighttpd configuration snippet needed to get this to work:

server.name = "your_server_name"

alias.url += (
                  "/shibboleth-sp/logo.jpg" => "/usr/local/shib-sp/doc/shibboleth/logo.jpg",
                  "/shibboleth-sp/main.css" => "/usr/local/shib-sp/doc/shibboleth/main.css"
                  )
server.document-root = "/servers/tags/www/"

fastcgi.server  = (
      "/Shibboleth.sso" => (("socket" => "/tmp/fcgi-resp.sock", "bin-path" => "/servers/lighty/shibresp", "check-local" => "disable", "mode" => "responder", "bin-environment" => ( "SHIB_CONFIG" => "/usr/local/shib-sp/etc/shibboleth/shibboleth.xml", "SHIB_SCHEMA" => "/usr/local/shib-sp/share/xml/shibboleth"))),
      "/"   => (("socket" => "/tmp/fcgi-auth.sock", "bin-path" => "/servers/lighty/shibauth", "check-local" => "disable", "mode" => "authorizer", "bin-environment" => ( "SHIB_CONFIG" => "/usr/local/shib-sp/etc/shibboleth/shibboleth.xml", "SHIB_SCHEMA" => "/usr/local/shib-sp/share/xml/shibboleth"))),
      ".php" => (( "socket" => "/tmp/fgci-php.sock", "broken-scriptfilename" => "enable", "mode" => "responder")),
      ".xml" => (( "socket" => "/tmp/fgci-php.sock", "broken-scriptfilename" => "enable", "mode" => "responder"))
)

I have a PHP application being served behind Shibboleth. Note the environment variables SHIB_SCHEMA and SHIB_CONFIG used to configure the fastcgi applications; these are mandatory.

Also, in the case of lighttpd, you need the patch for bug #322.

This opens up some interesting possibilities as it can be used with any web server that supports the fastcgi specification and can be run remotely. I haven't yet thought much about these issues but am open to suggestions. You need the fcgi library in order to compile this.