Hi, here is a definition of what Shibboleth means by "Lazy Session":
https://wiki.shibboleth.net/confluence/display/SHIB/LazySession (note, link is to the older Shib 1.3 documentation, I can't find the corresponding page in the 2.x documentation). In a nutshell, a Lazy Session configuration of Shibboleth allows attributes from an already-established session to be passed to your application, but does not actually require such an existing session. A Lazy Session Login URL would be where you would need to send a user should the session need to be recreated or refreshed for some reason. In your Apache config file, here's how you'd configure a lazy session: # turn on Shibboleth "Lazy Session" <Location /> AuthType shibboleth ShibRequireSession Off require shibboleth </Location> If you instead pass a value of ShibRequireSession On or ShibRequireSession True, you would force all visitors to login when they encounter any URL to your site. So, in a Lazy Session environment, you still need a way for your application to create new sessions and/or refresh existing ones. If you are using Shibboleth authentication at your institution, I recommend utilizing Lazy Sessions, as it's how you deliver on the promise of a "single sign on," otherwise you're asking people to log in "yet again," using the same credentials they use elsewhere. -- HARDY POTTINGER <pottinge...@umsystem.edu> University of Missouri Library Systems http://lso.umsystem.edu/~pottingerhj/ https://MOspace.umsystem.edu/ "Every last one of us can do better than give up."-- Sugar On 6/10/13 1:47 PM, "Kevin P. Foote" <kpfo...@iup.edu> wrote: > >On Mon, 10 Jun 2013, Mark H. Wood wrote: > >> So, from the DSpace installer's POV, the doco. should answer the >> question: how do I generate the proper value for this variable? That >> does seem to take some reading between the lines. The DSpace source >> doesn't really help much here. You have to look at the way that >> Shibboleth is plumbed into your web server. >> >> There seems to be an assumption that Apache HTTPD is used. My best > >You will most certainly be using Apache as a front to tomcat/jetty if >you are using or relying on the Shibboleth SP. > >> guess is that the value for lazysession.loginurl can be calculated by >> finding something in the HTTPD configuration that looks like: >> >> <Location /Shibboleth.sso> >> SetHandler shib >> </Location> >> >> taking the argument to <Location> and appending "/Login". >> >> Can someone confirm that this is How To Do It? or supply the correct >> procedure? I'd be happy to fix the DSpace documentation once I am >> confident that I know what it should say. > >I've always assumed (yea-yea) that if your running Shib for your login >you have some local resources to fall back on, local or back to the shib >community. > >The concept of 'lazy login' comes into play if you have a website that in >general does NOT need to be user/pass protected -- ie: searchable by the >world etc. But, has some areas that need to have authn/z to function. > >So we are left with a protection example that looks like this in apache >config.. > ><!-- --> ><!-- Lazily protect the entire dspace site --> ><!-- --> ><Location /> > AuthType Shibboleth > ShibRequestSetting requireSession 0 > Require shibboleth ></Location> > >Your entry in to the dspace config would be that of the SP login >initiator.. which by default is http(s)://<site>/Shibboleth.sso/Login > >This tells the shib-sp to kick off a login event which, directs to IdP >or discovery page.. > >So, I'm purely guessing here that, in dspace 3 you are calling the >initiator directly, hence the config entry, to get the login started >rather than relying on an Apache <Location> block specific to where the >shibboleth login code will be waiting. > > >--- > >Contrast the older model.. >In 1.7 era (which I'm still using) you protect a Dspace location >"/shibboleth-login" which gets the login rolling and is able to parse >out the return data from the headers. > >example of 1.7 ish > ><Location /shibboleth-login> > AuthType shibboleth > ShibRequestSetting requireSession 1 > ShibUseHeaders On > Require affiliation "member" ></Location> > > >------ >thanks > kevin.foote > >-------------------------------------------------------------------------- >---- >This SF.net email is sponsored by Windows: > >Build for Windows Store. > >http://p.sf.net/sfu/windows-dev2dev >_______________________________________________ >DSpace-tech mailing list >DSpace-tech@lists.sourceforge.net >https://lists.sourceforge.net/lists/listinfo/dspace-tech >List Etiquette: >https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette ------------------------------------------------------------------------------ This SF.net email is sponsored by Windows: Build for Windows Store. http://p.sf.net/sfu/windows-dev2dev _______________________________________________ DSpace-tech mailing list DSpace-tech@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/dspace-tech List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
