This page demonstrates the usage of Shibboleth lazy sessions. Quoting the 'Shibboleth Technical Introduction':
"Shibboleth also supports so-called lazy session establishment, in which the resource may be accessed without prior authentication. This means the application must be intelligent enough to determine whether authentication is necessary, and then construct the proper URL to initiate a browser redirect to request authentication; if the application determines none is necessary or uses other authorization mechanisms, then the request for authentication may not need to be triggered. This complex functionality is mostly useful to protect a single URL with different access mechanisms, or to require authenticated access only in instances where the application deems it necessary."
Shibboleth Service Provider, current <RequestMap />:
<Path name="lazy" authType="shibboleth" requireSession="false"/>
The effect of lazy sessions is that the Shibboleth attributes are available only once the application forces a user login. Unlike on the protected demo page, authentication is not enforced here.
To establish and enable the Shibboleth session, you only have to define a link pointing to the Shibboleth session initiator URL, with the current URL as the target parameter.
Login URL using default IdP: /Shibboleth.sso/Login?target=https://aai-demo.switch.ch/lazy/
Login URL using Discovery Service: /Shibboleth.sso/DS?target=https://aai-demo.switch.ch/lazy/
To invalidate the Shibboleth session, you have to call the Logout URL, which will delete the Shibboleth session cookies.
Logout URL: /Shibboleth.sso/Logout?return=/lazy/
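Added example, not part of the original demo page or of SWITCH's code: a sketch of the application-side logic a lazy session needs, which decides whether a session exists and builds the login and logout links with the target URL-encoded and restricted to this Service Provider. The function names and the use of the Shib-Session-ID variable as the "session exists" signal are assumptions; the host and handler paths are the ones shown above.

```python
from urllib.parse import urlsplit, urlencode

SP_HOST = "aai-demo.switch.ch"   # host taken from the page's example URLs
HANDLER = "/Shibboleth.sso"      # handler path taken from the page


def has_session(environ):
    """True when the SP exported a session for this request.

    Assumption: the SP exposes Shib-Session-ID once a session exists."""
    return bool(environ.get("Shib-Session-ID"))


def login_url(current_url, use_discovery=False):
    """Build the session initiator link with the current URL as target."""
    parts = urlsplit(current_url)
    # Only return the user to this SP over https; reject anything else so a
    # request-supplied URL cannot steer the post-login redirect elsewhere.
    if parts.scheme != "https" or parts.hostname != SP_HOST:
        raise ValueError("target must be an https URL on this SP")
    endpoint = "DS" if use_discovery else "Login"
    # urlencode() escapes '&', '?' and '=' inside the target, so a query
    # string on the current page stays part of target instead of leaking
    # into the handler's own parameters.
    return f"{HANDLER}/{endpoint}?" + urlencode({"target": current_url})


def logout_url(return_path="/lazy/"):
    """Build the logout link; the return value must be a local path."""
    if (not return_path.startswith("/") or return_path.startswith("//")
            or "\\" in return_path):
        raise ValueError("return must be a local path")
    return f"{HANDLER}/Logout?" + urlencode({"return": return_path})


def render(environ, current_url):
    """Lazy-session decision: logout link if logged in, else a login link."""
    if has_session(environ):
        return {"authenticated": True, "link": logout_url()}
    return {"authenticated": False, "link": login_url(current_url)}


if __name__ == "__main__":
    # Constructed sample requests: one without and one with a session.
    page = "https://aai-demo.switch.ch/lazy/?page=2&lang=en"
    print(render({}, page))
    print(render({"Shib-Session-ID": "_constructed_example"}, page))
```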
Attributes | Values |
Shib-Handler | https://aai-demo.switch.ch/Shibboleth.sso |