Area: Lazy session

This page demonstrates the usage of Shibboleth lazy sessions. Quoting the 'Shibboleth Technical Introduction':

"Shibboleth also supports so-called lazy session establishment, in which the resource may be accessed without prior authentication. This means the application must be intelligent enough to determine whether authentication is necessary, and then construct the proper URL to initiate a browser redirect to request authentication; if the application determines none is necessary or uses other authorization mechanisms, then the request for authentication may not need to be triggered. This complex functionality is mostly useful to protect a single URL with different access mechanisms, or to require authenticated access only in instances where the application deems it necessary."

Shibboleth Service Provider, current <RequestMap />:


Lazy session status

With lazy sessions, the Shibboleth attributes are available only after the application itself forces a user login. On this page, authentication is not enforced up front, unlike on the protected demo page.

You are NOT Shibboleth authenticated
Authenticate yourself and see what changes. You will be redirected directly to the Shibboleth Session initiator URL and this will trigger a new Shibboleth session.

To establish the Shibboleth session, you only have to define a link pointing to the Shibboleth Session initiator URL, with the current URL as the target parameter.

Login URL using default IdP: /Shibboleth.sso/Login?target=
Login URL using Discovery Service: /Shibboleth.sso/DS?target=

To invalidate the Shibboleth session, you have to call the Logout URL which will delete the Shibboleth session cookies.

Logout URL: /Shibboleth.sso/Logout?return=/lazy/
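
The application-side logic described above, as an added example that is not part of the original demo page: it decides whether a session exists, then builds the login or logout link with the target percent-encoded and restricted to the application's own host. The host `sp.example.org`, the function names, and the use of the `Shib-Session-ID` request variable as the session indicator are assumptions for illustration.

```python
from urllib.parse import quote, urlsplit

# Handler paths exactly as listed on this page.
LOGIN = "/Shibboleth.sso/Login"
DISCOVERY = "/Shibboleth.sso/DS"
LOGOUT = "/Shibboleth.sso/Logout"


def has_session(environ):
    # Assumption: the SP exports the session id to the application as the
    # request variable "Shib-Session-ID"; it is absent without a session.
    return bool(environ.get("Shib-Session-ID"))


def checked_target(current_url, site_host):
    """Return current_url only if it is an absolute URL on our own host."""
    if "\\" in current_url or any(ord(c) < 0x21 for c in current_url):
        raise ValueError("target contains backslash, space or control char")
    parts = urlsplit(current_url)
    if parts.scheme not in ("http", "https") or parts.hostname != site_host:
        raise ValueError("target is not on this site")
    return current_url


def login_url(current_url, site_host, use_discovery=False):
    handler = DISCOVERY if use_discovery else LOGIN
    # safe="" percent-encodes '/', '?', '&' and '=' so the page's own query
    # string stays inside target= instead of becoming handler parameters.
    return handler + "?target=" + quote(checked_target(current_url, site_host), safe="")


def logout_url(return_path="/lazy/"):
    if not return_path.startswith("/") or return_path.startswith("//"):
        raise ValueError("return must be a local path")
    return LOGOUT + "?return=" + quote(return_path, safe="/")


def session_links(environ, current_url, site_host):
    """Decide, as the lazy-session application must, which links to show."""
    if has_session(environ):
        return {"authenticated": True, "logout": logout_url()}
    return {
        "authenticated": False,
        "login": login_url(current_url, site_host),
        "login_ds": login_url(current_url, site_host, use_discovery=True),
    }
```

Build `current_url` from the application's configured host name rather than from the request's `Host` header, so the host check compares against a value the client cannot set.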
