Shibboleth Shim Filter

The ShibShimFilter jar provides an authentication service to applications running in a servlet container by using an intermediate "shim" server between the application and the Shibboleth authentication system. See http://shibboleth.internet2.edu for more information about Shibboleth.

If the filter decides that a request to the application requires a Shibboleth session, it redirects the browser to the Shibboleth Shim server.

Once the login has been completed, the Shibboleth Shim server issues a POST redirect back to the local Assertion Consumer Service path. This POST request contains the attribute assertion and a digital signature. The filter parses the attributes, verifies the signature, and stores the attributes in an object in the context's session.

The browser is then redirected to the original, desired URL.

For this and subsequent requests, the filter delivers Shibboleth attributes as HTTP headers, and optionally as the remote user.
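
The signature check from the POST step above, as an added example that is not the ShibShimFilter's own code. The page does not give the assertion format or the signature algorithm, so the Base64 form fields, the name=value line format, SHA256withRSA and the class and method names are all assumptions. It verifies the signature over the raw bytes received before any attribute is parsed or stored.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

// Added illustration; wire format and algorithm are assumptions, not the filter's own.
public class ShimAssertionCheck {

    // Verify the signature over the exact bytes received, and only then parse them.
    static Map<String, String> verifyAndParse(String assertionB64, String signatureB64,
                                              PublicKey shimKey) throws GeneralSecurityException {
        byte[] assertion = Base64.getDecoder().decode(assertionB64);
        byte[] signature = Base64.getDecoder().decode(signatureB64);
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(shimKey);
        verifier.update(assertion);
        if (!verifier.verify(signature)) {
            throw new SignatureException("assertion signature does not verify");
        }
        // Hypothetical wire format: one "name=value" pair per line.
        Map<String, String> attrs = new LinkedHashMap<>();
        for (String line : new String(assertion, StandardCharsets.UTF_8).split("\n")) {
            int eq = line.indexOf('=');
            if (eq > 0) attrs.put(line.substring(0, eq), line.substring(eq + 1));
        }
        return Collections.unmodifiableMap(attrs);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a throwaway key pair stands in for the shim server's key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair shim = gen.generateKeyPair();
        byte[] assertion = "eppn=alice@example.edu\naffiliation=staff".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(shim.getPrivate());
        signer.update(assertion);
        String sigB64 = Base64.getEncoder().encodeToString(signer.sign());
        String good = Base64.getEncoder().encodeToString(assertion);
        System.out.println(verifyAndParse(good, sigB64, shim.getPublic()));
        // Same signature over a modified attribute value: must be rejected.
        String bad = Base64.getEncoder().encodeToString(
                "eppn=admin@example.edu\naffiliation=staff".getBytes(StandardCharsets.UTF_8));
        try {
            verifyAndParse(bad, sigB64, shim.getPublic());
        } catch (SignatureException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Only the map returned after a successful verification should reach the session object; a request that fails the check is rejected without creating a session.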

The following is a UML sequence diagram outlining the process of logging in using the Shibboleth Shim.