/secure¶

We have a generic directory for protected resources, it is called /secure. If you do not supply any path the shib_test.pl will be run. In our case it is served by apache (but the protection is in nginx)

apache conf

  RewriteRule ^/secure$ /secure/ [R,NE,L]
  <Location /secure>
    Options +ExecCGI
    AddHandler cgi-script .pl
    DirectoryIndex shib_test.pl
    AddHandler cgi-script .py
  </Location>

The shib_test.pl script basically goes through the headers/env and checks whether you have the required ones.
The script allows some customization (if your shibboleth exports under different names) http://clarin.eu/content/testing-which-attributes-identity-provider-releases.
The script might "wrongly" report missing attributes in certain setups https://trac.clarin.eu/ticket/743