The Lambda receives a url for the Shib Handler with the request headers. It can use this to return an html response that includes a login redirect for restricted media requests that have no existing login session.
Another option might be to offload the login redirect to a custom apache error page, if apache has enough information in the request to generate the login redirect itself. In this scenario, the Lambda might return a 401 Unauthorized status code, which is arguable more correct because it specifically means a request for restricted content that came with no authorization session information. Then apache might be configured to respond to 401 errors with a custom page that included the login redirect.
The Lambda receives a url for the Shib Handler with the request headers. It can use this to return an html response that includes a login redirect for restricted media requests that have no existing login session.
Another option might be to offload the login redirect to a custom apache error page, if apache has enough information in the request to generate the login redirect itself. In this scenario, the Lambda might return a 401 Unauthorized status code, which is arguable more correct because it specifically means a request for restricted content that came with no authorization session information. Then apache might be configured to respond to 401 errors with a custom page that included the login redirect.