- In the SP registry, select which attributes your application needs from the IdP.
- Select one of the myriad ways your application can receive attributes from the IdP. (One very valid option is to stop reading this document and learn how to do OpenID Connect in your programming language.)
- If you still want to use a Shibboleth proxy, create an `attribute-map.xml` file with the attributes configured in the SP registry.
Now on to the hairy stuff:
Shibboleth is designed to pass the user attributes retrieved from the IdP by setting them in environment variables. In traditional web server setups, the httpd server process launches a CGI script or uses something like `mod_php` to run the application being served. This does not transfer well into a containerised microservice architecture. If httpd + `mod_shib` is acting as a reverse proxy, there isn't a straightforward way for the application backend to know about httpd's environment variables.

Shibboleth supports transmitting user attributes in HTTP headers instead, but this alternative is vulnerable to spoofing attacks and is discouraged by the Shibboleth documentation. Shibboleth does contain some heuristics to prevent header spoofing, but they are not foolproof and have had vulnerabilities in the past.

Don't use headers if you can avoid it. But if you do, don't use the `ShibUseHeaders` directive. Read this page in the wiki. Basically, you should configure your httpd to overwrite specific browser-supplied headers with values from environment variables set by `mod_shib`.
First, read the university's documentation on implementing single sign-on to gain an accurate overview of the university's offerings and restrictions as well as your options.
Then either:
- Use a SAML or OpenID Connect library in your programming language of choice to implement your authentication directly in your application, or
- Talk to your backend using a protocol which supports passing environment variables with proxied requests. See below.
The Apache web server comes with various `mod_proxy_*` modules, some of which implement a protocol which supports passing environment variables. You may have some success passing user attributes using one of these.

The container image `quay.io/tike/shibboleth-sp-httpd` comes with these relevant modules:
- mod_proxy.so
- mod_proxy_ajp.so
- mod_proxy_fcgi.so
- mod_proxy_http.so
- mod_proxy_http2.so
- mod_proxy_scgi.so
- mod_proxy_uwsgi.so
- mod_proxy_wstunnel.so
The `mod_proxy_ajp` module (Apache JServ Protocol) can be used to pass environment variables. All environment variables prefixed `AJP_` are passed to the backend, with the prefix automatically removed. Adding the `AJP_` prefix to your variable names is left as an exercise to the reader.

`mod_proxy_fcgi` can pass environment variables. The FastCGI protocol is widely implemented in various programming languages.
The Python ecosystem has a protocol called WSGI which supports attaching environment variables to requests. If you set up your Python backend to be served on a WSGI server such as gunicorn or uwsgi, you can use the `mod_proxy_uwsgi` module and something like the following httpd config snippet to pass Shibboleth-authenticated traffic to your backend:

```
ProxyPass /securepath uwsgi://mybackend:myport/
```
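The backend side of the setup above, as an added example that is not part of this page or of the `tike/shibboleth-sp-httpd` project: a small WSGI middleware that reads the Shibboleth attributes only from the environ entries that httpd + `mod_shib` set and the uwsgi protocol forwarded, and deliberately discards any browser-supplied header that mimics them (the `HTTP_*` keys), which is the same spoofing concern raised in the header section above. The attribute ids `eppn` and `affiliation`, the backend names, and the sample environ dictionaries are assumptions constructed for the example; your real ids come from your `attribute-map.xml`.

```python
"""
Added example, not code from the page or the tike/shibboleth-sp-httpd project.

Assumptions (not stated on the page): attribute-map.xml defines the ids
"eppn" and "affiliation", and mod_proxy_uwsgi delivers them to the WSGI
server as environ["eppn"] / environ["affiliation"] next to REMOTE_USER.
"""

# Attribute ids assumed to be configured in attribute-map.xml (constructed).
REQUIRED_ATTRIBUTES = ("eppn", "affiliation")
HEADER_PREFIX = "HTTP_"  # WSGI exposes every browser header as HTTP_<NAME>


def shib_identity(environ):
    """Return {attr: value} built from mod_shib-set environ entries, or None.

    Only un-prefixed keys are consulted: anything under HTTP_ came from the
    client request and could have been spoofed.
    """
    identity = {}
    for attr in REQUIRED_ATTRIBUTES:
        value = environ.get(attr)
        if not value:
            return None
        identity[attr] = value
    identity["REMOTE_USER"] = environ.get("REMOTE_USER") or identity["eppn"]
    return identity


def strip_spoofable_headers(environ):
    """Return a copy of environ without client headers that mimic attribute names.

    A browser can send 'Eppn: admin@example.org', which WSGI exposes as
    environ['HTTP_EPPN']. Dropping those keys means downstream code cannot
    trust them by accident.
    """
    spoof_keys = {HEADER_PREFIX + a.upper() for a in REQUIRED_ATTRIBUTES}
    spoof_keys.add(HEADER_PREFIX + "REMOTE_USER")
    return {k: v for k, v in environ.items() if k not in spoof_keys}


class ShibAuthMiddleware:
    """Require a mod_shib identity; answer 401 when it is absent."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        environ = strip_spoofable_headers(environ)
        identity = shib_identity(environ)
        if identity is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"no Shibboleth session\n"]
        environ["shib.identity"] = identity
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Minimal protected application reading the verified identity."""
    user = environ["shib.identity"]["eppn"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user}\n".encode()]


app = ShibAuthMiddleware(hello_app)


def run_request(environ):
    """Drive the WSGI app without a real uwsgi server; returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    # Constructed environ as httpd + mod_shib + mod_proxy_uwsgi would deliver it.
    genuine = {"REQUEST_METHOD": "GET", "PATH_INFO": "/securepath",
               "REMOTE_USER": "alice@example.org",
               "eppn": "alice@example.org", "affiliation": "staff@example.org"}
    # Constructed environ for a request carrying only browser-supplied headers.
    spoofed = {"REQUEST_METHOD": "GET", "PATH_INFO": "/securepath",
               "HTTP_EPPN": "admin@example.org",
               "HTTP_AFFILIATION": "staff@example.org",
               "HTTP_REMOTE_USER": "admin@example.org"}
    print(run_request(genuine))  # ('200 OK', 'hello alice@example.org\n')
    print(run_request(spoofed))  # ('401 Unauthorized', 'no Shibboleth session\n')
```

Wrap your real application object in `ShibAuthMiddleware` and point uwsgi at it; the `ProxyPass` line above then ensures only httpd reaches the backend, and the middleware ensures only attributes that travelled in the uwsgi environ, never in request headers, are treated as the authenticated identity.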
Some links in no particular order: