nginx-shib / nginx-http-shibboleth

Shibboleth auth request module for nginx
https://github.com/nginx-shib/nginx-http-shibboleth/wiki

NGINX not passing Shibboleth session variables in header #27

Closed NchemIcaLS closed 6 years ago

NchemIcaLS commented 6 years ago

Description of Issue/Question

I want to use this plugin (Shibboleth) for WordPress. I have compiled NGINX using this module and it connects to the Shibboleth provider. I am able to generate a session, log in and log out. The problem is that the plugin is not able to take the session variables and create an account. Instead, when I attempt to log in, it always loops back to the Shibboleth authentication.

I think the problem is that NGINX does not pass the Shibboleth session variables in the header. The reason I believe this is that when I var_dump $_SERVER in PHP, it does not contain any Shibboleth data. Does anyone have any tips on how I could do this or debug this further? I am happy to post any config files or logs if needed.

Any help is greatly appreciated.

Setup

Shibboleth Session

Miscellaneous
Session Expiration (barring inactivity): 479 minute(s)
Client Address: 217.162.50.39
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: (Removed)
Authentication Time: 2017-09-08T07:17:29.717Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)

Attributes
givenName: 1 value(s)
homeOrganization: 1 value(s)
mail: 1 value(s)
persistent-id: 1 value(s)
studyBranch3: 1 value(s)
surname: 1 value(s)

NGINX Shibboleth Conf

# FastCGI authorizer for Shibboleth Auth Request module
location = /shibauthorizer {
        internal;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/shibboleth/shibauthorizer.sock;
}

# FastCGI responder
location /Shibboleth.sso {
        include fastcgi_params;
        fastcgi_pass unix:/var/run/shibboleth/shibresponder.sock;
}

# Resources for the Shibboleth error pages. This can be customised.
location /shibboleth-sp {
        alias /usr/share/shibboleth/;
}

# Using the ``shib_request_set`` directive, we can introduce attributes as
# environment variables for the backend application. In this example, we
# set ``fastcgi_param`` but this could be any type of Nginx backend that
# supports parameters (by using the appropriate *_param option)
#
# The ``shib_fastcgi_params`` is an optional set of default parameters,
# available in the ``includes/`` directory in this repository.
#
# Choose this type of configuration unless your backend application
# doesn't support server parameters or specifically requires headers.
location /secure {
        shib_request /shibauthorizer;
        include snippets/shib_fastcgi_params;

        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}

# A secured location. All incoming requests query the Shibboleth FastCGI authorizer.
# Watch out for performance issues and spoofing!
#
# Choose this type of configuration for ``proxy_pass`` applications
# or backends that don't support server parameters.
#location /secure {
        #shib_request /shibauthorizer;
        #shib_request_use_headers on;

        # Attributes from Shibboleth are introduced as headers by the FastCGI
        # authorizer so we must prevent spoofing. The
        # ``shib_clear_headers`` is a set of default header directives,
        # available in the `includes/` directory in this repository.
        #include snippets/shib_clear_headers;
        #more_clear_input_headers 'affiliation' 'givenName' 'mail' 'persistent-id' 'homeOrganization';

        # This backend application will receive Shibboleth variables as request
        # headers (from Shibboleth's FastCGI authorizer)
        #proxy_pass http://localhost:443;
#}

NGINX Shib FastCGI Params

# vim: set filetype=conf :

# Replace `fastcgi_param` with `scgi_param`, `uwsgi_param` or a similar
# directive for use with different upstreams. Consult the relevant upstream
# documentation for more information on environment parameters.
#
# Auth-Type is configured as authType in
# https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings.
# Other default SP variables are as per
# https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess#NativeSPAttributeAccess-CustomSPVariables

shib_request_set $shib_auth_type $upstream_http_variable_auth_type;
fastcgi_param Auth-Type $shib_auth_type;

shib_request_set $shib_shib_application_id $upstream_http_variable_shib_application_id;
fastcgi_param Shib-Application-ID $shib_shib_application_id;

shib_request_set $shib_shib_authentication_instant $upstream_http_variable_shib_authentication_instant;
fastcgi_param Shib-Authentication-Instant $shib_shib_authentication_instant;

shib_request_set $shib_shib_authentication_method $upstream_http_variable_shib_authentication_method;
fastcgi_param Shib-Authentication-Method $shib_shib_authentication_method;

shib_request_set $shib_shib_authncontext_class $upstream_http_variable_shib_authncontext_class;
fastcgi_param Shib-AuthnContext-Class $shib_shib_authncontext_class;

shib_request_set $shib_shib_authncontext_decl $upstream_http_variable_shib_authncontext_decl;
fastcgi_param Shib-AuthnContext-Decl $shib_shib_authncontext_decl;

shib_request_set $shib_shib_identity_provider $upstream_http_variable_shib_identity_provider;
fastcgi_param Shib-Identity-Provider $shib_shib_identity_provider;

shib_request_set $shib_shib_session_id $upstream_http_variable_shib_session_id;
fastcgi_param Shib-Session-ID $shib_shib_session_id;

shib_request_set $shib_shib_session_index $upstream_http_variable_shib_session_index;
fastcgi_param Shib-Session-Index $shib_shib_session_index;

shib_request_set $shib_remote_user $upstream_http_variable_remote_user;
fastcgi_param Remote-User $shib_remote_user;

# Uncomment any of the following core attributes. Consult your Shibboleth
# Service Provider (SP) attribute-map.xml file for details about attribute
# IDs.  Add additional directives for any Shibboleth attributes released to
# your SP.

shib_request_set $shib_affiliation $upstream_http_variable_affiliation;
fastcgi_param affiliation $shib_affiliation;

shib_request_set $shib_givenName $upstream_http_variable_givenName;
fastcgi_param givenName $shib_givenName;

shib_request_set $shib_homeOrganization $upstream_http_variable_homeOrganization;
fastcgi_param homeOrganization $shib_homeOrganization;

shib_request_set $shib_mail $upstream_http_variable_mail;
fastcgi_param mail $shib_mail;

shib_request_set $shib_persistent_id $upstream_http_variable_persistent_id;
fastcgi_param persistent-id $shib_persistent_id;

shib_request_set $shib_studyBranch3 $upstream_http_variable_studyBranch3;
fastcgi_param studyBranch3 $shib_studyBranch3;

shib_request_set $shib_surname $upstream_http_variable_surname;
fastcgi_param surname $shib_surname;

Versions and Systems

nginx/1.10.3 shibboleth 2.6.0

X-Post
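As an added example (not code from the nginx-http-shibboleth project or from this report), a small Python lint that reads a location block of the shape shown above and checks each session attribute for the two things that decide whether the backend sees it safely: a shib_request_set capture paired with a *_param export, and, when shib_request_use_headers is on, an entry in more_clear_input_headers so a client cannot forge the header. The config text and attribute list below are constructed from the snippets in this issue.

```python
"""Lint an nginx-http-shibboleth location for missing attribute exports and header spoofing."""
import re
from typing import Dict, List

# Constructed sample in the shape of the /secure blocks above (not the reporter's exact config).
SAMPLE_CONF = """
location /secure {
    shib_request /shibauthorizer;
    shib_request_use_headers on;
    more_clear_input_headers 'givenName' 'mail';
    shib_request_set $shib_givenName $upstream_http_variable_givenName;
    fastcgi_param givenName $shib_givenName;
    shib_request_set $shib_mail $upstream_http_variable_mail;
    fastcgi_param mail $shib_mail;
    shib_request_set $shib_surname $upstream_http_variable_surname;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
"""
# Attribute ids taken from the session dump in the report (constructed subset).
SAMPLE_ATTRS = ["givenName", "mail", "surname", "persistent-id"]

SET_RE = re.compile(r"shib_request_set\s+(\$\w+)\s+\$upstream_http_variable_(\w+)\s*;")
PARAM_RE = re.compile(r"(?:fastcgi|scgi|uwsgi)_param\s+[\w-]+\s+(\$\w+)\s*;")
CLEAR_RE = re.compile(r"more_clear_input_headers\s+([^;]+);")

def norm(name: str) -> str:
    """nginx exposes header 'Variable-persistent-id' as $upstream_http_variable_persistent_id."""
    return name.lower().replace("-", "_")

def lint_shib_location(conf: str, session_attrs: List[str]) -> List[str]:
    """Return findings; an empty list means every attribute is captured, exported and unspoofable."""
    findings: List[str] = []
    # Variables filled from the authorizer's Variable-* headers, keyed by normalised attribute id
    captured: Dict[str, str] = {norm(attr): var for var, attr in SET_RE.findall(conf)}
    # Variables actually handed to the backend as server parameters
    exported = set(PARAM_RE.findall(conf))
    for attr in session_attrs:
        var = captured.get(norm(attr))
        if var is None:
            findings.append(f"{attr}: no shib_request_set, attribute is never captured")
        elif var not in exported:
            findings.append(f"{attr}: captured in {var} but no *_param passes it to the backend")
    # Header mode forwards the authorizer's headers, so any name the client could
    # forge must be stripped from the incoming request (the spoofing caveat in the config).
    if re.search(r"shib_request_use_headers\s+on\s*;", conf):
        cleared = {norm(h.strip("'\"")) for grp in CLEAR_RE.findall(conf) for h in grp.split()}
        findings += [f"{a}: header mode on but not in more_clear_input_headers (spoofable)"
                     for a in session_attrs if norm(a) not in cleared]
    return findings
```

Run it against a real location block and the attribute list from the SP's session page; every attribute that shows up in the findings is one that $_SERVER will not carry or that a client could supply itself.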