nginx-shib / nginx-http-shibboleth

Shibboleth auth request module for nginx
https://github.com/nginx-shib/nginx-http-shibboleth/wiki

Trouble getting upstream_http_variable_* #52

Closed MolbioUnige closed 1 year ago

MolbioUnige commented 1 year ago

Hi, I am quite new in this field, so I'm not sure where the problem is, here, nginx or shibboleth.

In the example you give, what is the expected behaviour when one reaches the /secure location without being authenticated? Should it get redirected to the authentication page? This is not what I get.

Once authenticated, I don't seem to have any values in any $upstream_http_variable_* that correspond to the attributes I should have. Is that the expected behaviour?

I've created a secure location as such:

  1     location = /shibauthorizer {
  2         internal;
  3         include fastcgi_params;
  4         fastcgi_pass unix:/var/run/shibboleth/shibauthorizer.sock;
  5     }
  6
  7     location /Shibboleth.sso {
  8         include fastcgi_params;
  9         fastcgi_pass unix:/var/run/shibboleth/shibresponder.sock;
 10     }
 11
 12     location  /secure {
 13         shib_request /shibauthorizer;
 14         include shib_fastcgi_params;
 15         shib_request_set $shib_givenname 'damned';
 16         shib_request_set $shib_email $upstream_http_variable_mail;
 17         include fastcgi_params;
 18         fastcgi_param GIVEN_NAME $shib_givenname;
 19         fastcgi_param EMAIL $shib_email;
 20         fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
 21         fastcgi_pass unix:/run/php/php8.1-fpm.sock;
 22         fastcgi_index index.php;
 23     }

On line 16, I'm trying to get the mail value of the identity, but the variable is empty, line 2 here below.

To check if shib_request_set is working, on line 15, I give it a value and it gets passed as FastCGI_param to php, line 3 here below.

Here below is the relevant part dumped by phpinfo():

 1         $_SERVER['SCRIPT_FILENAME'] | /var/www/html/secure/index.php
 2         $_SERVER['EMAIL'] | no value
 3         $_SERVER['GIVEN_NAME'] | damned
 4         $_SERVER['REDIRECT_STATUS'] | 200

Here below is the output of /Shibboleth.sso/Session:

Miscellaneous
Session Expiration (barring inactivity): 472 minute(s)
Client Address: 10.194.56.230
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: https://test.eduid.ch/idp/shibboleth
Authentication Time: 2022-09-14T12:59:17.712Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)

Attributes
Meta-displayName: SWITCH edu-ID [Test]
Meta-homeOrganization: test.eduid.ch
Meta-homeOrganizationType: others
Meta-informationURL: https://projects.switch.ch/eduid/
Meta-largeLogo: 
Meta-organizationURL: http://www.test.eduid.ch/
Meta-smallLogo: 
affiliation: affiliate
eduPersonUniqueId: 0000293610470932@test.eduid.ch
givenName: Justin
homeOrganization: test.eduid.ch
mail: my.email@unige.ch
persistent-id: https://test.eduid.ch/idp/shibboleth!https://my.test.domain/shibboleth!CS5TCRFMX2NJIUDALJEGS2EUHVFQEH4M
surname: Pticou
uniqueID: 0000293610470932@test.eduid.ch

Any help would be appreciated.
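The naming chain being debugged in this issue runs from a Shibboleth attribute, through the response header the FastCGI authorizer emits, to the nginx variable read in `shib_request_set`, and finally to the FastCGI param the PHP app sees. The script below is an added example (not code from the issue or from the nginx-http-shibboleth project) that makes that chain explicit and parses the phpinfo()-style dump quoted above to list which params arrived empty. It assumes nginx's documented rule for `$upstream_http_*` (header name lower-cased, `-` replaced by `_`) and the `Variable-<attribute>` header prefix implied by the `$upstream_http_variable_mail` name used in the issue; the dump lines are a constructed copy of the format pasted above.

```python
"""Added example: trace attribute -> header -> nginx variable -> FastCGI param,
and report which expected params the PHP side received empty."""
import re


def nginx_upstream_variable(header_name: str) -> str:
    """nginx exposes each response header of the auth subrequest as
    $upstream_http_<name>, with the name lower-cased and '-' turned into '_'."""
    return "$upstream_http_" + header_name.lower().replace("-", "_")


def attribute_variable(attribute: str) -> str:
    """Assumption (matches the issue's own variable name): the Shibboleth
    FastCGI authorizer exports attribute <attribute> as header 'Variable-<attribute>'."""
    return nginx_upstream_variable("Variable-" + attribute)


# Constructed copy of the phpinfo() lines pasted in the issue.
PHPINFO_DUMP = """\
$_SERVER['SCRIPT_FILENAME'] | /var/www/html/secure/index.php
$_SERVER['EMAIL'] | no value
$_SERVER['GIVEN_NAME'] | damned
$_SERVER['REDIRECT_STATUS'] | 200
"""

_LINE = re.compile(r"^\$_SERVER\['([^']+)'\]\s*\|\s*(.*)$")


def parse_phpinfo_server(dump: str) -> dict:
    """Parse "$_SERVER['KEY'] | value" lines into a dict.
    phpinfo() prints the literal text 'no value' for an empty param; map that to ''."""
    result = {}
    for line in dump.splitlines():
        m = _LINE.match(line.strip())
        if m:
            key, value = m.group(1), m.group(2).strip()
            result[key] = "" if value == "no value" else value
    return result


def missing_params(server: dict, expected: dict) -> list:
    """Return the expected FastCGI params (param -> attribute) that are absent or empty.
    A relying application should treat an empty attribute as 'not supplied' and
    fail closed rather than use it as an identity value."""
    return sorted(p for p in expected if not server.get(p))


# FastCGI param name -> Shibboleth attribute, as wired in the issue's config.
EXPECTED = {"EMAIL": "mail", "GIVEN_NAME": "givenName"}


if __name__ == "__main__":
    server = parse_phpinfo_server(PHPINFO_DUMP)
    for param, attr in EXPECTED.items():
        print(f"{param:<12} <- {attribute_variable(attr):<36} value={server.get(param)!r}")
    print("empty params:", missing_params(server, EXPECTED))
```

Run as-is it reports `EMAIL` as the only empty param, which is the symptom described above: `GIVEN_NAME` proves `shib_request_set` and `fastcgi_param` are wired correctly, so the gap is between the authorizer's response headers and `$upstream_http_variable_mail`, not in the PHP side.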

MolbioUnige commented 1 year ago

It didn't occur to me to check closed issues. I can see that some of the closed issues might answer my questions.