shibboleth: use proxy-supplied request header #2443

Merged

Contributor

@jrchamp jrchamp commented Jun 24, 2024

Mojolicious does not have access to the environment variables supplied by the httpd module which connects to the Shibboleth service provider. Instead, using httpd as a reverse proxy allows for us to provide the user_id via a request header. For security, we forcibly unset any pre-existing request header with the name we plan to use and then only set the request header when it is available from the original httpd environment variable.

<Location "/">
        # Shibboleth lazy-loading sessions.
        AuthType shibboleth
        ShibRequestSetting requireSession 0
        require shibboleth

        RequestHeader unset eppn
        RequestHeader set eppn %{eppn}e env=eppn
</Location>

If you have any questions, concerns or suggestions, please let me know.

Fixes #2286
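
Added example, not part of the pull request or the WeBWorK code: a simplified Python model of the two RequestHeader directives above, showing what a backend that trusts the eppn header sees when the unset line is missing and a request arrives without a Shibboleth session. The function names, rule format and sample addresses are constructed for illustration.

```python
# Simplified model (added example) of how mod_headers applies the two
# RequestHeader directives from the PR before the request is proxied.
# It models only "unset" and "set ... env=VAR" with a "%{VAR}e" value.

def apply_rules(client_headers, env, rules):
    """Return the headers the backend would see after the proxy's rules."""
    # HTTP header names are case-insensitive, so normalise to lower case.
    headers = {name.lower(): value for name, value in client_headers.items()}
    for rule in rules:
        action, name = rule["action"], rule["name"].lower()
        if action == "unset":
            headers.pop(name, None)
        elif action == "set":
            # "env=VAR": the directive only fires when VAR exists.
            if rule["env"] in env:
                headers[name] = env[rule["env"]]
    return headers

# Only the conditional set, without the unconditional unset (weak variant).
SET_ONLY = [{"action": "set", "name": "eppn", "env": "eppn"}]
# The two directives as they appear in the PR description.
UNSET_THEN_SET = [{"action": "unset", "name": "eppn"}] + SET_ONLY

# Constructed sample requests. With lazy sessions (requireSession 0) a
# request without a Shibboleth session has no eppn environment variable.
NO_SESSION_ENV = {}
SESSION_ENV = {"eppn": "alice@example.edu"}
CLIENT_SUPPLIED = {"EPPN": "someone-else@example.edu"}

def backend_user(client_headers, env, rules):
    """The identity a backend that trusts the eppn header would see."""
    return apply_rules(client_headers, env, rules).get("eppn")

if __name__ == "__main__":
    for label, rules in (("set only", SET_ONLY), ("unset + set", UNSET_THEN_SET)):
        for env in (NO_SESSION_ENV, SESSION_ENV):
            print(label, "session" if env else "no session",
                  "->", backend_user(CLIENT_SUPPLIED, env, rules))
```

The model covers only header handling at the proxy; it assumes the backend accepts connections solely from that proxy.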

Member

@drgrice1 drgrice1 left a comment

This looks good to me. I have no way to test this, but I will trust that it works for you. It can't be any worse than the current state of affairs!

Member

@pstaabp pstaabp left a comment

I can't test it, but I'll approve it.

Contributor Author

jrchamp commented Jun 25, 2024

@xcompass @juu7nitw23 In case you have time to test this update for the Shibboleth authen in the Mojolicious versions of WeBWorK.

@juu7nitw23

Thanks. I will try to see if I can test it next week.

@drgrice1
Member

We are just going to merge this. If further changes are made, a new pull request can be made.

@drgrice1 drgrice1 merged commit 54efd73 into openwebwork:WeBWorK-2.19 Jun 25, 2024
2 checks passed
@jrchamp jrchamp deleted the feature/shibboleth-proxy-header branch June 25, 2024 19:41