Re: RE: idp - x509 auth behind nginx

Ilya Rumyantsev iliggio at gmx.de
Fri Nov 16 08:05:55 EST 2018


Hi Stephen, thank you for the help, it is the solution for me. I just don't understand one thing:
For now I am extracting the dn in my `attribute-resolver.xml` in the way that I can use it in the ldap connector:


  <AttributeDefinition
      id="dnFromCert"
      xsi:type="ScriptedAttribute">
    <Script><![CDATA[
    try {
        // Principals of the authenticated subject; the X.500 principal's
        // string form is the certificate subject DN.
        var pubCreds = subjects[0].getPrincipals().toArray();
        for (var i = 0; i < pubCreds.length; i++) {
            if (pubCreds[i].toString().startsWith("CN=")) {
                dnFromCert.addValue(pubCreds[i].toString());
                // stop after the first principal that carries a DN
                break;
            }
        }
    }
    catch (err) {
        // placeholder fallback value if no subject/principal is available
        dnFromCert.addValue("xyz");
    }
    ]]></Script>
  </AttributeDefinition>

Assuming I pass the DN in the HTTP header, will it then be available as a variable in `attribute_resolver`?

Thanks a lot,
Ilya


> Sent: Friday, 16 November 2018 at 11:54
> From: "Losen, Stephen C (scl)" <scl at virginia.edu>
> To: "Shib Users" <users at shibboleth.net>
> Subject: RE: idp - x509 auth behind nginx
>
> Hi Ilya,
> 
> I suggest that you use authn/RemoteUser on the IDP and have nginx extract the username from the client cert and pass it to the IDP in an HTTP header.  I'm not familiar with nginx, but if it works anything like Apache httpd, then client cert data is loaded into variables, which the web server can filter and pass in HTTP headers to the IDP.  Or if your proxy uses AJP then you may be able to pass the username in the REMOTE_USER variable (not sure how).
> 
> Refer to the IDP wiki for authn/RemoteUser documentation.
>   
> https://wiki.shibboleth.net/confluence/display/IDP30/RemoteUserAuthnConfiguration
> 
> When you enable authn/RemoteUser, the IDP redirects the browser to /idp/Authn/RemoteUser and expects the subsequent browser request to provide the username.
> 
> You configure nginx to require a client cert at the location /idp/Authn/RemoteUser and pass the username (taken from the client cert) to the IDP via the proxy.  Configure authn/RemoteUser on the IDP to fetch the username from REMOTE_USER or else from an HTTP header of your invention, such as "X-Remote-User".
> 
> Beware that HTTP headers are trivial to forge and that the IDP will blindly trust your header.  So ensure that all access to /idp/Authn/RemoteUser goes through nginx and that nginx removes any forged headers from the incoming browser request.
> 
> Stephen C. Losen
> ITS - Systems and Storage
> University of Virginia
> scl at virginia.edu    434-924-0640
> 
> 
> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Ilya Rumyantsev
> Sent: Friday, November 16, 2018 4:51 AM
> To: users at shibboleth.net
> Subject: idp - x509 auth behind nginx
> 
> Hi all, I could not find any documentation on how to establish the x509 client login with a reverse proxy. 
> I would like the nginx to handle the x509 client login. 
> 
> What headers would I need to pass to the shibboleth idp running in a tomcat container? I just found a snippet from the very old apache config:
> 
>   <Location /idp/Authn/X509>
>     SSLVerifyClient require
>     SSLVerifyDepth 10
>     SSLOptions -StdEnvVars +ExportCertData
>   </Location>
> 
> The certificate needs to be evaluated by Shibboleth.
> 
> Thanks a lot
> -- 
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
> 
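The RemoteUser setup Stephen describes in the quoted reply, written out as an added nginx configuration example (this is not from the thread or from the Shibboleth project): a verified client certificate is demanded only for the RemoteUser endpoint, the certificate's subject DN is handed to the IdP as X-Remote-User, and any X-Remote-User header arriving from the browser is dropped on every proxied path. The hostname, certificate paths and the loopback Tomcat address are placeholders; the header name X-Remote-User is the one suggested in the reply.

```nginx
# Added example, not from the thread: nginx in front of a Tomcat-hosted IdP.
# idp.example.org, the file paths and 127.0.0.1:8080 are placeholders.
server {
    listen 443 ssl;
    server_name idp.example.org;

    ssl_certificate     /etc/nginx/tls/idp.example.org.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/idp.example.org.key;   # placeholder

    # ssl_verify_client is a server-level directive, so it cannot be
    # switched to "on" for a single location. It is made optional here and
    # enforced below, only for the RemoteUser endpoint.
    ssl_client_certificate /etc/nginx/tls/client-ca-bundle.pem;  # CA(s) issuing user certs
    ssl_verify_client optional;
    ssl_verify_depth 10;

    # Default IdP path: never forward a browser-supplied X-Remote-User.
    # proxy_set_header with an empty value removes the header entirely.
    location /idp/ {
        proxy_set_header X-Remote-User "";
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
    }

    # RemoteUser endpoint: reject requests without a successfully verified
    # client certificate, then set the header from the certificate subject
    # DN. proxy_set_header replaces any same-named header from the client.
    location ^~ /idp/Authn/RemoteUser {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_set_header X-Remote-User $ssl_client_s_dn;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Two practical points behind this layout. Stephen's warning about forged headers only holds if Tomcat is not reachable except through nginx, which is why the upstream is bound to loopback here; a Tomcat connector listening on a public interface would accept the header from anyone. And the value of $ssl_client_s_dn changed format in nginx 1.11.6 (RFC 2253 style, "CN=...,OU=...", in place of the older slash-separated form, which is still available as $ssl_client_s_dn_legacy), so whatever the IdP or its attribute resolver does with the DN must expect the format of the nginx version actually deployed.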

