Shibboleth for Publishers

Peter Schober peter.schober at
Thu Oct 17 07:06:31 EDT 2019

* Nikita Bernstein <nikitab at> [2019-10-16 21:21]:
> We are looking to implement Shibboleth at JOMI ( and are having a
> hard time finding implementation guidelines for publishers.  Could someone
> please direct me?

>From a short off-list exchange we've etablished that the protected
resource is "a MERN stack on a Linux server", where "MERN" seems to
stand for MongoDB, Express, React, Node.js.

>From what I can tell this means having either node or a
special-purpose process manager (such as pm2 or StrongLoop) listen to
HTTP requests directly, though everything may also be reverse-proxied
by a web server, often Nginx.

Even if this doesn't seem like the ideal environment to introduce the
Shibboleth SP into it can certainly be done, e.g. when using Nginx by
using Shibboleth's FastCGI support with the add-on module:
This is assumes that the whole application will be reverse proxied by
Nginx, i.e. requests MUST NOT reach node or the process manager's HTTP
listener directly. (That's very likely a sane recommendation for a
production setup anyway.)
Swapping out Nginx (or newly introducing, if no production-grade web
server is part of the stack currently) Apache httpd as reverse proxy
may also be possible but will likely require more careful testing
(because AFAIK httpd doesn't buffer requests and may or may not allow
caching). OTOH you avoid having to compile Nginx from source (or use
their binary packages) in order to use the above 3rd party module,

Though that may not be all that needs to be considered: The
application may also run on the client-side and use an API to
communicate with the server?
If that's the case then much of this (again) depends on the specifics
of the application and/or its framework. See this post for one answer:
and this one for another:

If anything (or everything) above is unclear please ask specific
questions about what is unclear and how.
I don't know what you don't know, so we'll have to iterate.


More information about the users mailing list