Can env vars be referenced in shibboleth2.xml?

Ryan Larscheidt larscheidt at wisc.edu
Mon Oct 5 21:19:12 UTC 2020 

We've had success using envsubst (provided by gettext on CentOS 8) to do token replacement of shibboleth2.xml, we have the following in the init step for our containers:

# Perform one-time token replacement on shibboleth2.xml
if [ ! -f /etc/shibboleth/shibboleth2.xml.done ]; then
    # Make a copy of shibboleth2.xml for token replacement input
    cp /etc/shibboleth/shibboleth2.xml /etc/shibboleth/shibboleth2.xml.in

    # Do token substitution
    envsubst < /etc/shibboleth/shibboleth2.xml.in > /etc/shibboleth/shibboleth2.xml

    # Remove input file
    rm /etc/shibboleth/shibboleth2.xml.in

    # Touch done file so this only runs once
    touch /etc/shibboleth/shibboleth2.xml.done
fi

________________________________
From: users <users-bounces at shibboleth.net> on behalf of Wessel, Keith <kwessel at illinois.edu>
Sent: Thursday, October 1, 2020 11:58
To: Shib Users <users at shibboleth.net>
Subject: RE: Can env vars be referenced in shibboleth2.xml?

Apache clearly assumes that the use of env vars is up to each module. Kind of silly that there's not a fallback case, but I suppose they could argue it's more secure this way.

At any rate, I'm perfectly happy with my sed commands on container boot. So, I've no motivation to make this a feature request.

Thanks, Scott and Peter, for the guidance on this one.

Keith


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Thursday, October 1, 2020 11:43 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Can env vars be referenced in shibboleth2.xml?

On 10/1/20, 12:28 PM, "users on behalf of Peter Schober" <users-bounces at shibboleth.net on behalf of peter.schober at univie.ac.at> wrote:

>    This does sound a bit involved:

Yes, it's clearly not what I assumed. Basically it's the same thing...I don't support env replacement and neither does Apache in any meaningful sense. So it becomes a case of how far down the stack before somebody agrees to implement it. I just assumed they had.

I have enough indirection now with a lot of (but not all) settings that I could implement some degree of it but it would be hit or miss where it worked and difficult to document all the cases.

Honestly pre-processing the XML itself with some other template language is probably the best direction.

-- Scott


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20201005/eb0a6c2c/attachment.htm>

More information about the users mailing list