Do you know if it is possible to use Nginx with Shibboleth?
3 Answers
Not until FastCGI supports "authorizer" mode. The Shibboleth 2 documentation describes a FastCGI SP application but explains that it doesn't work with Nginx because it lacks the "authorizer" mode needed for the filter.
An Nginx thread shows that many people want the "authorizer" mode but it's too difficult to implement. When people try they give up.
Poster Alex on this Rails thread shares Ruby code for Shibboleth auth but appears to have used Apache. Other posters using Nginx still couldn't make it work.
Yes, it's possible. Install and configure the nginx-http-shibboleth module for nginx, which provides the ability for nginx to understand the parts of the FastCGI authorizer spec which nginx can support; enough for Shibboleth authentication to succeed. Your installation will require a FastCGI build of the Shibboleth Service Provider (SP) and appropriate configuration of nginx to communicate with the shibauthorizer and shibresponder FastCGI applications.
All backend applications and environments can be supported in some manner, assuming they support either HTTP headers or environment variables set from nginx. Passing Shibboleth attributes to your application is either via nginx environment variables (via shib_request_set) or else via shib_request_use_headers on; for HTTP headers (be careful of spoofing). I've never used Passenger to host an app, but in your case, it appears you could use passenger_env_var and shib_request_set to get Shibboleth attributes into your application.
The full setup process is found in the GitHub repository at https://github.com/nginx-shib/nginx-http-shibboleth.
Disclaimer: I am the current maintainer of that module.
Note: this module supersedes all previous blog posts or wiki entries I might have written previously.
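The two ways of passing attributes described in the answer above, as an added configuration sketch that is not part of the original answer or taken from the module's repository. The socket paths, location names, backend address and attribute names (commonName, mail) are assumptions, and `more_clear_input_headers` comes from the separate headers-more nginx module, which is assumed to be installed.

```nginx
# Constructed example; these location blocks belong inside a server { } block.

# FastCGI authorizer: "internal" keeps clients from calling it directly.
location = /shibauthorizer {
    internal;
    include fastcgi_params;
    fastcgi_pass unix:/run/shibboleth/shibauthorizer.sock;   # assumed path
}

# FastCGI responder: serves the SP's /Shibboleth.sso endpoints.
location /Shibboleth.sso {
    include fastcgi_params;
    fastcgi_pass unix:/run/shibboleth/shibresponder.sock;    # assumed path
}

# Option 1: attributes as nginx variables (shib_request_set).
# The values come only from the authorizer's response, so a client-supplied
# request header cannot influence them.
location /app-env {
    shib_request /shibauthorizer;
    shib_request_set $shib_commonname $upstream_http_variable_commonname;
    shib_request_set $shib_mail       $upstream_http_variable_mail;

    include fastcgi_params;
    fastcgi_param COMMONNAME $shib_commonname;
    fastcgi_param MAIL       $shib_mail;
    fastcgi_pass unix:/run/app/app.sock;                     # assumed backend
}

# Option 2: attributes as HTTP request headers (shib_request_use_headers).
# Strip any same-named headers sent by the client first; otherwise a request
# carrying its own "mail" or "Remote-User" header could reach the backend
# looking like an asserted attribute.
location /app-headers {
    more_clear_input_headers 'commonName' 'mail' 'Remote-User' 'Shib-*';
    shib_request /shibauthorizer;
    shib_request_use_headers on;
    proxy_pass http://127.0.0.1:8080;                        # assumed backend
}
```

With option 2, the list of cleared headers has to cover every attribute the SP is configured to release, so it needs updating whenever the attribute map changes.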
I haven't yet tried this myself, but check out David Beitey's entries on the Shibboleth wiki.
Welcome to Server Fault! Please add relevant excerpts from the link that address the question. Link only answers are frowned upon here. – squillman Nov 27 '13 at 18:45