[shib_auth] Shib_Auth with Drupal + Nginx?

Michael MacDonald macado at gmail.com
Fri May 13 17:27:50 CEST 2016


Hi Kristof

Thanks for the additional information.  Looks like I was able to figure it out,
but I'm posting here in case anyone has any interest in doing this in the
future.  I couldn't find any other information on the Internet about it, so
I'll write up a quick guide for others.
You can use Drupal (with shib_auth module) + Nginx + Shibboleth Login, it
just requires a bit of work.

You must rebuild/compile Shibboleth SP with FastCGI support and then
compile Nginx with the custom nginx-http-shibboleth module.  David Beitey (
https://github.com/davidjb) has a couple of git projects and has documented
the process of getting Nginx + Shibboleth working well. He was very helpful
in getting this to work. https://github.com/nginx-shib/nginx-http-shibboleth

I used these two git repos to build custom rpms for RHEL7 but you can
presumably recompile on any distribution.  There are rpms available here:
https://www.hpc.jcu.edu.au/rpm/
https://github.com/jcu-eresearch/nginx-custom-build
https://github.com/nginx-shib/nginx-http-shibboleth

Note: You must use shib_request_set and fastcgi_param to pass Shibboleth
attributes to FastCGI for Drupal. Unlike Apache & mod_shib, where these
variables get automatically inserted into headers, you have to
explicitly set them in Nginx and pass them to FastCGI.

My original issue was that I was passing only UID and EMAIL, but I didn't realize
that the shib_auth module checks for Shib-Identity-Provider or
Shib_Identity_Provider.
Here's an example of an nginx location block where you can pass these
variables. Again, I think mod_shib in Apache automatically inserts these
into headers, but with the nginx shibboleth module you need to manually insert
them.

    # Add your attributes here. They get introduced as headers
    # by the FastCGI authorizer so we must prevent spoofing.
    more_clear_input_headers 'Variable-*' 'Shib-*' 'Remote-User' 'REMOTE_USER' 'Auth-Type' 'AUTH_TYPE';
    shib_request /shibauthorizer;

    # Copy the attributes the authorizer returned into nginx variables
    shib_request_set $shib_uid $upstream_http_variable_uid;
    shib_request_set $shib_email $upstream_http_variable_email;
    shib_request_set $shib_remote_user $upstream_http_variable_remote_user;
    shib_request_set $shib_identity_provider $upstream_http_variable_shib_identity_provider;

    # Hand them to PHP/Drupal as FastCGI params (shib_auth looks for Shib_Identity_Provider)
    fastcgi_param Shib_Identity_Provider $shib_identity_provider;
    fastcgi_param UID $shib_uid;
    fastcgi_param EMAIL $shib_email;
    fastcgi_param REMOTE_USER $shib_remote_user;
    fastcgi_pass backend;
    include fastcgi_params;
    index index.php;
    fastcgi_index index.php;

Once you pass the correct variables in Nginx and map them in shib_auth
module, Shibboleth authentication with Nginx + Drupal works without any
issues.

Thanks again,
Michael Macdonald
macado at gmail.com
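
Added here as an example, not code from the post above, from shib_auth or from nginx-http-shibboleth: a small Python check for a location block like the one in the message. It parses the directives, derives the header name each $upstream_http_* variable reads (nginx's lowercase/underscore mapping; the capitalisation it produces is cosmetic since matching is case-insensitive), reports any such header that the more_clear_input_headers directive would not strip from a client request, and reports attribute names from the post's list that no fastcgi_param forwards. The sample config is a constructed copy of the post's directives.

```python
import re
import shlex
from fnmatch import fnmatch

# Constructed sample: the directives from the location block in the post, one per line.
SAMPLE_CONFIG = """
more_clear_input_headers 'Variable-*' 'Shib-*' 'Remote-User' 'REMOTE_USER' 'Auth-Type' 'AUTH_TYPE';
shib_request /shibauthorizer;
shib_request_set $shib_uid $upstream_http_variable_uid;
shib_request_set $shib_email $upstream_http_variable_email;
shib_request_set $shib_remote_user $upstream_http_variable_remote_user;
shib_request_set $shib_identity_provider $upstream_http_variable_shib_identity_provider;
fastcgi_param Shib_Identity_Provider $shib_identity_provider;
fastcgi_param UID $shib_uid;
fastcgi_param EMAIL $shib_email;
fastcgi_param REMOTE_USER $shib_remote_user;
fastcgi_pass backend;
"""

def parse_directives(text):
    """Return (name, args) per 'name arg ...;' line; '#' comments are dropped."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if line:
            name, *args = shlex.split(line)
            out.append((name, args))
    return out

def upstream_var_to_header(var):
    """$upstream_http_variable_uid -> 'Variable-Uid': nginx lowercases header
    names and turns '-' into '_' when it builds $upstream_http_* variables."""
    m = re.fullmatch(r"\$upstream_http_([a-z0-9_]+)", var)
    return "-".join(p.capitalize() for p in m.group(1).split("_")) if m else None

def unprotected_headers(text):
    """Authorizer headers consumed via shib_request_set that no
    more_clear_input_headers pattern strips from the client request."""
    directives = parse_directives(text)
    patterns = [p for name, args in directives if name == "more_clear_input_headers" for p in args]
    headers = [upstream_var_to_header(args[1]) for name, args in directives if name == "shib_request_set"]
    return [h for h in headers if h and not any(fnmatch(h.lower(), p.lower()) for p in patterns)]

def missing_fastcgi_params(text, required=("Shib_Identity_Provider", "UID", "EMAIL", "REMOTE_USER")):
    """Attribute names shib_auth expects that are not forwarded with fastcgi_param."""
    passed = {args[0] for name, args in parse_directives(text) if name == "fastcgi_param"}
    return [r for r in required if r not in passed]
```

Dropping 'Variable-*' from more_clear_input_headers makes unprotected_headers() list all four Variable-* names, and dropping the Shib_Identity_Provider fastcgi_param line reproduces the missing attribute described in the post.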


On Fri, May 13, 2016 at 3:42 AM, Kristof Bajnok <bajnokk at niif.hu> wrote:

> On 2016/05/12 19:39, Michael MacDonald wrote:
> > Has anyone attempted to use this module with Nginx + Drupal?
>
> Unfortunately I haven't.
>
> > I've got Nginx set up with Shibboleth based on this configuration:
> > https://github.com/nginx-shib/nginx-http-shibboleth
> >
> > I'm able to successfully pass UID and MAIL into my headers after a
> > successful shibboleth login but I can't get this plugin to successfully
> > work with Nginx.
> >
> > After a successful login, it redirects to q=shib_login/user and I get
> > Access Denied.  You are not authorized to access this page.
>
> AFAIK this message is not thrown by shib_auth. Do you know whether it is
> thrown by the web server (403) or by Drupal? Because you say you are
> logged in I assume shib_auth gets the relevant attributes, therefore it
> creates the user entry in the database, right? If yes, the problem is
> that the session creation (the work that is done by
> user_external_login_register) fails for some reason.
>
> Anyway, a DEBUG output might help to better understand the problem.
>
> Kristof
>
> _______________________________________________
> shib_auth mailing list
> shib_auth at listserv.niif.hu
> https://listserv.niif.hu/mailman/listinfo/shib_auth
>