<div dir="ltr"><div>Hi Kristof</div><div><br></div><div>Thanks for the additional information. Looks like I was able to figure it out but posting here in case anyone has any interest in doing this in the future. I couldn't find any other information on the Internet about it so I'll write up a quick guide for others.</div><div>You can use Drupal (with shib_auth module) + Nginx + Shibboleth Login, it just requires a bit of work.</div><div><br></div><div>You must rebuild/compile Shibboleth SP with FastCGI support and then compile Nginx with the custom nginx-http-shibboleth module. David Beitey (<a href="https://github.com/davidjb">https://github.com/davidjb</a>) has a couple of Git projects and has documented the process of getting Nginx + Shibboleth working well. He was very helpful in getting this to work. <a href="https://github.com/nginx-shib/nginx-http-shibboleth">https://github.com/nginx-shib/nginx-http-shibboleth</a><br><br>I used these two git repos to build custom rpms for RHEL7 but you can presumably recompile on any distribution. There are rpms available here: <a href="https://www.hpc.jcu.edu.au/rpm/">https://www.hpc.jcu.edu.au/rpm/</a><br><a href="https://github.com/jcu-eresearch/nginx-custom-build">https://github.com/jcu-eresearch/nginx-custom-build</a><br></div><div><a href="https://github.com/nginx-shib/nginx-http-shibboleth">https://github.com/nginx-shib/nginx-http-shibboleth</a><br></div><div><br></div><div>Note: You must use shib_request_set and fastcgi_param to pass Shibboleth attributes to FastCGI for Drupal. Unlike Apache &amp; mod_shib where these variables would get automatically inserted into headers, you have to explicitly set them in Nginx and pass them to FastCGI.<br><br>My original issue was I was passing only UID and EMAIL but I didn't realize that the shib_auth module checks for <span style="white-space:pre-wrap">Shib-Identity-Provider or </span><span style="white-space:pre-wrap">Shib_Identity_Provider. 
Here's an example of an nginx location block where you can pass these variables. Again, I think mod_shib in Apache automatically inserts these into headers but with the nginx shibboleth module you need to manually insert them. </span></div><div><span style="white-space:pre-wrap"><br></span></div><div><span style="white-space:pre-wrap"> #Add your attributes here. They get introduced as headers
#by the FastCGI authorizer so we must prevent spoofing.
more_clear_input_headers 'Variable-*' 'Shib-*' 'Remote-User' 'REMOTE_USER' 'Auth-Type' 'AUTH_TYPE';
shib_request /shibauthorizer;
shib_request_set $shib_uid $upstream_http_variable_uid;
shib_request_set $shib_email $upstream_http_variable_email;
shib_request_set $shib_remote_user $upstream_http_variable_remote_user;
shib_request_set $shib_identity_provider $upstream_http_variable_shib_identity_provider;
fastcgi_param Shib_Identity_Provider $shib_identity_provider;
fastcgi_param UID $shib_uid;
fastcgi_param EMAIL $shib_email;
fastcgi_param REMOTE_USER $shib_remote_user;
fastcgi_pass backend;
include fastcgi_params;
index index.php;
fastcgi_index index.php;
</span></div><div><span style="white-space:pre-wrap"><br></span></div><div><span style="white-space:pre-wrap">Once you pass the correct variables in Nginx and map them in shib_auth module, Shibboleth authentication with Nginx + Drupal works without any issues. </span></div><div><span style="white-space:pre-wrap"><br></span></div><div><span style="white-space:pre-wrap">Thanks again,</span></div><div><span style="white-space:pre-wrap">Michael Macdonald</span></div><div><span style="white-space:pre-wrap"><a href="mailto:macado@gmail.com">macado@gmail.com</a></span></div><div><span style="white-space:pre-wrap"><br></span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, May 13, 2016 at 3:42 AM, Kristof Bajnok <span dir="ltr"><<a href="mailto:bajnokk@niif.hu" target="_blank">bajnokk@niif.hu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 2016/05/12 19:39, Michael MacDonald wrote:<br>
> Has anyone attempted to use this module with Nginx + Drupal?<br>
<br>
Unfortunately I haven't.<br>
<br>
> I've got Nginx set up with Shibboleth based on this configuration:<br>
> <a href="https://github.com/nginx-shib/nginx-http-shibboleth" rel="noreferrer" target="_blank">https://github.com/nginx-shib/nginx-http-shibboleth</a><br>
><br>
> I'm able to successfully pass UID and MAIL into my headers after a<br>
> successful shibboleth login but I can't get this plugin to successfully<br>
> work with Nginx.<br>
><br>
> After a successful login, it redirects to q=shib_login/user and I get<br>
> Access Denied. You are not authorized to access this page.<br>
<br>
AFAIK this message is not thrown by shib_auth. Do you know whether it is<br>
thrown by the web server (403) or by Drupal? Because you say you are<br>
logged in I assume shib_auth gets the relevant attributes, therefore it<br>
creates the user entry in the database, right? If yes, the problem is<br>
that the session creation (the work that is done by<br>
user_external_login_register) fails for some reason.<br>
<br>
Anyway, a DEBUG output might help to better understand the problem.<br>
<br>
Kristof<br>
<br>
_______________________________________________<br>
shib_auth mailing list<br>
<a href="mailto:shib_auth@listserv.niif.hu">shib_auth@listserv.niif.hu</a><br>
<a href="https://listserv.niif.hu/mailman/listinfo/shib_auth" rel="noreferrer" target="_blank">https://listserv.niif.hu/mailman/listinfo/shib_auth</a><br>
</blockquote></div><br></div>
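<div>A config check for the setup described in this thread, added here as an example and not part of the original messages or of any project named in them. It audits the body of a shib_request location for the points the post raises: each shib_request_set variable is handed on with fastcgi_param, the identity-provider parameter that shib_auth looks for is present, and the authorizer's header names are covered by more_clear_input_headers. The function names and the sample config are constructed, and the input is assumed to be a location body without nested braces.</div>

```python
import fnmatch
import re

# Constructed sample: the location body from the post with the
# Shib_Identity_Provider fastcgi_param left out (the original problem).
SAMPLE = """
more_clear_input_headers 'Variable-*' 'Shib-*' 'Remote-User';
shib_request /shibauthorizer;
shib_request_set $shib_uid $upstream_http_variable_uid;
shib_request_set $shib_email $upstream_http_variable_email;
shib_request_set $shib_identity_provider $upstream_http_variable_shib_identity_provider;
fastcgi_param UID $shib_uid;
fastcgi_param EMAIL $shib_email;
"""


def directives(conf):
    """Yield (name, args) for each ';'-terminated directive, skipping comments."""
    text = re.sub(r"#[^\n]*", "", conf)
    for stmt in text.split(";"):
        words = [w.strip("'\"") for w in stmt.split()]
        if words:
            yield words[0], words[1:]


def audit(conf):
    """Return a list of findings for a shib_request location body."""
    cleared, sets, params = [], {}, {}
    has_request = False
    for name, args in directives(conf):
        if name == "more_clear_input_headers":
            cleared += [a.lower() for a in args]
        elif name == "shib_request" and args:
            has_request = True
        elif name == "shib_request_set" and len(args) == 2:
            sets[args[0]] = args[1]
        elif name == "fastcgi_param" and len(args) >= 2:
            params[args[0]] = args[1]
    findings = [] if has_request else ["no shib_request directive"]
    for var, src in sets.items():
        if var not in params.values():
            findings.append(f"{var} is set but never passed with fastcgi_param")
        # $upstream_http_x_y reads the authorizer response header x-y
        header = src.removeprefix("$upstream_http_").replace("_", "-")
        if not any(fnmatch.fnmatch(header, pat) for pat in cleared):
            findings.append(f"request header {header} is not cleared")
    if not any(p.lower().replace("_", "-") == "shib-identity-provider" for p in params):
        findings.append("no Shib_Identity_Provider fastcgi_param")
    return findings
```

<div>Calling audit(SAMPLE) reports the missing identity-provider parameter; appending the fastcgi_param line from the post returns an empty list.</div>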