Add setting to disable copying variables as headers
davidjb opened this issue · 1 comments
davidjb commented
mod_shib for Apache has ShibUserHeaders to control whether attributes get passed as headers to the backend, and we should aim for a similar toggle. Without automatically copying headers, it's possible and more secure (see README) to copy attributes from the auth request into the backend's environment -- but it currently requires manual handling in the user's config.
FYI: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig