nginx-shib/nginx-http-shibboleth

OpenShift issues

danielc103 opened this issue · 2 comments

Description of Issue/Question

Question/Help

Trying to deploy nginx-shib setup in OpenShift. Running into two issues when trying to access a generic site served by the nginx service.

  1. I get the "FastCGI Shibboleth responder should only be used for Shibboleth protocol requests." using port 8080 on nginx. This happens when handlerSSL is true or false.

  2. Shib service allows access to site without login or SAML calls at all when using port 8443

I'm using absolute handler value to trick Shib for assertion redirect url. I can expose non standard ports on routes in OpenShift.

I am not at all an expert at Shibboleth or Nginx, any help would be greatly appreciated.

Setup

    shibboleth2.xml (excerpt):

    <!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->
    <RequestMapper type="XML">
        <RequestMap applicationId="default"
                    authType="shibboleth">
            <Host name="mytestwebsite.com" port="8443"
                  requireSession="true">
            </Host>
        </RequestMap>
    </RequestMapper>

    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <ApplicationDefaults entityID="${ENTITY_ID:-your-app.local.com}/shibboleth"
                         REMOTE_USER="eppn"
                         id="default"
                         policyId="default"
                         signing="true"
                         encryption="true">

        <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                handlerURL="https://mytestwebsite.com/Shibboleth.sso" handlerSSL="true"
                redirectLimit="host+whitelist" redirectWhitelist="https://shibsite.com/"
                exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
                idpHistory="false" idpHistoryDays="7" cookieProps="https">

    nginx server block:

    server {

        listen 8443;
        server_name mytestwebsite.com;

        # FastCGI authorizer for Auth Request module
        location = /shibauthorizer {
            internal;
            include fastcgi_params;
            fastcgi_pass unix:/tmp/shibauthorizer.sock;
        }

        # FastCGI responder
        location /Shibboleth.sso  {            # SET TO Shibboleth.sso!!!
            include fastcgi_params;
            fastcgi_pass unix:/tmp/shibresponder.sock;
        }

        # Resources for the Shibboleth error pages. This can be customised.
        location /shibboleth-sp {
            alias /etc/shibboleth/;
        }

        location / {

                more_clear_input_headers 'Variable-*' 'Shib-*' 'Remote-User' 'REMOTE_USER' 'Auth-Type' 'AUTH_TYPE';
                # Add your attributes here. They get introduced as headers
                # by the FastCGI authorizer so we must prevent spoofing.
                more_clear_input_headers 'displayName' 'mail' 'persistent-id';
                shib_request /shibauthorizer;

                root   /usr/share/nginx/html;
                index  index.html index.htm;
        }
    }

Versions and Systems

$ nginx -V
nginx version: nginx/1.16.0
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.0k  28 May 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=_shibd --group=_shibd --with-debug --with-http_ssl_module --with-http_realip_module --with-pcre --with-http_auth_request_module --with-http_stub_status_module --add-module=../headers-more-nginx-module-0.26 --add-module=../nginx-http-shibboleth
$ shibd -v
shibboleth 3.0.4

Your symptoms are those of Shibboleth failing to match incoming requests — allowing access without being prompted for login with requireSession=true.

For your <Host> configuration, this needs to be your hostname and not the URL (see https://wiki.shibboleth.net/confluence/display/SP3/HowToRequestMap for an example), and you'll probably require a <Path> element in this configuration as well to define which path should be protected by Shib. The docs for <Host> https://wiki.shibboleth.net/confluence/display/SP3/Host are unclear on what happens if you don't have Path, PathRegex, or Query present and I've never had a config without one.

Lastly, your <Sessions handlerURL="..."> needs to match what you have in your Nginx configuration — by default it's /Shibboleth.sso but in your config it'd need to be /saml or whatever your env variable is at that point; in short, it needs to be the same as what you've got the location block set for shibresponder.

There might be other issues but since this is a configuration/setup issue rather than a bug with this nginx module, ask any further questions over at the support mailing list https://www.shibboleth.net/community/lists/. Thanks!
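The two mismatches this answer points at (a `<Host name>` that is a URL rather than a bare hostname, and a `handlerURL` whose path no nginx `location` routes to the shibresponder socket) are the kind of thing that silently leaves a site unprotected, because a RequestMap that never matches means `requireSession` is never applied. The following script is an added example written for this page, not code from nginx-http-shibboleth or the Shibboleth SP: it reads a shibboleth2.xml fragment and an nginx server block (both constructed here from the configs in the issue) and reports those mismatches, plus the maintainer's note about a `<Host>` with no `Path`/`PathRegex`/`Query` child as a warning. The nginx side is a simplified regex scan of non-nested `location` blocks, not a full config parser, and the `/Shibboleth.sso` default for a missing `handlerURL` is the SP's documented default.

```python
"""Consistency check for a Shibboleth SP + nginx-http-shibboleth deployment.

Added example for this issue page; not part of the project. Both input
fragments below are constructed from the configuration quoted in the issue.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample reproducing the problems discussed: Host name is a URL,
# handlerURL path (/saml) is not the path nginx routes to shibresponder.
SHIB_XML_BROKEN = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <RequestMapper type="XML">
    <RequestMap applicationId="default" authType="shibboleth">
      <Host name="https://mytestwebsite.com" port="8443" requireSession="true"/>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults entityID="https://mytestwebsite.com/shibboleth" id="default">
    <Sessions lifetime="28800" handlerURL="https://mytestwebsite.com/saml" handlerSSL="true"/>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed corrected sample: bare hostname, explicit Path, handlerURL matching nginx.
SHIB_XML_FIXED = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <RequestMapper type="XML">
    <RequestMap applicationId="default" authType="shibboleth">
      <Host name="mytestwebsite.com" port="8443">
        <Path name="secure" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults entityID="https://mytestwebsite.com/shibboleth" id="default">
    <Sessions lifetime="28800" handlerURL="https://mytestwebsite.com/Shibboleth.sso" handlerSSL="true"/>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed nginx server block, trimmed from the one in the issue.
NGINX_CONF = """server {
    listen 8443 ssl;
    server_name mytestwebsite.com;
    location = /shibauthorizer {
        internal;
        include fastcgi_params;
        fastcgi_pass unix:/tmp/shibauthorizer.sock;
    }
    location /Shibboleth.sso {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/shibresponder.sock;
    }
    location / {
        shib_request /shibauthorizer;
        root /usr/share/nginx/html;
    }
}"""

# Simplified nginx scan: non-nested location blocks only (assumption of this example).
LOCATION_RE = re.compile(r"location\s+(?:(=|\^~|~\*|~)\s+)?(\S+)\s*\{([^{}]*)\}")
SERVER_NAME_RE = re.compile(r"server_name\s+([^;]+);")


def local(tag):
    """Strip an XML namespace prefix: '{ns}Host' -> 'Host'."""
    return tag.rsplit("}", 1)[-1]


def parse_shib(xml_text):
    """Return (list of <Host> elements, handlerURL) from a shibboleth2.xml fragment."""
    root = ET.fromstring(xml_text)
    hosts = [e for e in root.iter() if local(e.tag) == "Host"]
    sessions = [e for e in root.iter() if local(e.tag) == "Sessions"]
    handler = sessions[0].get("handlerURL", "/Shibboleth.sso") if sessions else "/Shibboleth.sso"
    return hosts, handler


def responder_locations(conf):
    """(modifier, path) of every location whose body passes to the shibresponder socket."""
    return [(m.group(1) or "", m.group(2)) for m in LOCATION_RE.finditer(conf)
            if "shibresponder" in m.group(3)]


def location_matches(modifier, loc, path):
    """Does an nginx location with this modifier select the given request path?"""
    if modifier == "=":
        return path == loc
    if modifier in ("~", "~*"):
        return re.search(loc, path, re.I if modifier == "~*" else 0) is not None
    return path.startswith(loc)  # plain prefix or ^~ prefix


def check(xml_text, conf):
    """Return a list of (severity, message) findings; empty means consistent."""
    findings = []
    hosts, handler = parse_shib(xml_text)
    server_names = set()
    for m in SERVER_NAME_RE.finditer(conf):
        server_names.update(m.group(1).split())
    for h in hosts:
        name = h.get("name", "")
        if "://" in name or "/" in name:
            findings.append(("error", f"Host name={name!r} is a URL; use the bare hostname"))
        elif server_names and name not in server_names:
            findings.append(("error", f"Host name={name!r} matches no nginx server_name {sorted(server_names)}"))
        if not any(local(c.tag) in ("Path", "PathRegex", "Query") for c in h):
            findings.append(("warn", f"Host name={name!r} has no Path/PathRegex/Query child"))
    handler_path = urlparse(handler).path if "://" in handler else handler
    locs = responder_locations(conf)
    if not any(location_matches(mod, loc, handler_path) for mod, loc in locs):
        findings.append(("error", f"handlerURL path {handler_path!r} is not routed to shibresponder by {locs}"))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("broken", SHIB_XML_BROKEN), ("fixed", SHIB_XML_FIXED)):
        print(f"== {label} ==")
        for severity, msg in check(xml_text, NGINX_CONF):
            print(f"[{severity}] {msg}")
```

Run it against the real files by replacing the two constructed strings with `open(...).read()` on shibboleth2.xml and the nginx server block; the "broken" sample produces two errors and one warning, the "fixed" sample none.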

The configs above that I gave had variables that can be set so the handlerURL was correct, it was /Shibboleth.sso. If that was incorrect I would get a 404 error on the nginx side not a "FastCGI Shibboleth responder should only be used for Shibboleth protocol requests." error. The original host name was removed and I accidentally copy and pasted the URL. All corrected above. As far as the path goes, again, I'm hitting the desired path of root which is allowed in shibboleth settings. I've also changed to /secure and get the same behavior.

I was more alluding to the issues of why port 8443 just allows access and does not take me to the login screen, and port 8080 takes me to the login screen but throws the "FastCGI Shibboleth responder should only be used for Shibboleth protocol requests." error.

I needed to add an absolute handlerURL because I cannot expose ports on OpenShift routes and the Shibboleth config generates the ACS from scheme+vhost+port. This would fail as there is no way to reach this. However, once I hard coded the handlerURL the ACS gets through.

I assumed the issue at this point was that the handlerURL was https so it was expecting a secure connection, and after reading the issues regarding the above mentioned Shibboleth error, I changed the port to 8443 and implemented SSL on that port to no avail.