shib_request

The `shib_request` directive configures NGINX to perform Shibboleth authentication by sending a subrequest to a specified FastCGI authorizer URI.

Syntax: shib_request <uri>|off;
Default: off
Context: http, server, location
Arguments: 1

Description

The `shib_request` directive enables Shibboleth authentication in NGINX by directing incoming requests to an authorization service at a specified URI. It takes either a URI that points to an NGINX location block for a FastCGI authorizer, or 'off' to disable authentication. When enabled, NGINX processes the incoming request and issues a subrequest to the designated URI. If the authorizer returns a successful authentication response, NGINX can extract user attributes from the response headers and attach them to the original request, so that backend applications can use this data. If authorization fails, the authorizer's error status and headers are returned to the client.

With `shib_request`, the request body is not sent to the authorizer, and any body content in the authorizer's response is not returned to the client. Because the directive runs during the access phase, it can be combined with other access control modules in NGINX. Headers must be configured carefully so that clients cannot spoof sensitive attribute values. Behavior can be unpredictable if the modules are misconfigured, especially when `shib_request` is combined with other authorization methods in the same location block.

Config Example

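# Requests under /protected trigger an authorization subrequest to /auth.
location /protected {
    shib_request /auth;
}

# Location that hands the subrequest to the FastCGI authorizer.
location /auth {
    fastcgi_pass 127.0.0.1:9000;
    include fastcgi_params;
}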

Ensure the specified URI points to a valid location block handling Shibboleth authorization.

Do not expect the request body to be forwarded to the authorizer, which might limit functionality for some applications.

Mixing Shibboleth and other authorization modules in the same location could lead to untested behaviors, so use with caution.
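
A hardened variant of the configuration above, as an added example that is not from this page or the module's own documentation. It addresses the header-spoofing point in the description. It assumes the module's `shib_request_use_headers` directive and `more_clear_input_headers` from the headers-more module, neither of which appears on this page; the backend address and attribute header names are placeholders.

```nginx
# Added example. Backend address and attribute names are assumptions;
# replace them with the values used in your deployment.

# Authorizer endpoint: exact match and internal, so clients cannot request
# it directly. Only the shib_request subrequest reaches it.
location = /auth {
    internal;
    include fastcgi_params;
    fastcgi_pass 127.0.0.1:9000;
}

location /protected {
    shib_request /auth;

    # Pass attributes from the authorizer's response to the backend as
    # request headers (needed for proxy_pass backends).
    shib_request_use_headers on;

    # Remove client-supplied copies of every attribute header the backend
    # trusts, so only values set after authorization arrive upstream.
    # Requires the headers-more module. List every attribute your
    # application reads, in each spelling it accepts.
    more_clear_input_headers 'Auth-Type' 'Shib-*' 'Remote-User'
                             'displayName' 'mail' 'persistent-id';

    # Hypothetical backend that reads the attribute headers.
    proxy_pass http://127.0.0.1:8080;
}
```

Run `nginx -t` after editing; the check fails if the headers-more module is not loaded.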
