shib_request_set

Sets Shibboleth attributes into request headers or variables based on a subrequest's response.

Syntax: shib_request_set attribute_name header_name;
Default: none
Context: http, server, location
Arguments: 2

Description

The shib_request_set directive in the NGINX Shibboleth Auth Request module allows users to specify a Shibboleth attribute to be set in the HTTP request. This directive works by defining a mapping between the attributes received from the Shibboleth FastCGI authorizer's response and the desired headers or NGINX variables in the original request. Essentially, it enables the transfer of user attributes, such as email address or group memberships, which can be utilized in subsequent processing by NGINX or sent to backend applications.

The directive requires two key parameters: the name of the attribute to set, and the destination variable or header where that attribute will be stored. The first parameter is typically a string representing the Shibboleth attribute name, while the second parameter designates where within the NGINX request context the value should be stored (for example, as a custom header or a specific variable). This allows backend applications to have the necessary authorization context to handle the validated requests correctly.

However, this directive must be used within the proper NGINX contexts (http, server, and location) and in conjunction with shib_request to function correctly. The handling of attribute values must also be carefully managed to avoid header injection or spoofing by a malicious actor, as attributes can potentially be manipulated during their flow.

Config Example

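location /protected {
    # Enforce authorization first via the subrequest to /shibboleth.
    shib_request /shibboleth;
    # Copy the user_email attribute into the X-User-Email request header.
    shib_request_set user_email X-User-Email;
    # Forward the authorized request to the backend.
    proxy_pass http://backend;
}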

Ensure that the shib_request directive is set before using shib_request_set to guarantee access control enforcement.

Be cautious about the potential for header injection; validate input if headers are set based on user attributes.

Subrequests do not forward the request body; ensure this behavior is acceptable for your use case.
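A backend-side check for the header injection and spoofing caution above, as an added example that is not part of the original page or of the module. The trusted proxy address, the e-mail pattern and the function names are assumptions; X-User-Email is the header from the config example.

```python
import re

# Header from the config example; compared after normalisation (see below).
ATTRIBUTE_HEADERS = {"x-user-email"}
# Assumption: constructed address of the NGINX host allowed to assert attributes.
TRUSTED_PROXIES = {"10.0.0.5"}

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF, NUL and other control bytes
# Assumption: a deliberately strict e-mail shape for this attribute.
_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class AttributeRejected(Exception):
    """Raised when an attribute header cannot be trusted."""


def extract_attributes(peer_ip, headers):
    """Return validated attribute headers from (name, value) pairs.

    Fails closed: any doubt about an attribute header rejects the request.
    """
    found = {}
    for name, value in headers:
        # CGI/WSGI-style servers map '-' and '_' to the same key, so
        # X_User_Email can shadow X-User-Email; treat them as one name.
        key = name.lower().replace("_", "-")
        if key not in ATTRIBUTE_HEADERS:
            continue
        if peer_ip not in TRUSTED_PROXIES:
            raise AttributeRejected("attribute header from untrusted peer")
        if key in found:
            # Two copies mean a client-supplied value survived next to the
            # proxy's own; there is no safe way to pick one.
            raise AttributeRejected("duplicate attribute header")
        if _CONTROL.search(value):
            raise AttributeRejected("control character in attribute value")
        found[key] = value.strip()
    email = found.get("x-user-email")
    if email is not None and not _EMAIL.fullmatch(email):
        raise AttributeRejected("malformed e-mail attribute")
    return found
```
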
