[Koha] Plack plus shibboleth

Matthias Meusburger matthias.meusburger at biblibre.com
Tue Aug 28 22:16:05 NZST 2018


Hi,

Using something like Plack::Auth::SSO::Shibboleth might provide a 
solution to this problem.

https://metacpan.org/pod/Plack::Auth::SSO::Shibboleth

Le 27/08/2018 à 20:12, Katrin Fischer a écrit :
> Hi Dave,
> 
> I am not aware of a way to run Shibboleth with Plack in a safe way at 
> the moment, but would also be very interested in seeing this resolved. 
> It's a rather big issue for academic libraries here.
> 
> Katrin
> 
> On 27.08.2018 10:41, Dave Sherohman wrote:
>> Hey, all!
>>
>> tl;dr: When running koha under plack and using shibboleth
>> authentication, what is the currently-recommended way to communicate
>> auth details from mod_shib to koha?
>>
>>
>> Long version:
>>
>> I'm in the process of converting our Koha installation from running
>> under vanilla CGI to using plack/starman.  This was simple enough from
>> the perspsctive of straight-up library functionality, but we're using
>> shibboleth to authenticate against the campus IDP, and that has raised a
>> few issues.
>>
>> We've already found
>> https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776 in the
>> bug tracker and I have successfully adapted the patch tou our customized
>> C4::Auth/C4::Auth_with_shibboleth and logged in via shibboleth, but (as
>> noted in the bug tracker discussion) this uses HTTP headers to
>> communicate the authentication details to the back-end application.
>>
>> In order to avoid possible vulnerabilities resulting from the use of
>> HTTP headers, I went to the shibboleth documentation at
>> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSpoofChecking 
>>
>> [1] and, in the section for Apache, found the assertion that:
>>
>> "Under no circumstances should you rely on the request header option
>> other than as a temporary measure while adjusting applications to use
>> the environment option. There are no known scenarios in which
>> environment variables can't be used"
>>
>> Is there a way to use environment variables in a plack+shibboleth
>> installation?  The docs assert that it should be possible (as there are
>> "no known scenarios" where it isn't), but that would imply that one
>> process (apache) is able to modify the environment of another, already-
>> running, independent non-child process (starman) running under a
>> different uid/gid, which should not generally be possible - and, even if
>> it is possible, it would require apache to run as root, which would
>> create major security risks of its own.
>>
>> The bug tracker discussion includes a brief mention of possibly using a
>> plack middleware to change the worker process envoronment, but that
>> seems like it would just push the issue back a level from "how do I talk
>> to starman without using http headers" to "how do I talk to the
>> middleware without using http headers" without actually solving the core
>> issue.
>>
>> Is it actually possible to use environment variables in this scenario?
>> If not, what's the best practice to secure it against http header
>> spoofing?
>>
>>
>> [1] The SHIB2 documentation states that it's no longer supported, but
>> we're using an sp2 shibd and, in any case, the same text appears
>> verbatim on the equivalent SP3 page.
>>
> 
> _______________________________________________
> Koha mailing list  http://koha-community.org
> Koha at lists.katipo.co.nz
> https://lists.katipo.co.nz/mailman/listinfo/koha


More information about the Koha mailing list