[Koha-bugs] [Bug 17776] Shibboleth Authentication is broken in plack

bugzilla-daemon at bugs.koha-community.org
Thu Sep 27 10:47:14 CEST 2018


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776

--- Comment #28 from Martin Renvoize <martin.renvoize at ptfs-europe.com> ---
(In reply to Marcel de Rooy from comment #24)
> ShibUseHeaders On|Off
> Defaults to "Off", this turns on the use of request headers to publish
> attributes to applications. Use of this option should be avoided. Be sure to
> review the topic on spoof checking if you enable it.
> 
> You are suggesting to disable ShibUseEnvironment and enable ShibUseHeaders.
> Please explain. It is not recommended..

The issue is IPC (Inter-Process Communication). Koha relies upon third-party
software to handle most of the complexities of Shibboleth/SAML.. the 'native
service provider' package.. an Apache plugin exists, mod_shibboleth, which we
have been using to communicate between the native service provider code, Apache
and finally Koha. In the CGI world, Koha runs a process per request under a forked
Apache, and as such Apache and Koha share the same process environment. In the
Plack world, Koha runs in a persistent process and requests are proxied from
Apache to Plack (Koha); as such, no environment is shared and we have to
utilize an alternative means of communicating between Koha and Apache (and
therefore the native Shibboleth service provider). The only other supported
means of transporting that information is headers (in mod_shibboleth).

So.. to do better than this patch we either need to get rid of Apache and the
native Shibboleth service provider package and write our own native Shibboleth
handling code.. or write a Plack middleware that interfaces directly with the
native service provider software.. that's a pretty long way outside of my own
scope for this.

Personally, this isn't the 100% best fix, but it's the best we can do without
basically rewriting Koha, in my opinion.. With the NativeSPSpoofChecking
guidance followed, it's not as big an issue as many are making out, in my
opinion.

-- 
You are receiving this mail because:
You are watching all bug changes.
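The comment above relies on mod_shib's spoof checking to keep client-supplied headers out of the header transport. As an added example, not Koha's code or the commenter's, here is a small Plack middleware for the remaining gap: requests that reach the Plack listener without passing through Apache at all, whose Shib headers can never have been spoof-checked. The trusted proxy address, the attribute header names (HTTP_EPPN, HTTP_MAIL) and the stand-in inner app are assumptions for this example.

```perl
#!/usr/bin/perl
# Added example, not Koha code: a Plack middleware that discards Shibboleth
# attribute headers unless the request came from the Apache front end where
# mod_shib (and its spoof checking) runs. Anything reaching the Plack listener
# directly cannot have passed that check, so its Shib headers are untrusted.
use strict;
use warnings;

package Plack::Middleware::ShibHeaderGuard;
use parent 'Plack::Middleware';
use Plack::Util::Accessor qw(trusted_proxies attribute_headers);

sub call {
    my ( $self, $env ) = @_;
    my $peer = $env->{REMOTE_ADDR} // '';
    my $from_proxy = grep { $_ eq $peer } @{ $self->trusted_proxies || [] };
    unless ($from_proxy) {
        # PSGI exposes "Shib-Session-ID" as HTTP_SHIB_SESSION_ID, and so on.
        delete $env->{$_} for grep { /^HTTP_SHIB_/ } keys %$env;
        # Attribute header names come from the SP's attribute map; the ones
        # used here are assumed and supplied by the deployer.
        delete $env->{$_} for @{ $self->attribute_headers || [] };
    }
    return $self->app->($env);
}

package main;

# Stand-in for Koha: trusts the eppn header the way a ShibUseHeaders setup would.
my $inner = sub {
    my $env  = shift;
    my $user = $env->{HTTP_EPPN} // 'anonymous';
    return [ 200, [ 'Content-Type' => 'text/plain' ], ["user=$user\n"] ];
};

my $app = Plack::Middleware::ShibHeaderGuard->wrap(
    $inner,
    trusted_proxies   => ['127.0.0.1'],    # assumed: Apache proxies from localhost
    attribute_headers => [qw(HTTP_EPPN HTTP_MAIL)],
);

# Constructed requests: identical headers, different source addresses.
for my $addr ( '127.0.0.1', '203.0.113.9' ) {
    my $res = $app->( {
        REQUEST_METHOD => 'GET', PATH_INFO => '/', REMOTE_ADDR => $addr,
        HTTP_SHIB_SESSION_ID => '_constructed', HTTP_EPPN => 'alice@example.org',
    } );
    print "$addr: $res->[2][0]";    # only the proxied request keeps its user
}
```

This is defence in depth only: the primary control is still mod_shib's spoof checking on the Apache side, together with binding the Plack listener so it is not reachable except through Apache.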