Reputation: 3866
The question may sound odd, but I have a worst-case scenario.
My application server is at http://10.10.10.10/app (call it app-server) and the Apache HTTP server is at http://some.dns.com/app (call it http-server). They are different systems/servers.
I know app-server shouldn't be directly accessible publicly, but let's assume it is publicly accessible. Now Shibboleth is installed on http-server, securing the path http://some.dns.com/app/secure, while one servlet is mapped to get attributes from the path /secure.
If someone manages to create a fake Apache HTTP server (call it fake-http-server) that also points to app-server, then fake-http-server can directly access the /secure path, and that server can manually send Shibboleth-like attributes and log in to the system without protection.
My question is: is there a mechanism in Shibboleth where I can check the Shibboleth session in my application, not only in the HTTP layer?
Upvotes: 1
Views: 936
Reputation: 790
The mod_shib Apache module sets environment variables by default. These variables cannot be spoofed by a proxying Apache server.
From the docs:
The safest mechanism, and the default for servers that allow for it, is the use of environment variables. The term is somewhat generic because environment variables don't necessarily always imply the actual process environment in the traditional sense, since there's often no separate process. It really refers to a set of controlled data elements that the web server supplies to applications and that cannot be manipulated in any way from outside the web server. Specifically, the client has no say in them.
If you don't trust the Apache webserver, you can parse the SAML assertion in your code and validate the signatures in the assertion using the certificate provided by the Identity Provider (IdP) making the SAML assertion. But checking signatures is difficult and you need to deal with cases like key rotation and how to handle new certificates being used by the IdP. Shibboleth handles these very difficult and important tasks for you.
Upvotes: 1
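The answer's first point, shown as an added example (not code from the question, the answer, or the Shibboleth project): a handler for the protected path that trusts Shibboleth attributes only when the web server itself placed them in the request environment, and never when they arrive as HTTP request headers, which any upstream proxy can send. It assumes a WSGI application hosted in the same Apache as mod_shib, so that mod_shib's variables (REMOTE_USER, Shib-Session-ID, and so on) appear under those exact names in `environ`, while every incoming request header is renamed to HTTP_<NAME> by the server; the sample environs and the attribute values in them are constructed for the example.

```python
# Added example, not from the page or the Shibboleth project. It shows why
# server-set environment variables cannot be spoofed through a proxy: the
# server namespaces every incoming request header as HTTP_<NAME>, so a header
# named "Shib-Session-ID" sent by a rogue proxy arrives as
# HTTP_SHIB_SESSION_ID and never collides with the variable mod_shib sets.
#
# Assumption (not from the page): WSGI app running inside the same Apache as
# mod_shib, with mod_shib's default environment-variable delivery.

TRUSTED_ATTRS = ("REMOTE_USER", "Shib-Session-ID", "Shib-Identity-Provider", "mail")


def shib_identity(environ):
    """Return the identity established by mod_shib, or None.

    Only server-set environ keys are consulted; HTTP_* keys (request headers)
    are deliberately ignored, whatever names they carry.
    """
    if not environ.get("Shib-Session-ID") or not environ.get("REMOTE_USER"):
        return None
    return {name: environ[name] for name in TRUSTED_ATTRS if name in environ}


def spoofed_shib_headers(environ):
    """Detection helper: Shibboleth-looking names that arrived as HTTP headers.

    Logging these gives a cheap signal that something upstream is relaying
    user-controllable headers or impersonating the SP.
    """
    suspicious = [
        key for key in environ
        if key.startswith("HTTP_SHIB_") or key == "HTTP_REMOTE_USER"
    ]
    return sorted(suspicious)


def authorize(environ):
    """Decide how the /secure handler should respond to this request."""
    identity = shib_identity(environ)
    result = {"spoof_attempt": spoofed_shib_headers(environ)}
    if identity is None:
        result.update(status="401 Unauthorized", user=None)
    else:
        result.update(status="200 OK", user=identity["REMOTE_USER"])
    return result


# Constructed sample environs (not captured from a real deployment).
# What mod_shib hands the application after a real SSO login:
GENUINE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/app/secure",
    "REMOTE_USER": "alice@example.org",
    "Shib-Session-ID": "_constructed-session-id",
    "Shib-Identity-Provider": "https://idp.example.org/idp/shibboleth",
    "mail": "alice@example.org",
}

# What the same application sees when a proxy forwards those names as
# request headers: the server has already namespaced them under HTTP_.
FAKE_PROXY_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/app/secure",
    "HTTP_REMOTE_USER": "alice@example.org",
    "HTTP_SHIB_SESSION_ID": "_forged-session-id",
    "HTTP_SHIB_IDENTITY_PROVIDER": "https://idp.example.org/idp/shibboleth",
}

if __name__ == "__main__":
    print(authorize(GENUINE_ENVIRON))     # 200 OK for alice@example.org
    print(authorize(FAKE_PROXY_ENVIRON))  # 401 with the HTTP_* names listed
```

For a servlet container reached from Apache over AJP the same split applies: read the Shibboleth attributes with request.getAttribute() (where the server-side variables land) rather than request.getHeader(). Note that this only helps while the application server accepts connections from the trusted http-server alone; if app-server is reachable directly, as the question assumes, the network restriction is the fix, and the environment-variable mechanism cannot substitute for it.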