Is it possible to use Shibboleth 2 with Nginx + Passenger?

Do you know if it is possible to use Nginx with Shibboleth?


Solution 1:

Not until FastCGI supports "authorizer" mode. The Shibboleth 2 documentation describes a FastCGI SP application but explains that it doesn't work with Nginx because it lacks the "authorizer" mode needed for the filter.

An Nginx thread shows that many people want the "authorizer" mode but it's too difficult to implement. When people try, they give up.

Poster Alex on this Rails thread shares Ruby code for Shibboleth auth but appears to have used Apache. Other posters using Nginx still couldn't make it work.

Solution 2:

Yes, it's possible. Install and configure the nginx-http-shibboleth module for nginx, which provides the ability for nginx to understand the parts of the FastCGI authorizer spec which nginx can support; enough for Shibboleth authentication to succeed. Your installation will require a FastCGI build of the Shibboleth Service Provider (SP) and appropriate configuration of nginx to communicate with the shibauthorizer and shibresponder FastCGI applications.

All backend applications and environments can be supported in some manner, assuming they support either HTTP headers or environment variables set from nginx. Passing Shibboleth attributes to your application is either via nginx environment variables (via shib_request_set) or else via shib_request_use_headers on; for HTTP headers (be careful of spoofing). I've never used Passenger to host an app, but in your case, it appears you could use passenger_env_var and shib_request_set to get Shibboleth attributes into your application.

The full setup process is found in the GitHub repository at https://github.com/nginx-shib/nginx-http-shibboleth.

Disclaimer: I am the current maintainer of that module.

Note: this module supersedes all previous blog posts or wiki entries I might have written previously.
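
Added example (not part of the answer above, and not copied from the module's documentation): a sketch of the nginx side of the setup Solution 2 describes, passing one attribute to a Passenger app through an environment variable rather than a client-visible header. The socket paths, the /secure location, the eppn attribute name and the $upstream_http_variable_* naming of the authorizer's response are assumptions, as is passenger_env_var accepting an nginx variable as the answer suggests.

```nginx
# Goes inside the server { } block that serves the Rails app.
# Paths, location names and the attribute name are assumptions.

# shibauthorizer: reachable only through nginx-internal subrequests.
location = /shibauthorizer {
    internal;
    include fastcgi_params;
    fastcgi_pass unix:/run/shibboleth/shibauthorizer.sock;
}

# shibresponder: serves the SP's own endpoints (login, assertion
# consumer, logout).
location /Shibboleth.sso {
    include fastcgi_params;
    fastcgi_pass unix:/run/shibboleth/shibresponder.sock;
}

# Protected part of the Passenger-hosted application.
location /secure {
    passenger_enabled on;

    # Consult shibauthorizer first; nginx serves the request only if
    # the authorizer allows it.
    shib_request /shibauthorizer;

    # Copy one attribute from the authorizer's response into an nginx
    # variable, then into the app's environment. The value never comes
    # from a request header the client controls.
    shib_request_set $shib_eppn $upstream_http_variable_eppn;
    passenger_env_var EPPN $shib_eppn;

    # Header mode is the alternative. If it is enabled, client-supplied
    # copies of the attribute headers must be cleared before the request
    # reaches the app, or a request can carry a forged identity.
    # shib_request_use_headers on;
}
```

With this layout the Rails app reads the attribute from its environment (ENV-style request variable EPPN) and should treat a missing value as unauthenticated.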