UtoridAuthentication
How do we authenticate user sessions using the university's UTORid authentication system? It is run by CNS (Central Network Services), and the infrastructure is based on Shibboleth.
Must read for basic definitions: https://www.shibboleth.net/index/basic/
The diagram on this page includes a "reverse proxy server":
http://sites.utoronto.ca/security/projects/shibboleth.htm
The site suggests that if we are "intramural", the utorid will be among the request headers forwarded to us.
This page seems to describe the information that becomes available if we additionally obtain access to the Shibboleth LDAP service:
http://sites.utoronto.ca/security/projects/SP-install.htm
Max, just before he left, configured nginx to do this for dcsis.
Max's experiment/prototype nginx config file follows. A lot of it is probably specific to Django, but shib is mentioned.
```nginx
# These directives sit inside the server {} block for the site. They need two
# third-party modules: nginx-http-shibboleth (shib_request) and headers-more
# (more_clear_input_headers).

# FastCGI authorizer for the auth request module
location = /shibauthorizer {
    internal;
    include fastcgi_params;
    fastcgi_pass unix:/var/www/dcsis/var/tmp/shibauthorizer.sock;
}

# FastCGI responder: serves the SP's own endpoints (session initiator,
# assertion consumer, logout) under /Shibboleth.sso
location /Shibboleth.sso {
    include fastcgi_params;
    fastcgi_pass unix:/var/www/dcsis/var/tmp/shibresponder.sock;
}

# Resources for the Shibboleth error pages. This can be customised.
location /shibboleth-sp {
    alias /usr/share/shibboleth/;
}

location / {
    # Serve the request as a static file if one exists, otherwise
    # hand it to the WSGI application via the named location below
    try_files $uri @wsgi;
    # Uncomment to enable naxsi on this location
    # include /etc/nginx/naxsi.rules
}

location /d/ {
    # Require a Shibboleth session before anything under /d/ is served
    shib_request /shibauthorizer;
    root /var/www/dcsis/var/public_django;
    rewrite ^/d/static/(.*)$ /static/$1 break;
    # Serve a static file if one exists, otherwise proxy to Django
    try_files $uri @django;
    # Uncomment to enable naxsi on this location
    # include /etc/nginx/naxsi.rules
}

# Only for nginx-naxsi: process denied requests
#location /RequestDenied {
#    # For example, return an error code
#    return 418;
#}

client_max_body_size 500M;

location @wsgi {
    shib_request /shibauthorizer;
    # Drop any copies of these headers the client sent. The FastCGI authorizer
    # adds the genuine ones afterwards, so the backend only sees values the SP
    # produced.
    more_clear_input_headers 'Variable-*' 'Shib-*' 'Remote-User' 'REMOTE_USER' 'Auth-Type' 'AUTH_TYPE';
    # Add your attributes here. They get introduced as headers
    # by the FastCGI authorizer so we must prevent spoofing.
    more_clear_input_headers 'displayName' 'mail' 'persistent-id';
    uwsgi_read_timeout 600s;
    uwsgi_send_timeout 600s;
    # Original had "unix://var/...", which is one slash too many
    uwsgi_pass unix:/var/www/dcsis/var/tmp/uwsgi.socket;
    uwsgi_param Host $host;
    uwsgi_param X-Real-IP $remote_addr;
    uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for;
    uwsgi_param X-Forwarded-Proto "https";
    # alternatively: uwsgi_param X-Forwarded-Proto $http_x_forwarded_proto;
    include uwsgi_params;
}

location @django {
    # Unlike @wsgi, this path does no header clearing of its own and the
    # upstream is a TCP port on localhost rather than a unix socket
    proxy_pass http://127.0.0.1:8000;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header SCRIPT_NAME /d;
    include proxy_params;
}
```
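The config above clears the `Shib-*`, `Variable-*`, `Remote-User` and attribute headers on the way in so that only the SP authorizer can set them. That protection lives entirely in nginx: anything that reaches the backend without passing through it (the `@django` upstream listens on `127.0.0.1:8000`, which any local process can connect to) can present forged headers. The following is an added example, not Max's code and not part of the wiki page or the dcsis project, of a WSGI middleware that applies the same policy a second time at the application layer. It assumes nginx injects a shared-secret header (assumed name `X-Frontend-Token`, e.g. via `proxy_set_header`, which replaces any client-supplied copy) and that the SP's `Remote-User` header arrives in the WSGI environ as `HTTP_REMOTE_USER`; the environ dicts at the bottom are constructed samples.

```python
import hmac
import re
from typing import Optional

# WSGI environ keys that only the Shibboleth SP authorizer should populate.
# They mirror the headers the nginx config clears on incoming requests
# (Shib-*, Variable-*, Remote-User, displayName, mail, persistent-id).
SHIB_ATTR_KEYS = ("HTTP_REMOTE_USER", "HTTP_DISPLAYNAME",
                  "HTTP_MAIL", "HTTP_PERSISTENT_ID")
SHIB_PREFIX = re.compile(r"^HTTP_(SHIB_|VARIABLE_)")

# Assumed header (not on the wiki page): nginx sets X-Frontend-Token to a value
# known only to it and the app, so the app can tell proxied from direct requests.
PROXY_TOKEN_KEY = "HTTP_X_FRONTEND_TOKEN"


def scrub_shib_environ(environ: dict) -> dict:
    """Return a copy of environ with every Shibboleth-derived key removed."""
    return {k: v for k, v in environ.items()
            if k not in SHIB_ATTR_KEYS and not SHIB_PREFIX.match(k)}


def came_through_proxy(environ: dict, secret: str) -> bool:
    """True only if the request carries the token nginx injects."""
    token = environ.get(PROXY_TOKEN_KEY, "")
    return hmac.compare_digest(token.encode(), secret.encode())


def resolve_remote_user(environ: dict, secret: str) -> Optional[str]:
    """utorid of the authenticated user, or None.

    The identity is the Remote-User header the SP authorizer sets (seen as
    HTTP_REMOTE_USER after nginx -> uwsgi). It is trusted only when the proxy
    token proves nginx handled the request, because nginx is what strips the
    client-supplied copies of that header.
    """
    if not came_through_proxy(environ, secret):
        return None
    user = environ.get("HTTP_REMOTE_USER", "").strip()
    return user or None


class ShibRemoteUserMiddleware:
    """Expose the SP identity as REMOTE_USER (the key Django's
    RemoteUserMiddleware reads) and drop every raw Shibboleth header."""

    def __init__(self, app, secret: str):
        self.app = app
        self.secret = secret

    def __call__(self, environ, start_response):
        user = resolve_remote_user(environ, self.secret)
        clean = scrub_shib_environ(environ)
        clean.pop(PROXY_TOKEN_KEY, None)      # the app never needs the token
        if user is not None:
            clean["REMOTE_USER"] = user
        return self.app(clean, start_response)


def _demo_app(environ, start_response):
    """Minimal WSGI app that echoes who it believes the caller is."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("REMOTE_USER", "anonymous").encode()]


def run(environ: dict, secret: str = "constructed-secret") -> str:
    """Push one environ through the middleware and return the response body."""
    app = ShibRemoteUserMiddleware(_demo_app, secret)
    return b"".join(app(environ, lambda status, headers: None)).decode()


# Constructed sample environs, not captured traffic.
VIA_NGINX = {                       # went through nginx + SP authorizer
    "REQUEST_METHOD": "GET", "PATH_INFO": "/d/",
    "HTTP_X_FRONTEND_TOKEN": "constructed-secret",
    "HTTP_REMOTE_USER": "jdoe",
    "HTTP_MAIL": "jdoe@example.invalid",
    "HTTP_SHIB_SESSION_ID": "constructed-session",
}
DIRECT_SPOOF = {                    # connected straight to the backend port
    "REQUEST_METHOD": "GET", "PATH_INFO": "/d/",
    "HTTP_REMOTE_USER": "admin",
    "HTTP_SHIB_SESSION_ID": "forged",
}

if __name__ == "__main__":
    print("via nginx   ->", run(VIA_NGINX))     # jdoe
    print("direct spoof->", run(DIRECT_SPOOF))  # anonymous
```

The token check is deliberately a constant-time comparison, and the middleware removes the raw headers whether or not the request was trusted, so application code downstream only ever consults `REMOTE_USER`.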