
I am new to SSO as well as Shibboleth.

I have successfully implemented Shibboleth SP on an Apache Server. The user is getting authenticated against IDP whenever the user tries to access a protected resource.

Basically, Shibboleth SSO has the following 6 steps:

  1. User Accesses Protected Resource
  2. SP Determines IdP and Issues Authentication Request
  3. User Authenticates to the IdP
  4. IdP Issues Response to SP
  5. Back to the SP
  6. Back to the Protected Resource

My client app is purely developed using AngularJS 1.6.

Everything is working fine till Step 6. My question is:

In Step 6: How do I access the Shibboleth SP attributes such as First Name or Last Name in my AngularJS Client App? Or is it even possible to access those attributes directly in the AngularJS app?

Shibboleth Wiki does not mention anything about accessing attributes using AngularJS.

Please. Any help | guidance | suggestion | feedback will be greatly appreciated.

[UPDATE]

httpd.conf

My httpd.conf is very simple. The only extra configuration I did for Shibboleth is as below. Everything else is default.

LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so

ServerName 10.63.32.125

<Location /licweb>
  AuthType shibboleth
  Require valid-user
  ShibRequireSession On
  ShibUseHeaders On
</Location>

shibboleth2.xml

This is also a very simple file.

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" 
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="180">
    <ApplicationDefaults entityID="https://www.example.com/licweb/shibboleth" REMOTE_USER="eppn persistent-id targeted-id">

        <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
            <SSO entityID="https://my-sso-url">
                SAML2 SAML1
            </SSO>
            <Logout>SAML2 Local</Logout>

            <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
            <Handler type="Session" Location="/Session" showAttributeValues="true" />
        </Sessions>
        <Errors supportContact="ankit.prajapati@yahoo.com" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>
        <MetadataProvider type="XML" file="MetaData.xml"/>
        <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
    </ApplicationDefaults>
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>

Session

I also get the Session at the URL: http://10.63.32.125/Shibboleth.sso/Session

Miscellaneous
Session Expiration (barring inactivity): 473 minute(s)
Client Address: 10.63.32.125
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: https://my-identity-provider
Authentication Time: 2018-06-21T19:19:16.937Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony
Authentication Context Decl: (none)

Attributes
displayName: Doe,John
givenName: John
mail: john.doe@yahoo.com
persistent-id: https://my-persistent-id
sn: doe

I want to access these attributes on my AngularJS Client Website running at URL: http://10.63.32.125/licweb

Any help will be greatly appreciated. THANKS.

Ankit Prajapati

3 Answers


I don't think you can directly access the attributes from AngularJS. You might need some server side support (AJP in case of Java using a servlet) to read the attributes.

See the related thread for some info.

Akshay
  • I created a PHP App on the same server running at http://10.63.32.125/serverapp/index.php. Configured the shibboleth2.xml to redirect the user after login to this PHP App. Now I am trying to access attributes with $_SERVER["Shib-Identity-Provider"] and $_SERVER["HTTP_SHIB_IDENTITY_PROVIDER"]; but it does not fetch anything. It's just blank. – Ankit Prajapati Jun 22 '18 at 19:41
  • $_SERVER prints all the Server Variables. But it does not have any Variable of Shibboleth. – Ankit Prajapati Jun 22 '18 at 20:13
  • You are right. We need a server side script to read Shibboleth SP attributes, and that script must reside in the same domain as well as the location secured by the Shibboleth configuration. Now I am able to read the Shibboleth attributes with the help of a PHP script. Thank you so much for your assistance. Greatly appreciated. – Ankit Prajapati Jun 25 '18 at 17:55
  • You may post the code sample to access attribute here to help others. – Akshay Jun 28 '18 at 06:34
  • PHP Script to access the Shibboleth Attributes: $_SERVER["displayName"] or $_SERVER["givenName"]. These will give the values if the Shibboleth SP is configured and working properly. – Ankit Prajapati Jun 28 '18 at 14:23

By setting contentType to application/json within the Session Handler you will get a JSON object instead of the HTML at the URL /Shibboleth.sso/Session. You can request that in your client-side JavaScript app like any other JSON resource / REST Api.

<Handler type="Session" Location="/Session" showAttributeValues="true" contentType="application/json" />

See https://wiki.shibboleth.net/confluence/display/SP3/Session+Handler

xsrf

The attributes live inside the headers when the response comes back from IdP. To access them you are going to have to enable the shibboleth headers on your protected location:

<Location /SECUREPATH >
    AuthType shibboleth
    ShibRequireSession On
    ShibUseHeaders On
    Require valid-user
</Location>

You'll be able to access the parameters through the headers in your JavaScript. But spoofing can happen: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSpoofChecking

This is the way we have access to our headers. We use Shibboleth as its own apache server:

  • User access /secure path

  • Shibboleth redirects to IdP

  • IdP comes back to secure path which is available to see. Apache redirects /secure to our web server where we have a callback and access the attributes through the url. But we encrypt that url to make sure it came from us. I also have ShibUseHeaders Off

How I access the customer header in apache: how to access custom header value in apache?

How I encrypt the attributes: Multiple values RewriteMap prg

leo
  • Hi Leo. First of all thank you so much for responding. But I am still not able to follow your 3rd step. What do you mean by "Apache redirects /secure to ......... attributes through the url"? How do you achieve that? This seems to be an advanced configuration in httpd.conf. I am totally new to Apache server. I will update my question with more details so that you can explain it to me better. Please help me. Your help will be greatly appreciated. – Ankit Prajapati Jun 21 '18 at 20:21
  • Updated my Question. – Ankit Prajapati Jun 21 '18 at 20:45
  • @AnkitPrajapati Since your configuration is different from what I did: you have Shibboleth installed on the same server as your web server. I had my web server and my Shibboleth separated. Once you land back on /licweb the attributes are located in your header. I am not experienced with Angular, but you can access them whenever the content from licweb gets loaded. I am assuming you have a route something like this `app.get('/', function (req, res)..` and it loads your page when the IdP returns.. in there you can access the headers through `res.headers` – leo Jun 21 '18 at 20:57
  • But that's my question. How do I access them? I have no idea of how to access the response. – Ankit Prajapati Jun 21 '18 at 21:01
  • I have tried this: $http.get("http://10.63.32.125/licweb").then(response.data). But no luck. It only gives me my HTML page details and data. – Ankit Prajapati Jun 21 '18 at 21:03
  • @AnkitPrajapati The `res.headers` is a dictionary, so to access mail you are going to access it like this: `res.headers["mail"]`. Remember to have your `ShibUseHeaders On`. Before you try to access them, `console.log(res.headers)` so you can see all the headers and see what the names of the attributes you want to access are. All of this is done inside your app.get method where the Angular page is being loaded. – leo Jun 21 '18 at 21:09
  • I am sorry bro. I got you. But my headers have no attributes. ShibUseHeaders is ON. But my headers don't have any attributes. Any other setting to get the attributes in headers? – Ankit Prajapati Jun 21 '18 at 21:17
  • @AnkitPrajapati did you restart apache? `sudo systemctl restart httpd` – leo Jun 21 '18 at 21:26
  • That is a good question. I forgot to restart apache and shibd. I did that. But still I don't have attributes in the headers. One question: The redirection is to http://10.63.32.125/licweb. But the URL http://10.63.32.125/licweb redirects to http://10.63.32.125/licweb/#/license. Does that make any difference? – Ankit Prajapati Jun 21 '18 at 21:42
  • Does the "#" in the URL make any difference? – Ankit Prajapati Jun 21 '18 at 21:46
  • Leo - Thank you very much for all your efforts to solve my issue. Highly Highly Appreciated. :) – Ankit Prajapati Jun 22 '18 at 19:38
  • I'm late to the party, but this looks like a pretty complicated and non-standard way. Is there a reason why you didn't just do a client side HTTP request (Ajax/fetch) to `/Shibboleth.sso/Session` within your app and use that data? Sure, it's not JSON/XML data, but it could be easily parsed with some lines of JavaScript code. – xsrf Oct 03 '19 at 12:10
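The approach from xsrf's answer (the Session handler served as JSON) and the scraping alternative from the last comment above, as an added example in plain browser JavaScript that is not code from any answer on this page. It assumes the SP's Session handler is configured with `showAttributeValues="true"` (as in the question's shibboleth2.xml) and, for the JSON path, `contentType="application/json"`. The JSON field names `attributes`, `name`, `values` and `identity_provider` are assumed from the SP's JSON session format and should be checked against your SP version; the `;` separator for multi-valued attributes in the text view and the `<pre>` wrapper in the HTML view are likewise assumptions. The two sample payloads are constructed from the values shown in the question.

```javascript
// Added example: read the Shibboleth SP session attributes from the browser.
// Not code from the answers above; assumptions (JSON field names, ";" as the
// multi-value separator in the text view, the handler URL) are marked inline.

// Constructed sample of the JSON the Session handler is assumed to return when
// contentType="application/json" is set; values mirror the question's session.
const SAMPLE_SESSION_JSON = JSON.stringify({
  expiration: 473,
  client_address: "10.63.32.125",
  protocol: "urn:oasis:names:tc:SAML:2.0:protocol",
  identity_provider: "https://my-identity-provider",
  authn_instant: "2018-06-21T19:19:16.937Z",
  attributes: [                       // assumed shape: [{ name, values: [] }]
    { name: "displayName", values: ["Doe,John"] },
    { name: "givenName", values: ["John"] },
    { name: "mail", values: ["john.doe@yahoo.com"] },
    { name: "persistent-id", values: ["https://my-persistent-id"] },
    { name: "sn", values: ["doe"] },
  ],
});

// Constructed sample of the default (HTML) handler output, as the question
// pasted it after rendering; this is what the last comment suggests parsing.
const SAMPLE_SESSION_HTML = `<html><head><title>Session Summary</title></head><body><pre>
Miscellaneous
Session Expiration (barring inactivity): 473 minute(s)
Client Address: 10.63.32.125
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: https://my-identity-provider
Authentication Time: 2018-06-21T19:19:16.937Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony
Authentication Context Decl: (none)

Attributes
displayName: Doe,John
givenName: John
mail: john.doe@yahoo.com
persistent-id: https://my-persistent-id
sn: doe
</pre></body></html>`;

// Both parsers return the same shape: { identityProvider, attributes: { name: [values] } }.
function parseSessionJson(text) {
  const doc = JSON.parse(text);
  const attributes = {};
  for (const attr of doc.attributes || []) {
    attributes[attr.name] = Array.isArray(attr.values) ? attr.values.slice() : [];
  }
  return { identityProvider: doc.identity_provider || null, attributes };
}

// Reduce the HTML view to its text lines: drop tags, decode the few entities
// the handler emits, then read "key: value" lines below the "Attributes" heading.
function parseSessionHtml(html) {
  const text = html
    .replace(/<[^>]*>/g, "\n")
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"').replace(/&amp;/g, "&");
  const attributes = {};
  let identityProvider = null;
  let inAttributes = false;
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "") continue;
    if (line === "Attributes") { inAttributes = true; continue; }
    const sep = line.indexOf(":");      // first colon only: values may contain more ("urn:...")
    if (sep < 0) continue;              // section headings such as "Miscellaneous"
    const key = line.slice(0, sep).trim();
    const value = line.slice(sep + 1).trim();
    if (!inAttributes) {
      if (key === "Identity Provider") identityProvider = value;
      continue;
    }
    // Assumption: the text view joins multiple values of one attribute with ";".
    attributes[key] = (attributes[key] || []).concat(value.split(";").map((v) => v.trim()));
  }
  return { identityProvider, attributes };
}

// First value of an attribute, or null when the IdP did not release it.
function attributeValue(session, name) {
  const values = session.attributes[name];
  return values && values.length ? values[0] : null;
}

// Browser side (AngularJS $http or plain fetch both work): the request has to
// go to the same origin as the protected location and carry the SP's session
// cookie, otherwise the handler has no session to describe.
async function loadSession(handlerUrl = "/Shibboleth.sso/Session") {
  const resp = await fetch(handlerUrl, { credentials: "same-origin" });
  if (!resp.ok) throw new Error(`Session handler returned HTTP ${resp.status}`);
  const body = await resp.text();
  const contentType = resp.headers.get("content-type") || "";
  return contentType.includes("application/json") ? parseSessionJson(body) : parseSessionHtml(body);
}
```

`loadSession()` only ever returns the calling browser's own session, since the handler resolves it from the SP session cookie. Values read this way are fine for greeting the user or pre-filling a form, but access control still has to be enforced server side from the variables mod_shib sets on its own requests: a modified client can present any attribute value it likes to the AngularJS code.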