Accounts and user data are a matter of trust. Single sign-on (SSO) can improve the user experience (UX), convenience and security, especially if you are offering several web applications often used by the same users. If you do not want to force your users onto big vendors offering SSO like Google or Facebook, or do not trust them, you can implement SSO for your offerings with open-source software (OSS) like Shibboleth. With Shibboleth it may even be feasible to join an existing federation like SWITCH, DFN or InCommon, thus enabling logins for thousands of users without creating new accounts and login data.
If you are implementing your SSO with Shibboleth, you usually have to enable your web applications to deal with Shibboleth attributes. Shibboleth attributes are information about the authenticated user provided by the SSO infrastructure, e.g. the Apache web server with mod_shib in conjunction with the associated identity providers (IdP). In general there are two options for accessing these attributes:
- HTTP request headers
- Request environment variables (not to be confused with system environment variables!)
Using request headers should be avoided, as it is less secure and prone to spoofing: headers are supplied by the client, whereas request environment variables are set by the server and cannot be injected by the client. Access to the request environment depends on the framework your web application is using.
Shibboleth attributes in Java Servlet-based apps
In Java Servlet-based applications like Grails or Java EE, access to the Shibboleth attributes is really easy, as they are provided as request attributes. Simply calling request.getAttribute("AJP_eppn") will give you the value of the eppn ("eduPersonPrincipalName") attribute set by Shibboleth if a user is authenticated and the attribute is made available. There are two caveats though:
- Request attributes are prefixed by default with AJP_ if you are using mod_proxy_ajp to connect Apache with your servlet container.
- Shibboleth attributes are not contained in request.getAttributeNames()! You have to access them directly, knowing their name.
Shibboleth attributes in WSGI-based apps
If you are using a WSGI-compatible Python web framework for your application, you can get the Shibboleth attributes from the wsgi.environ dictionary that is part of the request. In CherryPy, for example, you can use the following code to obtain the eppn attribute:

import cherrypy

# Raises KeyError if there is no Shibboleth session or the attribute was not released
eppn = cherrypy.request.wsgi_environ['eppn']
I did not find the name of the WSGI environment dictionary clearly documented in my efforts to make Shibboleth work with my CherryPy application, but after that everything was bliss.
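As an added example (not code from the original post), here is a small Python helper that reads Shibboleth attributes from a WSGI environ the way the text recommends: only from the request environment, ignoring the HTTP_* header form a client could spoof, and splitting multi-valued attributes. The constructed environ and the helper function names are assumptions, not part of any Shibboleth API.

```python
# Added example, not code from the original post: read Shibboleth attributes
# from the WSGI environ only and ignore the client-controlled header form.
# Assumes mod_shib exports attributes into the request environment, as described above.
from typing import Optional

MULTI_VALUE_SEP = ";"  # the Shibboleth SP joins multiple values of one attribute with ';'


def get_shib_attribute(environ: dict, name: str) -> Optional[str]:
    """Return Shibboleth attribute `name` from the request environment, or None.

    Only environ[name] is consulted. The header form of the same name, which a
    WSGI server exposes as environ['HTTP_<NAME>'], is deliberately ignored: any
    client can send such a header, but it cannot set request environment variables.
    """
    value = environ.get(name)
    return value if value else None


def get_shib_attribute_values(environ: dict, name: str) -> list:
    """Split a multi-valued attribute (e.g. affiliation) into a list of values."""
    value = get_shib_attribute(environ, name)
    return [v for v in value.split(MULTI_VALUE_SEP) if v] if value else []


def require_shib_user(environ: dict) -> str:
    """Return the eppn of the authenticated user; raise if there is no Shibboleth session."""
    eppn = get_shib_attribute(environ, "eppn")
    if eppn is None:
        raise PermissionError("no Shibboleth session: eppn missing from request environment")
    return eppn


if __name__ == "__main__":
    # Constructed request environment: the client sent an 'Eppn' header (visible
    # as HTTP_EPPN) while the SP set the genuine eppn variable.
    environ = {
        "HTTP_EPPN": "spoofed@example.org",
        "eppn": "alice@example.edu",
        "affiliation": "member@example.edu;staff@example.edu",
    }
    print(require_shib_user(environ))                         # alice@example.edu
    print(get_shib_attribute_values(environ, "affiliation"))  # two values
    # Header alone, no SP-set variable: treated as unauthenticated
    print(get_shib_attribute({"HTTP_EPPN": "spoofed@example.org"}, "eppn"))  # None
```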
Accessing Shibboleth attributes in a safe manner is straightforward in web environments like Java servlets and Python WSGI applications. Nevertheless, you have to know the above aspects regarding naming and visibility, or you will be puzzled by the behaviour of the Shibboleth service provider.