My organization uses Shibboleth SAML authentication. Currently it works well, but I would like some of our servers' paths to be accessible only by a handful of people. The main way I have identified to accomplish this is using a map in NGINX, but I think because Shibboleth injects headers at some point it is not working for me. Does anyone know how I can accomplish my goal here in an nginx-shibboleth-compliant way? I have tried many variations of $http_eppn, $http_upstream_eppn, etc. My end goal is to replace the return statement with a proxy pass to an application.

In the http block:

    map $http_eppn $allowed_eppn {
        "eppn1" 1;
        "eppn2" 1;
        "eppn3" 1;
        default 0;
    }

Used later on:

    location /test {
        shib_request_use_headers on;
        include shib_clear_headers;
        more_clear_input_headers 'Remote-User' 'Shib-Identity-Provider' 'Uid' 'Eppn' 'Affiliation';
        shib_request /shibauthorizer;
        if ($is_ok) {
            return 405;
        }
        add_header Content-Type text/plain;
        return 200 '$http_eppn';
    }