Cross-post from wg-ui#38.
The University is heavily into Single
shibd is one of the more common tools we have and use. Together with
it's easy to create SSO for applications that can't speak native SAML.
Apache handles all the authentication and, in this case, even a rough
authorization (more on that later), and proxies the request to
Most SAML attributes in the .edu world are based on LDAP attributes.
eduPersonPrincipalName (or eppn, as Shibboleth calls it) is our primary key for identifying users, so that
is released from the IdP to the SP as a SAML attribute and then forwarded/proxied
as a request header to the application. The only thing that needs to be
configured on the Wireguard UI end is that the application has to be started with the
--auth-user-header flag set to
```apache
<VirtualHost *:443>
  <LocationMatch "/">
    AuthType Shibboleth
    Require shib-attr entitlement ~ ^urn:mace:swami.se:gmai:vpn:user$
    ShibRequireSessionWith idp.example.com
    ShibUseHeaders On
  </LocationMatch>

  SSLCertificateFile /path/to/vpn.example.com.pem
  SSLCertificateKeyFile /path/to/vpn.example.com.key
  SSLCertificateChainFile /path/to/DigiCertCA-2024-11-18.crt

  ProxyPass "/" "http://127.0.0.1:8080/"
  ProxyPassReverse "/" "http://127.0.0.1:8080/"
</VirtualHost>
```
Configuration in depth
```apache
Require shib-attr entitlement ~ ^urn:mace:swami.se:gmai:su-vpn:user$
```

We have a lot of users at the University, and not all of them are eligible to use Wireguard UI. By default Apache and shibd let every authenticated user through, and since Wireguard UI has no knowledge of the user beforehand, we release another attribute (eduPersonEntitlement) from the IdP to the SP and require a specific value on the user in order to be allowed to use the service. The regex is anchored with `^` and `$`, so only that exact value grants access; a value that merely starts with the same prefix does not.
`ShibUseHeaders On` tells the Shibboleth Apache module (mod_shib) to publish the SAML attributes to the application (in our case via the proxy) as request headers. Because the application trusts that header for authentication, the backend must only be reachable through Apache: keep it bound to 127.0.0.1 (as in the ProxyPass above) and not exposed on any other interface, otherwise a client could set the header itself.
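As an added illustration, not code from this post, from Shibboleth or from wg-ui, here is a small Python model of the chain described above: mod_shib exports the released attributes as headers, Apache evaluates the `Require shib-attr ... ~` regex, and the proxied application reads the user header. The constructed sample data, the `;` delimiter for multi-valued attributes, per-value regex matching, the dropping of client-supplied copies of managed headers, and `eppn` as the value of `--auth-user-header` are my assumptions, written down so they can be checked against a real deployment.

```python
import re

# Constructed model of the Apache + mod_shib + proxied-app chain from this
# post. It is not Shibboleth or wg-ui code; the header semantics below are
# assumptions about mod_shib's behaviour, not a transcription of it.

VALUE_DELIMITER = ";"                      # assumed SP delimiter for multi-valued attributes
MANAGED_HEADERS = ("eppn", "entitlement")  # attribute ids this vhost exports as headers

# Mirrors: Require shib-attr entitlement ~ ^urn:mace:swami.se:gmai:vpn:user$
REQUIRED_ENTITLEMENT = re.compile(r"^urn:mace:swami.se:gmai:vpn:user$")

PROXY_ADDR = "127.0.0.1"   # ProxyPass target host; the only peer the app should trust
AUTH_USER_HEADER = "eppn"  # assumed value passed to wg-ui's --auth-user-header


def export_headers(client_headers, session_attributes):
    """Model of ShibUseHeaders On: drop any client-supplied copy of a managed
    header, then set each managed header from the authenticated session.
    session_attributes maps attribute id -> list of values released by the IdP."""
    out = {k: v for k, v in client_headers.items()
           if k.lower() not in MANAGED_HEADERS}
    for name in MANAGED_HEADERS:
        values = session_attributes.get(name, [])
        if values:
            out[name] = VALUE_DELIMITER.join(values)
    return out


def require_shib_attr(headers, name, pattern):
    """Model of `Require shib-attr NAME ~ REGEX`: the attribute may carry
    several values; each is tested on its own and one match is enough."""
    raw = headers.get(name)
    if raw is None:
        return False
    return any(pattern.search(value) for value in raw.split(VALUE_DELIMITER))


def backend_user(peer_ip, headers):
    """What the proxied app must do with the user header: trust it only when
    the request arrived from the reverse proxy on loopback, never from a
    client that reached port 8080 directly."""
    if peer_ip != PROXY_ADDR:
        return None
    return headers.get(AUTH_USER_HEADER)


def handle_request(client_headers, session_attributes):
    """Request that came in through Apache: export headers, evaluate Require,
    then let the backend read the user. Returns (status, user)."""
    headers = export_headers(client_headers, session_attributes)
    if not require_shib_attr(headers, "entitlement", REQUIRED_ENTITLEMENT):
        return 403, None
    user = backend_user(PROXY_ADDR, headers)
    if user is None:
        return 401, None
    return 200, user


if __name__ == "__main__":
    # Constructed sample session: two entitlement values, one of them the VPN one.
    alice = {"eppn": ["alice@example.edu"],
             "entitlement": ["urn:mace:example.edu:other",
                             "urn:mace:swami.se:gmai:vpn:user"]}
    print(handle_request({"eppn": "mallory@example.edu"}, alice))
```

The three cases worth trying are a client that sends its own `eppn` header with no session (the header is dropped and the request is denied), a session whose entitlement value only shares the prefix (for example `...:vpn:user-readonly`, rejected by the anchored regex), and a request that hits the backend from a non-loopback address (the user header is ignored).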
That's it! I hope it can be useful to someone else. The setup works flawlessly, and big thanks to EmbarkStudios for a great application.