Merge branch 'fix-shibboleth-auth-with-no-uid' into 'master'

fix shibboleth misconfigurations resulting in authentication bypass This merge request fixes #22267 where a misconfigured Shibboleth `HTTP_UID` or `HTTP_EPPN` could result in users being logged into an account that did not belong to them. See merge request !7428

Merge branch 'fix-shibboleth-auth-with-no-uid' into 'master'
fix shibboleth misconfigurations resulting in authentication bypass This merge request fixes #22267 where a misconfigured Shibboleth `HTTP_UID` or `HTTP_EPPN` could result in users being logged into an account that did not belong to them. See merge request !7428
d1afb845 · Rémy Coutable · 2e1fe59e · 067da622 · d1afb845 · d1afb845
Commit d1afb845 authored Nov 16, 2016 by Rémy Coutable
Showing with 8 additions and 0 deletions

changelogs/unreleased/fix-shibboleth-auth-with-no-uid.yml changelogs/unreleased/fix-shibboleth-auth-with-no-uid.yml +4 -0

config/initializers/devise.rb config/initializers/devise.rb +4 -0

No files found.
--- a/changelogs/unreleased/fix-shibboleth-auth-with-no-uid.yml
+++ b/changelogs/unreleased/fix-shibboleth-auth-with-no-uid.yml
+---
+title: fix shibboleth misconfigurations resulting in authentication bypass
+merge_request: 7428
+author: 
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -241,6 +241,10 @@ Devise.setup do |config|
        end
      end
+      if provider['name'] == 'shibboleth'
+        provider['args'][:fail_with_empty_uid] = true
+      end
      # A Hash from the configuration will be passed as is.
      provider_arguments << provider['args'].symbolize_keys
    end