I have a Shibboleth service provider with Apache httpd, and the IdP sends me the attributes.
So, I am able to retrieve the custom attributes from https://mysp/Shibboleth/Session; all I need is to send a request from the front-end (ReactJS) to this link and get all the attributes.
Now we are going into the production environment, but this way of retrieving attributes from the session is not recommended for a production environment.
So do you know a way to retrieve the attributes of the authenticated user and forward the data to the front-end apps?
Thank you in advance
2 Answers
After searching and getting help from @Kellen Murphy, the best solution to prevent spoofing is to use env variables.
For example, I want to send the USERNAME attribute to my applications.
So, I created a PHP page that can read session data from the header.
Then I started the PHP page with
Then I passed the env variable as a header variable.
Now I can retrieve my attributes by calling the page: https://example.com/Session
You can’t access the attribute directly from client-side. There must be some server-side code. See: How to access Shibboleth SP Attributes in AngularJS Application for a similar request with AngularJS.
Shibboleth SP exposes the attributes as server-variables, and can be accessed from server-side code only, see: Shibboleth Service Provider 3.x Attribute Access (Also, the deprecated but still in wide-deployment NativeSPAttributeAccess for SP v2.x).
You can also allow Shibboleth to expose the attribute data using HTTP request headers via
ShibUseHeaders On
within your Apache config. If your backend is Node.js, you might consider something other than Shibboleth as your SAML service provider, e.g. saml2-js.
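As an added example (not code from either answer), here is the server-side piece both answers describe: a small WSGI endpoint that reads the SP's server variables and returns an allowlisted set of attributes to the front-end, ignoring anything that arrived as an HTTP header so a forged header cannot spoof an attribute. The attribute names `eppn`, `displayName`, `mail` and `affiliation` are assumptions and must match the `id` values in your `attribute-map.xml`.

```python
import json
from typing import Optional

# Assumed attribute ids; they must match the SP's attribute-map.xml.
# Only these names ever reach the front-end.
EXPOSED_ATTRIBUTES = ("eppn", "displayName", "mail", "affiliation")


def shib_attributes(environ: dict) -> Optional[dict]:
    """Collect Shibboleth attributes from server variables only.

    mod_shib sets attributes as Apache environment variables, which reach a
    WSGI app as plain keys in ``environ``. Client-supplied HTTP headers show
    up as ``HTTP_*`` keys and are never consulted here, so a request carrying
    a forged ``displayName:`` header cannot influence the result.
    """
    if not environ.get("Shib-Session-ID"):
        return None  # no active SP session for this request
    attrs = {}
    for name in EXPOSED_ATTRIBUTES:
        value = environ.get(name)
        if value:
            # The SP joins multi-valued attributes with ';'.
            attrs[name] = value.split(";")
    attrs["idp"] = environ.get("Shib-Identity-Provider", "")
    return attrs


def application(environ, start_response):
    """WSGI endpoint the React front-end calls instead of the SP's Session handler."""
    attrs = shib_attributes(environ)
    if attrs is None:
        start_response("401 Unauthorized", [("Content-Type", "application/json")])
        return [b'{"error": "no session"}']
    body = json.dumps(attrs).encode()
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Cache-Control", "no-store")])
    return [body]
```

Mount the endpoint under a location that `require shibboleth` protects in Apache, so the SP has already established the session before the app runs.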