I have a Shibboleth service provider with Apache httpd, and the IdP is sending me the attributes.
So, I am able to retrieve the custom attributes from https://mysp/Shibboleth/Session; all I need is to send a request from the front end (ReactJS) to this link and get all attributes.
Now we are going into the production environment, but this way of retrieving attributes from the session is not recommended for a production environment.
So do you know a way to retrieve the attributes of the authenticated user and forward the data to the front-end apps?
Thank you in advance
After searching and getting help from @Kellen Murphy, the best solution to prevent spoofing is to use env variables.
For example, I want to send the USERNAME attribute to my applications.
So, I created a PHP page that can read session data from the header:
<html>
<head>
<title>Session data</title>
</head>
<body>
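<?php
// The value arrives in the X-USERNAME request header set by Apache.
// Escape it before writing it into the HTML page; an absent header prints nothing.
echo htmlspecialchars($_SERVER["HTTP_X_USERNAME"] ?? "", ENT_QUOTES, "UTF-8");
?>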
</body>
</html>
Then I started the PHP page with:
php -S localhost:9000
Then I passed the env variable as a header variable:
RequestHeader set X-USERNAME %{USERNAME}e
ProxyPass /Session http://localhost:9000
ProxyPassReverse /Session http://localhost:9000
Now I can retrieve my attributes by accessing the page: https://example.com/Session
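An added example, not part of the answer above and not Shibboleth project code: a JSON variant of the PHP page for the ReactJS front end that treats a missing attribute as unauthenticated, since mod_headers expands an unset environment variable to the literal `(null)`. It assumes the RequestHeader and ProxyPass lines above and that Apache and the PHP server run on the same host; the file name `session.php` and the function name `session_response` are hypothetical.

```php
<?php
// Added example, not the answerer's code. Assumes Apache sets X-USERNAME
// with "RequestHeader set X-USERNAME %{USERNAME}e" as shown on this page.

/**
 * Build the response for the front end from the server variables.
 * Returns [HTTP status, payload array].
 */
function session_response(array $server): array
{
    // Only the local Apache proxy may talk to this backend (assumption:
    // the proxy and "php -S localhost:9000" run on one machine).
    $peer = $server['REMOTE_ADDR'] ?? '';
    if ($peer !== '127.0.0.1' && $peer !== '::1') {
        return [403, ['error' => 'direct access not allowed']];
    }

    $username = trim($server['HTTP_X_USERNAME'] ?? '');

    // An unset USERNAME variable reaches us as the literal "(null)",
    // which means "no Shibboleth attribute", not a user name.
    if ($username === '' || $username === '(null)') {
        return [401, ['error' => 'no authenticated user']];
    }

    // Refuse control characters instead of passing them to the client.
    if (preg_match('/[\x00-\x1F\x7F]/', $username)) {
        return [400, ['error' => 'malformed attribute']];
    }

    return [200, ['username' => $username]];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs for an offline run: php session.php
    $samples = [
        ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_USERNAME' => 'jdoe'],
        ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_USERNAME' => '(null)'],
        ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_USERNAME' => 'jdoe'],
    ];
    foreach ($samples as $s) {
        [$status, $body] = session_response($s);
        echo $status, ' ', json_encode($body), PHP_EOL;
    }
} else {
    [$status, $body] = session_response($_SERVER);
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    header('Cache-Control: no-store');
    echo json_encode($body);
}
```

The front end can then treat any non-200 status from /Session as "not signed in" rather than displaying the returned string.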