Posted to user@vcl.apache.org by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu> on 2020/08/17 19:00:37 UTC

RE: [EXTERNAL] Re: ADFS SSO Authentication

Hi Josh,

Do you know if the VCL Shibboleth configuration generates a metadata file? I think that to set up SSO with ADFS, our ADFS will need to send the attributes to Shibboleth since that is what VCL will be expecting for authentication. 

Thanks,

-----Original Message-----
From: Josh Thompson <jo...@ncsu.edu> 
Sent: Monday, August 17, 2020 1:22 PM
To: user@vcl.apache.org
Subject: [EXTERNAL] Re: ADFS SSO Authentication

WARNING: This email originated outside the Hostos campus. Do not click links or open attachments unless you recognize the sender and know the content is safe. Never provide login credentials, financial or sensitive details in response to an email or by clicking on a link. Report suspicious emails to: reportspam@hostos.cuny.edu


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ariel,

I'm not aware of anyone who has used ADFS for authentication.  I have had one partner institution that uses our installation ask about it.  But another group controls our web servers.  So, I didn't pursue it.

If you get it working, I'd really like to hear how it goes.

Thanks,
Josh

On Thursday, August 13, 2020 10:44:11 AM EDT MARTINEZ, ARIEL wrote:
> Hi,
>
> Has anyone used Microsoft ADFS for SSO into VCL? I read the 
> documentation about Shibboleth at 
> https://vcl.apache.org/docs/shibauth.html. I was thinking that I could 
> follow these instructions, simply replacing entries corresponding from our ADFS setup. But I am not sure that would work.
>
> Thanks.
>
> ________________________________
> This email may contain confidential material. If you were not an 
> intended recipient, please notify the sender and delete all copies. 
> Eco-Tip: Think green before you print.

- --
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found on pool.sks-keyservers.net

All electronic mail messages in connection with State business which are sent to or received by this account are subject to the NC Public Records Law and may be disclosed to third parties.
-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQRMIdRtWXideTZDK31X8tBw1209AwUCXzq8uwAKCRBX8tBw1209
A5XtAJ4712eszCuKal63uXvqeDw2Kg/CngCfch79DbYwPo13UyBlnGGrXZ8ht/A=
=pNUU
-----END PGP SIGNATURE-----




Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by Mike Jennings <gm...@ncsu.edu>.
Ok, I would go into your attribute-map.xml file and change the eppn to be
shib_eppn.

Here is an example that we use

    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="SHIB_EPPN">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="SHIB_EPPN">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>

Mike

On Mon, Sep 14, 2020 at 4:46 PM Mike Jennings <gm...@ncsu.edu> wrote:

> Have you looked for any errors in the shibd.log or the transaction.logs of
> the shibboleth service provider.
>
> Also have you tried to add a php file to dump the data in the vcl
> directory that contains
>
> <?php print_r($_SERVER) ?>
>
> and what does that print out
>
> Also can you send me a copy of your attribute-map.xml file
>
> Mike
>
> On Mon, Sep 14, 2020 at 4:35 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu>
> wrote:
>
>> Hi Mike,
>>
>>
>>
>> Both Shibboleth.sso/Status and Shibboleth.sso/Session indicate that the
>> Shibboleth SP appears to be running correctly. I can see eppn, mail and
>> displayname (haven’t included affiliation) in the session after
>> authenticating.
>>
>>
>>
>> I just can’t figure out why the $_SERVER variable does not have any
>> Shibboleth data even though the session is established. Because of this,
>> the authentication in VCL is not working.
>>
>>
>>
>> I have a .htaccess file in /var/www/html/vcl directory with the following:
>>
>>
>>
>> Authtype shibboleth
>>
>> ShibRequireSession off
>>
>> Require shibboleth
>>
>>
>>
>> So when I select the configured  SSO option in the VCL login, I get
>> redirected to my identity provider and it gets redirected back to the /vcl
>> webpage but it doesn’t log in.
>>
>>
>>
>> Thanks
>>
>>
>>
>>
>>
>> *From:* Mike Jennings <gm...@ncsu.edu>
>> *Sent:* Monday, September 14, 2020 11:17 AM
>> *To:* user@vcl.apache.org
>> *Subject:* Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO
>> Authentication
>> *Importance:* Low
>>
>>
>>
>> Martinez,
>>
>>
>>
>> Sorry I am a little late to the game here.
>>
>>
>>
>> It has been a long time since I have worked with a Shibboleth SP.
>>
>>
>>
>> I am currently assuming that you have setup the Shibboleth SP on a Apache
>> HTTPS server.
>>
>>
>>
>> I am assuming that you can do the initial test correctly
>>
>>
>>
>> You can test to ensure that the SP is running properly and the
>> surrounding environment is correct by accessing
>> https://localhost/Shibboleth.sso/Status *from the actual web server
>> machine*. You *MUST* use "localhost" as the hostname or it WILL NOT WORK
>> by default. If this test is successful, then the software is ready for
>> further configuration.
>>
>> You can also access the Status handler from other clients or using a
>> non-localhost name, but *only* if you change the acl parameter in the
>> configuration to permit your client address or remove it entirely to open
>> up access to anybody. The ACL is present by default because the Status
>> handler can return some arguably sensitive information about your
>> configuration.
>>
>>
>>
>>
>>
>> You have the attribute-map.xml configured correctly.  You might need to
>> contact the Shibboleth IdP Administrator to verify he is releasing
>> attributes to your sp and what values need to be modified in that file.
>>
>>
>>
>> Thanks,
>>
>>
>>
>> Mike Jennings
>>
>>
>>
>> On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL <
>> AMARTINEZ@hostos.cuny.edu> wrote:
>>
>> Hi Josh,
>>
>> Thanks for this info. The problem is that there is no 'SHIB_EPPN' in the
>> $_SERVER array. There is no other Shibboleth related entry other than the
>> shib session string HTTP_COOKIE.
>>
>> Not sure how to correct this. How can the required entry be made to be
>> included in the array?
>>
>> Thanks
>>
>> On Sep 11, 2020 5:39 PM, Josh Thompson <jo...@ncsu.edu> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hi Ariel,
>>
>> Toward the top of initGlobals in utils.php, there is a small block of code
>> that tests conditions for each authentication method if the user is not
>> logged
>> in, and if that authentication method's test function returns true, it
>> will
>> then call that authentication method's authentication function.  It's the
>> "else" block that starts on line 176 of the 2.5.1 release.
>>
>> The shibauth.php module uses testShibAuth as the test function.  All it
>> does
>> is to check for $_SERVER['SHIB_EPPN'] being set.  If it is not set, it
>> will
>> not attempt to authenticate the user using Shibboleth.  An easy way to
>> test
>> this is to temporarily put a file in the same directory as the main VCL
>> index.php directory that just has this in it:
>>
>> <?php
>> print "<pre>\n";
>> print_r($_SERVER);
>> print "</pre>\n";
>> ?>
>>
>> Don't leave the file in there beyond the testing since it can disclose
>> various
>> information about your system.
>>
>> If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found
>> your
>> problem.  If your Shibboleth configuration is using something different
>> than
>> 'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php.
>>
>> The VCL php code doesn't log anywhere other than where php errors would be
>> going.  Look in to configuring php errors for httpd to get that set up.
>> My
>> experience has been that systems generally don't log php errors anywhere
>> by
>> default.
>>
>> Josh
>>
>> On Thursday, September 10, 2020 1:47:09 PM EDT MARTINEZ, ARIEL wrote:
>> > I have been looking further into the shibauth.php file to see what is
>> > supposed to happen when a shibboleth login happens. For starters, it
>> > creates an affiliation in the affiliation table if it does not find one
>> > from the attributes received from the identity provider. However it
>> doesn't
>> > seem to be executing that code. It at the very least should have
>> generated
>> > an error message when trying to automatically create an affiliation if
>> it
>> > failed.
>> >
>> > Is there any way to troubleshoot shibauth.php to see what is happening?
>> Or
>> > is this particular function logged somewhere in particular?
>> >
>> > Thanks.
>> >
>> >
>> > -----Original Message-----
>> > From: MARTINEZ, ARIEL
>> > Sent: Sunday, August 30, 2020 1:11 PM
>> > To: 'user@vcl.apache.org' <us...@vcl.apache.org>
>> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>> >
>> > I don't know what else to really try because as far as Shibboleth is
>> > concerned, it appears to be working. So I went to the
>> > /Shibboleth.sso/Session URL after logging in and the following is
>> > displayed, I replaced some values that should not be public:
>> >
>> > Miscellaneous
>> > Session Expiration (barring inactivity): 478 minute(s) Client Address:
>> > (xx.xx.xx.xxx) SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
>> Identity
>> > Provider: (idp entity ID)
>> > Authentication Time: 2020-08-30T16:54:23.787Z Authentication Context
>> Class:
>> > urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
>> > Authentication Context Decl: (none)
>> >
>> > Attributes
>> > affiliation: member@domain.com
>> > eppn: USER@domain.com;user@domain.com
>> > upn: USER@domain.com
>> >
>> >
>> > Unless eppn should not have two values, as far as I can tell, the proper
>> > values required by VCL are present. In the VCL database affiliation
>> table,
>> > I have populated an existing VCL Affiliation that is configured to use
>> LDAP
>> > with the domain.com value under shibname. I also tried creating a new
>> > affiliation setting shibonly to 1
>> >
>> > I still get the same behavior where, after selecting the Shibboleth
>> > authentication method and signing in at my idp, it gets redirected back
>> to
>> > the /vcl directory to choose an authentication method.
>> >
>> >
>> > -----Original Message-----
>> > From: MARTINEZ, ARIEL
>> > Sent: Thursday, August 27, 2020 3:00 PM
>> > To: 'user@vcl.apache.org' <us...@vcl.apache.org>
>> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>> >
>> > After login nothing is happening still. So I moved the test.php file
>> from
>> > the old Shibboleth instructions to my main VCL directory and set the
>> > conf.php file to redirect to this file after login and the attributes
>> are
>> > all undefined.
>> >
>> > Is this sufficient to say with a high level of certainty that my IDP is
>> not
>> > sending VCL what it is expecting? Or is the test.php not meant to work
>> that
>> > way?
>> >
>> > Thanks
>> >
>> > -----Original Message-----
>> > From: MARTINEZ, ARIEL
>> > Sent: Wednesday, August 26, 2020 11:14 AM
>> > To: user@vcl.apache.org
>> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>> >
>> > Hi Josh,
>> >
>> > Last question before I try again, there is no shibboleth affiliation in
>> my
>> > VCL database. So should I be creating a new affiliation for shibboleth
>> and
>> > populating the shibname field, or should I use the existing LDAP
>> configured
>> > affiliation and populate its shibname field?
>> >
>> > Thanks
>> >
>> > -----Original Message-----
>> > From: Josh Thompson <jo...@ncsu.edu>
>> > Sent: Wednesday, August 26, 2020 11:04 AM
>> > To: user@vcl.apache.org
>> > Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>>
>> - --
>> - -------------------------------
>> Josh Thompson
>> VCL Developer
>> North Carolina State University
>>
>> my GPG/PGP key can be found on pool.sks-keyservers.net
>>
>> All electronic mail messages in connection with State business which
>> are sent to or received by this account are subject to the NC Public
>> Records Law and may be disclosed to third parties.
>> -----BEGIN PGP SIGNATURE-----
>>
>> iF0EARECAB0WIQRMIdRtWXideTZDK31X8tBw1209AwUCX1vuhwAKCRBX8tBw1209
>> A8DxAJ96eWpTyUnduFw9TVnbqelq8Xyt2ACfUmfmuBolOE+Agkt6ZfQVJ4HjO48=
>> =jMJR
>> -----END PGP SIGNATURE-----
>>
>>
>>
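
The checks discussed in the thread above (testShibAuth looking for $_SERVER['SHIB_EPPN'], the id set in attribute-map.xml, a Shib-Session-ID being present) collected into an added PHP example. This is not code from the VCL project or from anyone in this thread; the function names shibEntries, shibValues and shibAuthReady are this example's own, the sample array is constructed, and the remark about the scope and the affiliation table's shibname column follows what the thread says rather than the VCL source. It goes beyond the thread's print_r($_SERVER) test in two ways: it prints only the Shibboleth-related keys, so it discloses less of the environment if the file is forgotten, and it splits the ';'-joined multi-valued eppn that Ariel's Shibboleth.sso/Session output showed.

```php
<?php
// Added example, not code from the VCL project or from anyone in this thread.
// A narrower diagnostic than print_r($_SERVER): it prints only the
// Shibboleth-related entries and reports whether the attribute the thread
// says VCL's testShibAuth looks for (SHIB_EPPN) is present and well-formed.

/** Return only the Shibboleth SP exports from a $_SERVER-like array. */
function shibEntries(array $server): array
{
    $out = [];
    foreach ($server as $key => $value) {
        // Attribute ids from attribute-map.xml (SHIB_*) and the SP's session
        // variables (Shib-*); REDIRECT_ copies appear when mod_rewrite is in play.
        if (preg_match('/^(REDIRECT_)?(SHIB_|Shib-)/', $key)) {
            $out[$key] = $value;
        }
    }
    return $out;
}

/** Split a multi-valued attribute: the SP joins values with ';'. */
function shibValues(string $raw): array
{
    $parts = array_map('trim', explode(';', $raw));
    return array_values(array_filter($parts, 'strlen'));
}

/**
 * Check the precondition described in the thread: $_SERVER['SHIB_EPPN'] set.
 * Goes a little further and checks that the value is a single scoped eppn
 * (user@scope), because the scope is what the thread says is matched against
 * the affiliation table's shibname column.
 */
function shibAuthReady(array $server): array
{
    $r = [
        'session'  => isset($server['Shib-Session-ID']) && $server['Shib-Session-ID'] !== '',
        'eppn'     => null,
        'scope'    => null,
        'problems' => [],
    ];
    if (!isset($server['SHIB_EPPN']) || $server['SHIB_EPPN'] === '') {
        $r['problems'][] = 'SHIB_EPPN is not in $_SERVER: check id="SHIB_EPPN" in '
            . 'attribute-map.xml and that the VCL directory has AuthType shibboleth';
        $r['ok'] = false;
        return $r;
    }
    $values = shibValues($server['SHIB_EPPN']);
    if (count($values) !== 1) {
        $r['problems'][] = 'SHIB_EPPN has ' . count($values) . ' values; the IdP should release one';
    }
    $eppn = $values[0] ?? '';
    $r['eppn'] = $eppn;
    $at = strrpos($eppn, '@');
    if ($at === false || $at === 0 || $at === strlen($eppn) - 1) {
        $r['problems'][] = 'SHIB_EPPN is not a scoped value of the form user@scope';
    } else {
        $r['scope'] = strtolower(substr($eppn, $at + 1));
    }
    if (!$r['session']) {
        $r['problems'][] = 'no Shib-Session-ID: the request did not pass through mod_shib';
    }
    $r['ok'] = $r['problems'] === [];
    return $r;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample modelled on the session shown in the thread
    // (two eppn values differing only in case, one affiliation value).
    $sample = [
        'Shib-Session-ID'  => '_constructed-session-id',
        'SHIB_EPPN'        => 'USER@domain.com;user@domain.com',
        'SHIB_AFFILIATION' => 'member@domain.com',
        'HTTP_HOST'        => 'vcl.example.edu',   // not Shibboleth-related, filtered out
    ];
    print_r(shibEntries($sample));
    print_r(shibAuthReady($sample));
} else {
    // As a web script: plain text, Shibboleth entries only, never the whole environment.
    header('Content-Type: text/plain');
    print_r(shibEntries($_SERVER));
    print_r(shibAuthReady($_SERVER));
}
```

Dropped into the VCL directory it answers the question Josh and Mike both asked (is SHIB_EPPN in $_SERVER at all, and is there a session) without dumping database paths, cookies or the rest of the environment; run from the command line it exercises the same functions against the constructed sample, where the two ';'-joined eppn values are reported as a problem.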

Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
I think I might have figured out the issue. "Undefined offset: 5" seems to indicate that element 5 in the array does not exist. So I looked at the tmparr[] in authentication.php and, to confirm, I output the values of tmparr[4] and tmparr[5] to the error log: 4 is correct, and 5 is empty. The array is only of size 4.

I changed the code that sets $shibauthed to $tmparr[4], and everything seems to be working now.  

if(count($tmparr) > 4) {
		$shibauthed = $tmparr[4];
}


I am not sure if this would affect anything else, or if this is just a specific error in our setup, but hopefully this narrows things down considerably for your review.

Thanks
________________________________________
From: MARTINEZ, ARIEL
Sent: Wednesday, September 30, 2020 5:22 PM
To: Josh Thompson
Cc: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Hi Josh,

Thanks for that, I was able to get the log information, in short, yes, variables from line 94 are being output to the log:

Sep 30 17:13:13 hccVCLWeb01 shibboleth: tmp: >amartinez@HOSTOSCUNY|10.32.14.218|1601536222|shibboleth|11<



Sep 30 17:13:13 hccVCLWeb01 shibboleth: PHP Notice:  Undefined offset: 5 in /var/www/html/vcl-2.5.1/.ht-inc/authentication.php on line 111
Sep 30 17:13:13 hccVCLWeb01 shibboleth: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1#012SELECT ts FROM shibauth WHERE id = #012ERROR(101): General MySQL error#012Mode was viewRequests#012#012#012Backtrace:#012=-=-=-=-=-=-=-=-=-=-=-=#012Call#:1 => index.php:initGlobals() (line#:60)#012Call#:2 => utils.php:readAuthCookie() (line#:172)#012Call#:3 => authentication.php:doQuery() (line#:115)#012#012Backtrace with Arguments:#012=-=-=-=-=-=-=-=-=-=-=-=#012Call#:1 => index.php:initGlobals() (line#:60)#012Arguments(none):#012-----------------------#012Call#:2 => utils.php:readAuthCookie() (line#:172)#012Arguments(none):#012-----------------------#012Call#:3 => authentication.php:doQuery() (line#:115)#012Arguments(2)#012#012Argument#: 1 => SELECT ts FROM shibauth WHERE id = #012Argument#: 2 => 101#012-----------------------
Sep 30 17:13:13 hccVCLWeb01 shibboleth: PHP Fatal error:  Call to undefined function getFooter() in /var/www/html/vcl-2.5.1/.ht-inc/utils.php on line 14234

________________________________________
From: Josh Thompson <jo...@ncsu.edu>
Sent: Wednesday, September 30, 2020 12:42 PM
To: MARTINEZ, ARIEL
Cc: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Hi Ariel,

Sorry, I assumed the errors you included before were from a php error log.  By
default, I think logging of errors is off.  You'll need to modify php.ini to
enable logging.  Modify /etc/php.ini and configure it to log to syslog.
You'll also need to ensure log_errors is set to On.

log_errors = On
error_log = syslog

httpd will need to be restarted after saving the changes to php.ini

Josh

On Tuesday, September 29, 2020 5:08:55 PM EDT you wrote:
> Hi Josh,
>
> I added the line but could not find where php would be logging the errors.
> It wasn't inside of /var/log/httpd and I didn't find anything php specific
> outside. In a default installation, where would this be logged to?

> I checked Shib_Session_ID after the error and it is populated.
>
> Thanks
>
> -----Original Message-----
> From: Josh Thompson <jo...@ncsu.edu>
> Sent: Tuesday, September 29, 2020 4:28 PM
> To: user@vcl.apache.org
> Cc: MARTINEZ, ARIEL <AM...@hostos.cuny.edu>
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> Importance: Low
>

--
-------------------------------
Josh Thompson
Systems Programmer
Virtual Computing Lab (VCL)
North Carolina State University

Josh_Thompson@ncsu.edu
919-515-5323

my GPG/PGP key can be found on pool.sks-keyservers.net

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
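
Ariel's fix in this post concerns the optional fifth field of the VCLAUTH cookie payload. The following is an added PHP example, not VCL's authentication.php and not code from anyone in the thread; the function names (parseAuthCookieOffByOne, parseAuthCookie, shibauthQuery), the constants and the sample cookie strings are constructed, and the IP and timestamp validation is this example's own addition rather than documented VCL behaviour. It places the off-by-one read that produced "Undefined offset: 5" next to a checked parse that never builds the "SELECT ts FROM shibauth WHERE id = " query from an empty field.

```php
<?php
// Added example, not VCL's authentication.php. It parses the VCLAUTH cookie
// payload as the thread describes it,
//     $loginid|$remoteIP|$ts|$authtype|$shibauthid   (shibauthid optional)
// and contrasts the off-by-one read behind "Undefined offset: 5" and the
// empty "SELECT ts FROM shibauth WHERE id = " query with a checked parse.
// The IP and timestamp checks are this example's own hygiene, not VCL behaviour.

const AUTH_FIELDS_MIN = 4;   // loginid, remoteIP, ts, authtype
const SHIBAUTH_OFFSET = 4;   // fifth field: zero-based offset 4, not 5

/**
 * The failing pattern from the thread: five fields are present (offsets 0..4)
 * but the code reads offset 5, so $shibauthed is null and the query is built
 * with nothing after "id =". Kept only to show the symptom.
 */
function parseAuthCookieOffByOne(string $tmp): array
{
    $tmparr = explode('|', $tmp);
    $shibauthed = $tmparr[5] ?? null;   // without "?? null" PHP logs "Undefined offset: 5"
    return [
        'shibauthid' => $shibauthed,
        'query'      => 'SELECT ts FROM shibauth WHERE id = ' . $shibauthed,
    ];
}

/**
 * Checked parse: returns null (treat as not logged in) rather than building a
 * query from a missing or non-numeric field.
 */
function parseAuthCookie(string $tmp): ?array
{
    $tmparr = explode('|', $tmp);
    if (count($tmparr) < AUTH_FIELDS_MIN) {
        return null;
    }
    [$loginid, $remoteIP, $ts, $authtype] = $tmparr;
    if ($loginid === '' || !ctype_digit($ts)
        || filter_var($remoteIP, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $shibauthid = null;
    if ($authtype === 'shibboleth') {
        // Shibboleth logins must carry the shibauth row id; it is interpolated
        // into SQL, so accept only a positive integer.
        $raw = $tmparr[SHIBAUTH_OFFSET] ?? '';
        if (!ctype_digit($raw) || $raw === '0') {
            return null;
        }
        $shibauthid = (int) $raw;
    }
    return [
        'loginid'    => $loginid,
        'remoteIP'   => $remoteIP,
        'ts'         => (int) $ts,
        'authtype'   => $authtype,
        'shibauthid' => $shibauthid,
    ];
}

/** Build the lookup only when a validated id exists. */
function shibauthQuery(?array $auth): ?string
{
    if ($auth === null || $auth['shibauthid'] === null) {
        return null;
    }
    return 'SELECT ts FROM shibauth WHERE id = ' . $auth['shibauthid'];
}

if (PHP_SAPI === 'cli') {
    // Constructed samples following the format of the thread's logged value
    // (">login|ip|ts|shibboleth|11<"); names and addresses are made up.
    $shib  = 'jdoe@EXAMPLE|192.0.2.10|1601536222|shibboleth|11';
    $local = 'jdoe@EXAMPLE|192.0.2.10|1601536222|local';
    $bad   = 'jdoe@EXAMPLE|192.0.2.10|1601536222|shibboleth';   // id field missing

    print_r(parseAuthCookieOffByOne($shib));            // the off-by-one path
    print_r(parseAuthCookie($shib));                    // the checked path
    var_dump(shibauthQuery(parseAuthCookie($shib)));    // query built from the validated id
    var_dump(parseAuthCookie($local));                  // non-Shibboleth login, no id needed
    var_dump(parseAuthCookie($bad));                    // rejected, so no query is built
}
```

The point of the checked version is that a malformed or truncated cookie degrades to "not logged in" instead of reaching the database with a half-built statement, which is also what turns the thread's MariaDB syntax error and the follow-on fatal error into a single, quiet re-login.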

Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
Hi Josh,

Thanks for that, I was able to get the log information, in short, yes, variables from line 94 are being output to the log:

Sep 30 17:13:13 hccVCLWeb01 shibboleth: tmp: >amartinez@HOSTOSCUNY|10.32.14.218|1601536222|shibboleth|11<



Sep 30 17:13:13 hccVCLWeb01 shibboleth: PHP Notice:  Undefined offset: 5 in /var/www/html/vcl-2.5.1/.ht-inc/authentication.php on line 111
Sep 30 17:13:13 hccVCLWeb01 shibboleth: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1#012SELECT ts FROM shibauth WHERE id = #012ERROR(101): General MySQL error#012Mode was viewRequests#012#012#012Backtrace:#012=-=-=-=-=-=-=-=-=-=-=-=#012Call#:1 => index.php:initGlobals() (line#:60)#012Call#:2 => utils.php:readAuthCookie() (line#:172)#012Call#:3 => authentication.php:doQuery() (line#:115)#012#012Backtrace with Arguments:#012=-=-=-=-=-=-=-=-=-=-=-=#012Call#:1 => index.php:initGlobals() (line#:60)#012Arguments(none):#012-----------------------#012Call#:2 => utils.php:readAuthCookie() (line#:172)#012Arguments(none):#012-----------------------#012Call#:3 => authentication.php:doQuery() (line#:115)#012Arguments(2)#012#012Argument#: 1 => SELECT ts FROM shibauth WHERE id = #012Argument#: 2 => 101#012-----------------------
Sep 30 17:13:13 hccVCLWeb01 shibboleth: PHP Fatal error:  Call to undefined function getFooter() in /var/www/html/vcl-2.5.1/.ht-inc/utils.php on line 14234

________________________________________
From: Josh Thompson <jo...@ncsu.edu>
Sent: Wednesday, September 30, 2020 12:42 PM
To: MARTINEZ, ARIEL
Cc: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Hi Ariel,

Sorry, I assumed the errors you included before were from a php error log.  By
default, I think logging of errors is off.  You'll need to modify php.ini to
enable logging.  Modify /etc/php.ini and configure it to log to syslog.
You'll also need to ensure log_errors is set to On.

log_errors = On
error_log = syslog

httpd will need to be restarted after saving the changes to php.ini

Josh

On Tuesday, September 29, 2020 5:08:55 PM EDT you wrote:
> Hi Josh,
>
> I added the line but could not find where php would be logging the errors.
> It wasn't inside of /var/log/httpd and I didn't find anything php specific
> outside. In a default installation, where would this be logged to?

> I checked Shib_Session_ID after the error and it is populated.
>
> Thanks
>
> -----Original Message-----
> From: Josh Thompson <jo...@ncsu.edu>
> Sent: Tuesday, September 29, 2020 4:28 PM
> To: user@vcl.apache.org
> Cc: MARTINEZ, ARIEL <AM...@hostos.cuny.edu>
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> Importance: Low
>

--
-------------------------------
Josh Thompson
Systems Programmer
Virtual Computing Lab (VCL)
North Carolina State University

Josh_Thompson@ncsu.edu
919-515-5323

my GPG/PGP key can be found on pool.sks-keyservers.net

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.

Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by Josh Thompson <jo...@ncsu.edu>.
Hi Ariel,

Sorry, I assumed the errors you included before were from a php error log.  By 
default, I think logging of errors is off.  You'll need to modify php.ini to 
enable logging.  Modify /etc/php.ini and configure it to log to syslog.  
You'll also need to ensure log_errors is set to On.

log_errors = On
error_log = syslog

httpd will need to be restarted after saving the changes to php.ini

Josh

On Tuesday, September 29, 2020 5:08:55 PM EDT you wrote:
> Hi Josh,
> 
> I added the line but could not find where php would be logging the errors.
> It wasn't inside of /var/log/httpd and I didn't find anything php specific
> outside. In a default installation, where would this be logged to?
 
> I checked Shib_Session_ID after the error and it is populated.
> 
> Thanks
> 
> -----Original Message-----
> From: Josh Thompson <jo...@ncsu.edu> 
> Sent: Tuesday, September 29, 2020 4:28 PM
> To: user@vcl.apache.org
> Cc: MARTINEZ, ARIEL <AM...@hostos.cuny.edu>
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> Importance: Low
> 

-- 
-------------------------------
Josh Thompson
Systems Programmer
Virtual Computing Lab (VCL)
North Carolina State University

Josh_Thompson@ncsu.edu
919-515-5323

my GPG/PGP key can be found on pool.sks-keyservers.net

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.

RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
Hi Josh,

I added the line but could not find where php would be logging the errors. It wasn't inside of /var/log/httpd and I didn't find anything php specific outside. In a default installation, where would this be logged to?

I checked Shib_Session_ID after the error and it is populated.

Thanks

-----Original Message-----
From: Josh Thompson <jo...@ncsu.edu> 
Sent: Tuesday, September 29, 2020 4:28 PM
To: user@vcl.apache.org
Cc: MARTINEZ, ARIEL <AM...@hostos.cuny.edu>
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ariel,

The fact that you can go through the authentication and get back to VCL logged in means the Shibboleth authentication part is at least mostly working.

Can you log out of VCL and then ensure the VCLAUTH cookie has been deleted?  
Then, in authentication.php, after line 94 which should be:

   # $loginid|$remoteIP|$ts|$authtype|$shibauthid (shibauthd optional)

add

error_log("tmp: >{$tmp}<");

Next, log in and click on somewhere that is giving an error.  Finally, check your php error log to see what the value of $tmp was.  The >< characters are just to provide some visual delimiters in the log file so you know if any whitespace was included at the beginning or end.  $tmp should be the values associated with the variables listed from line 94 listed above.  It sounds like there's a problem with $shibauthid.

$shibauthid is related to a record inserted into the database that also includes a value from $_SERVER['Shib-Session-ID'].  Can you tell if Shib- Session-ID is available in $_SERVER?

Josh

On Friday, September 25, 2020 12:39:03 PM EDT MARTINEZ, ARIEL wrote:
> I think I confused SHIB_AFFILIATION with AD groups. But I have now 
> confirmed that the SHIB_AFFILIATION is being populated from my idp. I 
> logged in locally to VCL and I saw it created an allusers group and a 
> shib-member group, and the account I used to log in is a member of it. 
> I gave it the same permissions as my AD group from the LDAP 
> configuration and proceeded to test again. But I am still getting an error page after I log in.
> 
> 
> This time the httpd ssl_error_log logged the following, and no longer 
> refers to shib affiliation:
> 
> 
> [Fri Sep 25 12:32:23.943499 2020] [:error] [pid 8232] [client 
> 10.32.14.218:52076] PHP Notice:  Undefined offset: 5 in 
> /var/www/html/vcl-2.5.1/.ht-inc/authentication.php on line 110, referer:
> https://vcl.hostos.cuny.edu/vcl/ [Fri Sep 25 12:32:23.944325 2020] 
> [:error] [pid 8232] [client 10.32.14.218:52076] You have an error in 
> your SQL syntax; check the manual that corresponds to your MariaDB 
> server version for the right syntax to use near '' at line 1\nSELECT 
> ts FROM shibauth WHERE id = \nERROR(101): General MySQL error\nMode 
> was
> viewRequests\n\n\nBacktrace:\n=-=-=-=-=-=-=-=-=-=-=-=\nCall#:1 =>
> index.php:initGlobals() (line#:60)\nCall#:2 => 
> utils.php:readAuthCookie()
> (line#:172)\nCall#:3 => authentication.php:doQuery() 
> (line#:114)\n\nBacktrace with 
> Arguments:\n=-=-=-=-=-=-=-=-=-=-=-=\nCall#:1
> => index.php:initGlobals()
> (line#:60)\nArguments(none):\n-----------------------\nCall#:2 =>
> utils.php:readAuthCookie()
> (line#:172)\nArguments(none):\n-----------------------\nCall#:3 =>
> authentication.php:doQuery() (line#:114)\nArguments(2)\n\nArgument#: 1 
> => SELECT ts FROM shibauth WHERE id = \nArgument#: 2 => 
> 101\n-----------------------\n, referer: 
> https://vcl.hostos.cuny.edu/vcl/ [Fri Sep 25 12:32:24.012667 2020] 
> [:error] [pid 8232] [client 10.32.14.218:52076] PHP Fatal error:  Call 
> to undefined function
> getFooter() in /var/www/html/vcl-2.5.1/.ht-inc/utils.php on line 
> 14234,
> referer: https://vcl.hostos.cuny.edu/vcl/
> 
> ________________________________
> From: MARTINEZ, ARIEL
> Sent: Thursday, September 24, 2020 3:29 PM
> To: user@vcl.apache.org
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO 
> Authentication
> 
> Hi Mike,
> 
> Just to understand better, I intend to use Active Directory groups to 
> handle permissions in VCL. I already have some defined in a VCL 
> affiliation that is configured for LDAP.  How would I go about 
> configuring the same via the Shibboleth login? Would I need to add 
> SHIB_AFFILIATION values into the VCL configuration?
> 
> I was trying to just use the ldap memberof attribute and transform the 
> claim in my idp to SHIB_AFFILIATION, but I’m not sure if that is what 
> VCL requires or is expecting, as each of our users would have multiple values.
> 
> Thanks
> 
> From: Mike Jennings <gm...@ncsu.edu>
> Sent: Thursday, September 24, 2020 2:53 PM
> To: user@vcl.apache.org
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO 
> Authentication
> Importance: Low
> 
> You will need to go into your attribute map and change affiliation to 
> shib_affiliation like you did for shib_eppn.  This should make the 
> attributes map correctly.
> 
> Mike
> 
> On Thu, Sep 24, 2020 at 1:28 PM MARTINEZ, ARIEL 
> <AM...@hostos.cuny.edu> wrote: I
> have more troubleshooting information that may help. In shib.conf, I 
> created a location block as follows:
> 
> 
> <Location /vcl>
>   AuthType shibboleth
>   ShibRequestSetting requireSession false
>   require shibboleth
> </Location>
> 
> 
> Doing so allows me to log into VCL, but when I click on any of the 
> menu items I get a VCL error page: " An error has occured. If this 
> problem persists, please email 
> vcl_help@example.org
> for further assistance. Please include the steps you took that led up 
> to this problem in your email message."
> 
> 
> 
> In the ssl_error_log inside of /var/log/httpd I see the following, 
> which the first error is "undefined index: SHIB_AFFILIATION". I 
> checked the affiliation database and it did create an entry on its own.
> 
> 
> 
> 
> [Thu Sep 24 13:21:01.827984 2020] [:error] [pid 15823] [client 
> 10.32.14.218:56400] PHP Notice:  Undefined
> index: SHIB_AFFILIATION in
> /var/www/html/vcl-2.5.1/.ht-inc/authmethods/shibauth.php on line 180,
> referer: https://login.hostos.cuny.edu/ [Thu Sep 24 13:21:15.542646 
> 2020] [:error] [pid 15820] [client 
> 10.32.14.218:56406]
> PHP Notice:  Undefined offset: 5 in
> /var/www/html/vcl-2.5.1/.ht-inc/authentication.php on line 110, referer:
> https://vcl.hostos.cuny.edu/vcl/ [Thu Sep 24 13:21:15.543446 2020] 
> [:error] [pid 15820] [client 
> 10.32.14.218:56406] You have an error in
> your SQL syntax; check the manual that corresponds to your MariaDB 
> server version for the right syntax to use near '' at line 1\nSELECT 
> ts FROM shibauth WHERE id = \nERROR(101): General MySQL error\nMode 
> was
> viewRequests\n\n\nBacktrace:\n=-=-=-=-=-=-=-=-=-=-=-=\nCall#:1 =>
> index.php:initGlobals() (line#:60)\nCall#:2 => 
> utils.php:readAuthCookie()
> (line#:172)\nCall#:3 => authentication.php:doQuery() 
> (line#:114)\n\nBacktrace with 
> Arguments:\n=-=-=-=-=-=-=-=-=-=-=-=\nCall#:1
> => index.php:initGlobals()
> (line#:60)\nArguments(none):\n-----------------------\nCall#:2 =>
> utils.php:readAuthCookie()
> (line#:172)\nArguments(none):\n-----------------------\nCall#:3 =>
> authentication.php:doQuery() (line#:114)\nArguments(2)\n\nArgument#: 1 
> => SELECT ts FROM shibauth WHERE id = \nArgument#: 2 => 
> 101\n-----------------------\n, referer: 
> https://vcl.hostos.cuny.edu/vcl/ [Thu Sep 24 13:21:15.610025 2020] 
> [:error] [pid 15820] [client 
> 10.32.14.218:56406] PHP Fatal error:  Call
> to undefined function getFooter() in 
> /var/www/html/vcl-2.5.1/.ht-inc/utils.php
> on line 14234, referer: https://vcl.hostos.cuny.edu/vcl/
> 
> 
> ________________________________
> From: MARTINEZ, ARIEL
> Sent: Thursday, September 24, 2020 11:36 AM
> To: user@vcl.apache.org
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO 
> Authentication
> 
> I finally got Shibboleth to work properly on the default /secure 
> directory, and the Shibboleth attributes in $_SERVER are now present, 
> including SHIB_EPPN. However, after authenticating, I am still getting 
> back to the VCL login page.
> 
> I double checked the httpd.conf and shib.conf for any other blocks 
> that may be enforcing Shibboleth and the only one is in .htaccess in 
> the /vcl directory with the following lines:
> 
> AuthType shibboleth
> ShibRequireSession Off
> require shibboleth
> 
> In the affiliation database I set the shibname back to null on an 
> exsiting affiliation, so everything is back to default settings per se.
> 
> 
> Should I retry the shibboleth instructions using the /shibauth 
> directory or do you think I should try something else?
> 
> Thanks
> 
> 
> 
> 
> From: Mike Jennings <gm...@ncsu.edu>
> Sent: Monday, September 14, 2020 6:21 PM
> To: user@vcl.apache.org
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO 
> Authentication
> Importance: Low
> 
> 
> You might want to look at this documentation
> 
> Mike
> 
> https://wiki.shibboleth.net/confluence/display/SP3/ADFS
> 
> 
> 
> On Mon, Sep 14, 2020 at 6:17 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
> The idp is ADFS. I don't see a RequestMap block in shibboleth2.xml so 
> I attached a copy replacing values with MYDOMAIN
> 
> 
> 
> 
> 
> Thanks
> 
> 
> 
> ________________________________
> 
> From: Mike Jennings <gm...@ncsu.edu>
> 
> Sent: Monday, September 14, 2020 5:59 PM
> 
> To: user@vcl.apache.org
> 
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO 
> Authentication
> 
> 
> 
> Can you tell me what your RequestMap section looks like in your 
> shibboleth2.xml file
> 
> 
> 
> On Mon, Sep 14, 2020 at 5:57 PM Mike Jennings <gm...@ncsu.edu> wrote:
> 
> Nope you should not....
> 
> 
> 
> Are you running a shibboleth idp or a adfs
> 
> 
> 
> Mike
> 
> 
> 
> On Mon, Sep 14, 2020 at 5:18 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
> 
> Tried that, but same result.
> 
> 
> 
> In Shibboleth2.xml file, should REMOTE_USER = “eduPersonPrincipalName” 
> be changed to SHIB_EPPN as well?
> 
> 
> 
> Thanks
> 
> 
> 
> From: Mike Jennings <gm...@ncsu.edu>
> Sent: Monday, September 14, 2020 5:14 PM
> To: user@vcl.apache.org
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> Importance: Low
> 
> 
> 
> try setting ShibRequireSession On
> 
> 
> 
> Mike
> 
> 
> 
> On Mon, Sep 14, 2020 at 5:07 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
> 
> I made the change but it still doesn’t show up in $_SERVER.
> Shibboleth.sso/Session now shows SHIB_EPPN for the attribute name 
> after updating the attribute map xml
> 
> 
> 
> Thanks
> 
> 
> 
> 
> 
> From: Mike Jennings <gm...@ncsu.edu>
> Sent: Monday, September 14, 2020 5:02 PM
> To: user@vcl.apache.org
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> Importance: Low
> 
> 
> 
> Yes, after checking the attribute-map.xml file that you sent me, 
> change the eppn lines to SHIB_EPPN and then reboot the shibd process....
> 
> 
> 
> This should pick up the changes in the attribute map and make things work.
> 
> 
> 
> Mike
> 
> 
> 
> On Mon, Sep 14, 2020 at 5:00 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
> 
> Yes, I looked through the shibd.log initially and it looked normal, with no 
> errors that would give a clue to what is happening. I have a test.php 
> file in the vcl directory and it prints out many variables except for 
> anything related to Shibboleth. I've attached the attribute-map.xml file.
> 
> 
> 
> 
> 
> Thanks
> 
> 
> 
> ________________________________
> 
> From: Mike Jennings <gm...@ncsu.edu>
> Sent: Monday, September 14, 2020 4:46 PM
> To: user@vcl.apache.org
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> 
> 
> 
> Have you looked for any errors in the shibd.log or the 
> transaction.logs of the Shibboleth service provider?
> 
> 
> 
> Also have you tried to add a php file to dump the data in the vcl 
> directory that contains
> 
> 
> 
> <?php print_r($_SERVER) ?>
> 
> 
> 
> and what does that print out
> 
> 
> 
> Also can you send me a copy of your attribute-map.xml file
> 
> 
> 
> Mike
> 
> 
> 
> On Mon, Sep 14, 2020 at 4:35 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
> 
> Hi Mike,
> 
> 
> 
> Both Shibboleth.sso/Status and Shibboleth.sso/Session indicate that 
> the Shibboleth SP appears to be running correctly. I can see eppn, 
> mail and displayname (haven’t included affiliation) in the session 
> after authenticating.
> 
> 
> 
> I just can’t figure out why the $_SERVER variable does not have any 
> Shibboleth data even though the session is established. Because of 
> this, the authentication in VCL is not working.
> 
> 
> 
> I have a .htaccess file in /var/www/html/vcl directory with the following:
> 
> 
> 
> Authtype shibboleth
> 
> ShibRequireSession off
> 
> Require shibboleth
> 
> 
> 
> So when I select the configured SSO option in the VCL login, I get 
> redirected to my identity provider and it gets redirected back to the 
> /vcl webpage but it doesn’t log in.
> 
> 
> 
> Thanks
> 
> 
> 
> 
> 
> From: Mike Jennings <gm...@ncsu.edu>
> 
> Sent: Monday, September 14, 2020 11:17 AM
> 
> To: user@vcl.apache.org
> 
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> 
> Importance: Low
> 
> 
> 
> Martinez,
> 
> 
> 
> Sorry I am a little late to the game here.
> 
> 
> 
> It has been a long time since I have worked with a Shibboleth SP.
> 
> 
> 
> I am currently assuming that you have set up the Shibboleth SP on an 
> Apache HTTPS server.
> 
> 
> 
> I am assuming that you can do the initial test correctly
> 
> 
> 
> 
> 
> You can test to ensure that the SP is running properly and the 
> surrounding environment is correct by accessing 
> https://localhost/Shibboleth.sso/Status
> from the actual web server machine. You MUST use "localhost" as the 
> hostname or it WILL NOT WORK by default. If this test is successful, 
> then the software is ready for further configuration.
> 
> 
> 
> You can also access the Status handler from other clients or using a 
> non-localhost name, but only if you change the acl parameter in the 
> configuration to permit your client address or remove it entirely to 
> open up access to anybody. The ACL is present by default because the 
> Status handler can return some arguably sensitive information about 
> your configuration.
> 
> 
> 
> 
> 
> You have the attribute-map.xml configured correctly.  You might need 
> to contact the Shibboleth IdP Administrator to verify he is releasing 
> attributes to your sp and what values need to be modified in that file.
> 
> 
> 
> Thanks,
> 
> 
> 
> Mike Jennings
> 
> 
> 
> On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
> 
> Hi Josh,
> 
> 
> 
> Thanks for this info. The problem is that there is no 'SHIB_EPPN' in 
> the $_SERVER array. There is no other Shibboleth related entry other 
> than the shib session string HTTP_COOKIE.
> 
> 
> 
> Not sure how to correct this. How can the required entry be made to be 
> included in the array?
> 
> 
> 
> Thanks
> 
> 
> 
> On Sep 11, 2020 5:39 PM, Josh Thompson <jo...@ncsu.edu> wrote:

- --
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found on pool.sks-keyservers.net

All electronic mail messages in connection with State business which are sent to or received by this account are subject to the NC Public Records Law and may be disclosed to third parties.
-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQRMIdRtWXideTZDK31X8tBw1209AwUCX3OYvQAKCRBX8tBw1209
A6/JAJ9gNUAsT+3r0Js5ktrs+vSdj4bDPACcDqGqN2g6gk/2I40ecQISFni5oHE=
=BVsy
-----END PGP SIGNATURE-----
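The quoted exchange above between Mike and Ariel comes down to one check: whether the attributes the SP shows at Shibboleth.sso/Session also reach PHP through $_SERVER. The page below is an added diagnostic, not code from VCL or the Shibboleth SP. It narrows the `<?php print_r($_SERVER) ?>` dump suggested in the thread to Shibboleth-related entries and limits who may view it, since a full $_SERVER dump exposes paths, environment and the HTTP_COOKIE header to anyone who finds the URL. The file name shibcheck.php and the address in ADMIN_CLIENTS are placeholders; the expected keys are the ones named in the thread (SHIB_EPPN, SHIB_AFFILIATION, Shib-Session-ID) and assume the SP's default mode of passing attributes as environment variables.

```php
<?php
// Added diagnostic page, not code from VCL or the Shibboleth SP. Save it under a
// placeholder name such as shibcheck.php in the directory whose .htaccess or
// <Location> block carries "AuthType shibboleth", then load it in the browser
// after signing in. Compared with a bare "<?php print_r($_SERVER) ?>" it shows
// only Shibboleth-related entries and only to the listed administrator clients.

// Keys named in the thread: the attribute-map ids VCL reads, plus the SP session
// id. These are the environment-variable names (ShibUseHeaders Off, the default).
const EXPECTED_KEYS = ['SHIB_EPPN', 'SHIB_AFFILIATION', 'Shib-Session-ID'];

// Placeholder: replace with the address(es) you test from (RFC 5737 TEST-NET here).
const ADMIN_CLIENTS = ['192.0.2.10'];

/** Only the entries the SP populated: attribute-map ids (SHIB_*), the SP's own
 *  Shib-* session variables, REMOTE_USER, and the HTTP_SHIB_* form those take
 *  when ShibUseHeaders is On and they arrive as request headers. */
function shibVars(array $server): array
{
    $out = [];
    foreach ($server as $key => $value) {
        if (preg_match('/^(SHIB_|Shib-|HTTP_SHIB_|REMOTE_USER$)/', $key)) {
            $out[$key] = $value;
        }
    }
    ksort($out);
    return $out;
}

/** Expected keys that are absent from this request. */
function missingKeys(array $server, array $expected): array
{
    return array_values(array_filter(
        $expected,
        fn (string $key): bool => !array_key_exists($key, $server)
    ));
}

/** One-line verdict separating the two failure modes the thread worked through:
 *  no SP session reaching PHP at all, versus a session whose attribute names do
 *  not match what VCL expects. */
function diagnose(array $server): string
{
    $hasSession = array_key_exists('Shib-Session-ID', $server)
               || array_key_exists('HTTP_SHIB_SESSION_ID', $server);
    if (!$hasSession) {
        return 'no SP session on this request: the Shibboleth handler is not applied to '
             . 'this path, or requireSession is off and the browser was never sent to the IdP';
    }
    $missing = missingKeys($server, EXPECTED_KEYS);
    if ($missing !== []) {
        return 'SP session present but missing ' . implode(', ', $missing)
             . ': compare the id= values in attribute-map.xml with these names, then restart shibd';
    }
    return 'all expected Shibboleth variables are present; VCL should be able to read them';
}

header('Content-Type: text/plain; charset=utf-8');
if (!in_array($_SERVER['REMOTE_ADDR'] ?? '', ADMIN_CLIENTS, true)) {
    http_response_code(403);
    exit("forbidden\n");
}
echo diagnose($_SERVER), "\n\n";
foreach (shibVars($_SERVER) as $key => $value) {
    echo $key, ' = ', $value, "\n";
}
```

If Shibboleth.sso/Session lists the attributes but this page reports no SP session, the Apache scope is the place to look rather than attribute-map.xml: directives in a .htaccess file take effect only where the server's AllowOverride setting permits them. That reading is consistent with what the thread later reports, namely that the same three directives worked once they were moved from .htaccess into a <Location /vcl> block in shib.conf.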




Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by Josh Thompson <jo...@ncsu.edu>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ariel,

The fact that you can go through the authentication and get back to VCL logged 
in means the Shibboleth authentication part is at least mostly working.

Can you log out of VCL and then ensure the VCLAUTH cookie has been deleted?  
Then, in authentication.php, after line 94 which should be:

   # $loginid|$remoteIP|$ts|$authtype|$shibauthid (shibauthd optional)

add

error_log("tmp: >{$tmp}<");

Next, log in and click on somewhere that is giving an error.  Finally, check 
your php error log to see what the value of $tmp was.  The >< characters are 
just to provide some visual delimiters in the log file so you know if any 
whitespace was included at the beginning or end.  $tmp should be the values 
associated with the variables listed from line 94 listed above.  It sounds 
like there's a problem with $shibauthid.

$shibauthid is related to a record inserted into the database that also 
includes a value from $_SERVER['Shib-Session-ID'].  Can you tell if Shib-
Session-ID is available in $_SERVER?

Josh

On Friday, September 25, 2020 12:39:03 PM EDT MARTINEZ, ARIEL wrote:
> I think I confused SHIB_AFFILIATION with AD groups. But I have now confirmed
> that the SHIB_AFFILIATION is being populated from my idp. I logged in
> locally to VCL and I saw it created an allusers group and a shib-member
> group, and the account I used to log in is a member of it. I gave it the
> same permissions as my AD group from the LDAP configuration and proceeded
> to test again. But I am still getting an error page after I log in.
> 
> 
> This time the httpd ssl_error_log logged the following, and no longer refers
> to shib affiliation:
> 
> 
> [Fri Sep 25 12:32:23.943499 2020] [:error] [pid 8232] [client
> 10.32.14.218:52076] PHP Notice:  Undefined offset: 5 in
> /var/www/html/vcl-2.5.1/.ht-inc/authentication.php on line 110, referer:
> https://vcl.hostos.cuny.edu/vcl/ [Fri Sep 25 12:32:23.944325 2020] [:error]
> [pid 8232] [client 10.32.14.218:52076] You have an error in your SQL
> syntax; check the manual that corresponds to your MariaDB server version
> for the right syntax to use near '' at line 1\nSELECT ts FROM shibauth
> WHERE id = \nERROR(101): General MySQL error\nMode was
> viewRequests\n\n\nBacktrace:\n=-=-=-=-=-=-=-=-=-=-=-=\nCall#:1 =>
> index.php:initGlobals() (line#:60)\nCall#:2 => utils.php:readAuthCookie()
> (line#:172)\nCall#:3 => authentication.php:doQuery()
> (line#:114)\n\nBacktrace with Arguments:\n=-=-=-=-=-=-=-=-=-=-=-=\nCall#:1
> => index.php:initGlobals()
> (line#:60)\nArguments(none):\n-----------------------\nCall#:2 =>
> utils.php:readAuthCookie()
> (line#:172)\nArguments(none):\n-----------------------\nCall#:3 =>
> authentication.php:doQuery() (line#:114)\nArguments(2)\n\nArgument#: 1 =>
> SELECT ts FROM shibauth WHERE id = \nArgument#: 2 =>
> 101\n-----------------------\n, referer: https://vcl.hostos.cuny.edu/vcl/
> [Fri Sep 25 12:32:24.012667 2020] [:error] [pid 8232] [client
> 10.32.14.218:52076] PHP Fatal error:  Call to undefined function
> getFooter() in /var/www/html/vcl-2.5.1/.ht-inc/utils.php on line 14234,
> referer: https://vcl.hostos.cuny.edu/vcl/
> 
> ________________________________
> From: MARTINEZ, ARIEL
> Sent: Thursday, September 24, 2020 3:29 PM
> To: user@vcl.apache.org
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> 
> Hi Mike,
> 
> Just to understand better, I intend to use Active Directory groups to handle
> permissions in VCL. I already have some defined in a VCL affiliation that
> is configured for LDAP.  How would I go about configuring the same via the
> Shibboleth login? Would I need to add SHIB_AFFILIATION values into the VCL
> configuration?
> 
> I was trying to just use the ldap memberof attribute and transform the claim
> in my idp to SHIB_AFFILIATION, but I’m not sure if that is what VCL
> requires or is expecting, as each of our users would have multiple values.
> 
> Thanks
> 
> From: Mike Jennings <gm...@ncsu.edu>
> Sent: Thursday, September 24, 2020 2:53 PM
> To: user@vcl.apache.org
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> Importance: Low
> 
> You will need to go into your attribute map and change affiliation to
> shib_affiliation like you did for shib_eppn.  This should make the
> attributes map correctly.
> 
> Mike
> 
> On Thu, Sep 24, 2020 at 1:28 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
> I have more troubleshooting information that may help. In shib.conf, I created a
> location block as follows:
> 
> 
> <Location /vcl>
>   AuthType shibboleth
>   ShibRequestSetting requireSession false
>   require shibboleth
> </Location>
> 
> 
> Doing so allows me to log into VCL, but when I click on any of the menu
> items I get a VCL error page: " An error has occured. If this problem
> persists, please email vcl_help@example.org
> for further assistance. Please include the steps you took that led up to
> this problem in your email message."
> 
> 
> 
> In the ssl_error_log inside of /var/log/httpd I see the following, which the
> first error is "undefined index: SHIB_AFFILIATION". I checked the
> affiliation database and it did create an entry on its own.
> 
> 
> 
> 
> [Thu Sep 24 13:21:01.827984 2020] [:error] [pid 15823] [client
> 10.32.14.218:56400] PHP Notice:  Undefined
> index: SHIB_AFFILIATION in
> /var/www/html/vcl-2.5.1/.ht-inc/authmethods/shibauth.php on line 180,
> referer: https://login.hostos.cuny.edu/ [Thu Sep 24 13:21:15.542646 2020]
> [:error] [pid 15820] [client 10.32.14.218:56406]
> PHP Notice:  Undefined offset: 5 in
> /var/www/html/vcl-2.5.1/.ht-inc/authentication.php on line 110, referer:
> https://vcl.hostos.cuny.edu/vcl/ [Thu Sep 24 13:21:15.543446 2020] [:error]
> [pid 15820] [client 10.32.14.218:56406] You have
> an error in your SQL syntax; check the manual that corresponds to your
> MariaDB server version for the right syntax to use near '' at line
> 1\nSELECT ts FROM shibauth WHERE id = \nERROR(101): General MySQL
> error\nMode was
> viewRequests\n\n\nBacktrace:\n=-=-=-=-=-=-=-=-=-=-=-=\nCall#:1 =>
> index.php:initGlobals() (line#:60)\nCall#:2 => utils.php:readAuthCookie()
> (line#:172)\nCall#:3 => authentication.php:doQuery()
> (line#:114)\n\nBacktrace with Arguments:\n=-=-=-=-=-=-=-=-=-=-=-=\nCall#:1
> => index.php:initGlobals()
> (line#:60)\nArguments(none):\n-----------------------\nCall#:2 =>
> utils.php:readAuthCookie()
> (line#:172)\nArguments(none):\n-----------------------\nCall#:3 =>
> authentication.php:doQuery() (line#:114)\nArguments(2)\n\nArgument#: 1 =>
> SELECT ts FROM shibauth WHERE id = \nArgument#: 2 =>
> 101\n-----------------------\n, referer: https://vcl.hostos.cuny.edu/vcl/
> [Thu Sep 24 13:21:15.610025 2020] [:error] [pid 15820] [client
> 10.32.14.218:56406] PHP Fatal error:  Call to
> undefined function getFooter() in /var/www/html/vcl-2.5.1/.ht-inc/utils.php
> on line 14234, referer: https://vcl.hostos.cuny.edu/vcl/
> 
> 
> ________________________________
> From: MARTINEZ, ARIEL
> Sent: Thursday, September 24, 2020 11:36 AM
> To: user@vcl.apache.org<ma...@vcl.apache.org>
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> 
> I finally got Shibboleth to work properly on the default /secure directory,
> and the Shibboleth attributes in $_SERVER are now present, including
> SHIB_EPPN. However, after authenticating, I am still getting back to the
> VCL login page.
> 
> I double checked the httpd.conf and shib.conf for any other blocks that may
> be enforcing Shibboleth and the only one is in .htaccess in the /vcl
> directory with the following lines:
> 
> AuthType shibboleth
> ShibRequireSession Off
> require shibboleth
> 
> In the affiliation database I set the shibname back to null on an existing
> affiliation, so everything is back to default settings per se.
> 
> 
> Should I retry the shibboleth instructions using the /shibauth directory or
> do you think I should try something else?
> 
> Thanks
> 
> 
> 
> 
> From: Mike Jennings <gm...@ncsu.edu>
> Sent: Monday, September 14, 2020 6:21 PM
> To: user@vcl.apache.org
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> Importance: Low
> 
> 
> You might want to look at this documentation
> 
> Mike
> 
> https://wiki.shibboleth.net/confluence/display/SP3/ADFS
> 
> 
> 
> On Mon, Sep 14, 2020 at 6:17 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
> The idp is ADFS. I don't see a RequestMap block in shibboleth2.xml so I attached a
> copy replacing values with MYDOMAIN
> 
> 
> 
> 
> 
> Thanks
> 
> 
> 
> ________________________________
> 
> From: Mike Jennings <gm...@ncsu.edu>
> Sent: Monday, September 14, 2020 5:59 PM
> To: user@vcl.apache.org
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> 
> 
> 
> Can you tell me what your RequestMap section looks like in your
> shibboleth2.xml file
> 
> 
> 
> On Mon, Sep 14, 2020 at 5:57 PM Mike Jennings <gm...@ncsu.edu> wrote:
> 
> Nope you should not....
> 
> 
> 
> Are you running a Shibboleth IdP or an ADFS?
> 
> 
> 
> Mike
> 
> 
> 
> On Mon, Sep 14, 2020 at 5:18 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
> 
> Tried that, but same result.
> 
> 
> 
> In Shibboleth2.xml file, should REMOTE_USER = “eduPersonPrincipalName” be
> changed to SHIB_EPPN as well?
> 
> 
> 
> Thanks
> 
> 
> 
> From: Mike Jennings <gm...@ncsu.edu>
> Sent: Monday, September 14, 2020 5:14 PM
> To: user@vcl.apache.org
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> Importance: Low
> 
> 
> 
> try setting ShibRequireSession On
> 
> 
> 
> Mike
> 
> 
> 
> On Mon, Sep 14, 2020 at 5:07 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
> 
> I made the change but it still doesn’t show up in $_SERVER.
> Shibboleth.sso/Session now shows SHIB_EPPN for the attribute name after
> updating the attribute map xml
> 
> 
> 
> Thanks
> 
> 
> 
> 
> 
> From: Mike Jennings <gm...@ncsu.edu>
> Sent: Monday, September 14, 2020 5:02 PM
> To: user@vcl.apache.org
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> Importance: Low
> 
> 
> 
> Yes, after checking the attribute-map.xml file that you sent me, change the
> eppn lines to SHIB_EPPN and then reboot the shibd process....
> 
> 
> 
> This should pick up the changes in the attribute map and make things work.
> 
> 
> 
> Mike
> 
> 
> 
> On Mon, Sep 14, 2020 at 5:00 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
> 
> Yes, I looked through the shibd.log initially and it looked normal, with no errors
> that would give a clue to what is happening. I have a test.php file in the
> vcl directory and it prints out many variables except for anything related
> to Shibboleth. I've attached the attribute-map.xml file.
> 
> 
> 
> 
> 
> Thanks
> 
> 
> 
> ________________________________
> 
> From: Mike Jennings <gm...@ncsu.edu>
> Sent: Monday, September 14, 2020 4:46 PM
> To: user@vcl.apache.org
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> 
> 
> 
> Have you looked for any errors in the shibd.log or the transaction.logs of
> the Shibboleth service provider?
> 
> 
> 
> Also have you tried to add a php file to dump the data in the vcl directory
> that contains
> 
> 
> 
> <?php print_r($_SERVER) ?>
> 
> 
> 
> and what does that print out
> 
> 
> 
> Also can you send me a copy of your attribute-map.xml file
> 
> 
> 
> Mike
> 
> 
> 
> On Mon, Sep 14, 2020 at 4:35 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
> 
> Hi Mike,
> 
> 
> 
> Both Shibboleth.sso/Status and Shibboleth.sso/Session indicate that the
> Shibboleth SP appears to be running correctly. I can see eppn, mail and
> displayname (haven’t included affiliation) in the session after
> authenticating.
> 
> 
> 
> I just can’t figure out why the $_SERVER variable does not have any
> Shibboleth data even though the session is established. Because of this,
> the authentication in VCL is not working.
> 
> 
> 
> I have a .htaccess file in /var/www/html/vcl directory with the following:
> 
> 
> 
> Authtype shibboleth
> 
> ShibRequireSession off
> 
> Require shibboleth
> 
> 
> 
> So when I select the configured SSO option in the VCL login, I get
> redirected to my identity provider and it gets redirected back to the /vcl
> webpage but it doesn’t log in.
> 
> 
> 
> Thanks
> 
> 
> 
> 
> 
> From: Mike Jennings <gm...@ncsu.edu>
> 
> Sent: Monday, September 14, 2020 11:17 AM
> 
> To: user@vcl.apache.org
> 
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> 
> Importance: Low
> 
> 
> 
> Martinez,
> 
> 
> 
> Sorry I am a little late to the game here.
> 
> 
> 
> It has been a long time since I have worked with a Shibboleth SP.
> 
> 
> 
> I am currently assuming that you have set up the Shibboleth SP on an Apache
> HTTPS server.
> 
> 
> 
> I am assuming that you can do the initial test correctly
> 
> 
> 
> 
> 
> You can test to ensure that the SP is running properly and the surrounding
> environment is correct by accessing https://localhost/Shibboleth.sso/Status
> from the actual web server machine. You MUST use "localhost" as the
> hostname or it WILL NOT WORK by default. If this test is successful, then
> the software is ready for further configuration.
> 
> 
> 
> You can also access the Status handler from other clients or using a
> non-localhost name, but only if you change the acl parameter in the
> configuration to permit your client address or remove it entirely to open
> up access to anybody. The ACL is present by default because the Status
> handler can return some arguably sensitive information about your
> configuration.
> 
> 
> 
> 
> 
> You have the attribute-map.xml configured correctly.  You might need to
> contact the Shibboleth IdP Administrator to verify he is releasing
> attributes to your sp and what values need to be modified in that file.
> 
> 
> 
> Thanks,
> 
> 
> 
> Mike Jennings
> 
> 
> 
> On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
> 
> Hi Josh,
> 
> 
> 
> Thanks for this info. The problem is that there is no 'SHIB_EPPN' in the
> $_SERVER array. There is no other Shibboleth related entry other than the
> shib session string HTTP_COOKIE.
> 
> 
> 
> Not sure how to correct this. How can the required entry be made to be
> included in the array?
> 
> 
> 
> Thanks
> 
> 
> 
> On Sep 11, 2020 5:39 PM, Josh Thompson <jo...@ncsu.edu> wrote:

- -- 
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found on pool.sks-keyservers.net

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQRMIdRtWXideTZDK31X8tBw1209AwUCX3OYvQAKCRBX8tBw1209
A6/JAJ9gNUAsT+3r0Js5ktrs+vSdj4bDPACcDqGqN2g6gk/2I40ecQISFni5oHE=
=BVsy
-----END PGP SIGNATURE-----
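Josh's debugging step above logs $tmp to find out which of the cookie fields is missing. The ssl_error_log lines quoted in the thread show where that leads when the field count is not checked before the SQL is built: an "Undefined offset" notice for an index the decoded payload did not have, followed by `SELECT ts FROM shibauth WHERE id = ` with nothing after the `=`, which MariaDB rejects as a syntax error. The functions below are an added example and not VCL's authentication.php. They take the already-decrypted VCLAUTH payload in the field order the thread gives (`$loginid|$remoteIP|$ts|$authtype|$shibauthid`, shibauthid optional), reject anything malformed before any query exists, and bind the id as a parameter rather than interpolating it. The payload strings and the authtype value are constructed samples; how VCL decrypts the cookie is outside what the thread shows, so that step is assumed to have already happened.

```php
<?php
// Added example, not VCL's own authentication.php. It handles the decrypted
// VCLAUTH cookie payload, whose fields the thread gives as
//   $loginid|$remoteIP|$ts|$authtype|$shibauthid   (shibauthid optional)
// and refuses to build SQL until every field has been checked, so a short or
// damaged cookie fails closed instead of producing "WHERE id = " with no value.

const AUTH_FIELDS_MIN = 4;   // loginid, remoteIP, ts, authtype
const AUTH_FIELDS_MAX = 5;   // ... plus the optional shibauthid

/**
 * Split and validate the payload. Returns null for anything malformed, so the
 * caller treats the visitor as logged out and sends them back to the login page.
 */
function parseAuthCookie(string $payload): ?array
{
    $parts = explode('|', $payload);
    $count = count($parts);
    if ($count < AUTH_FIELDS_MIN || $count > AUTH_FIELDS_MAX) {
        return null;                                   // wrong shape: never index into it
    }
    [$loginid, $remoteIP, $ts, $authtype] = $parts;    // first four fields
    $shibauthid = $parts[4] ?? '';                     // fifth is optional

    if ($loginid === '' || $authtype === '') {
        return null;
    }
    if (filter_var($remoteIP, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    if (!ctype_digit($ts)) {                           // unix timestamp, digits only
        return null;
    }
    if ($shibauthid !== '' && !ctype_digit($shibauthid)) {
        return null;                                   // a row id is an integer or absent
    }

    return [
        'loginid'    => $loginid,
        'remoteIP'   => $remoteIP,
        'ts'         => (int) $ts,
        'authtype'   => $authtype,
        'shibauthid' => $shibauthid === '' ? null : (int) $shibauthid,
    ];
}

/**
 * Fetch the shibauth timestamp with a bound parameter. Only reached when
 * parseAuthCookie() returned a non-null shibauthid, so the id is never empty
 * and never becomes part of the query text.
 */
function lookupShibTs(PDO $db, int $shibauthid): ?string
{
    $stmt = $db->prepare('SELECT ts FROM shibauth WHERE id = ?');
    $stmt->execute([$shibauthid]);
    $ts = $stmt->fetchColumn();
    return $ts === false ? null : (string) $ts;
}

// Constructed sample payloads (not taken from the thread's logs).
$samples = [
    'complete'  => 'jdoe|10.0.0.5|1601051543|shibboleth|42',
    'no-shibid' => 'jdoe|10.0.0.5|1601051543|shibboleth',      // valid shape, shibauthid absent
    'truncated' => 'jdoe|10.0.0.5|1601051543',                 // too few fields: rejected
    'bad-id'    => 'jdoe|10.0.0.5|1601051543|shibboleth|abc',  // non-numeric id: rejected
];
foreach ($samples as $label => $payload) {
    $parsed = parseAuthCookie($payload);
    echo str_pad($label, 10), ' => ',
         $parsed === null ? 'rejected' : 'ok, shibauthid=' . var_export($parsed['shibauthid'], true),
         "\n";
}
```

The 'no-shibid' case is the one the thread's logs describe: the cookie parses, but a Shibboleth login with no shibauthid has nothing to look up, so the handler should treat it as unauthenticated and send the browser back through the IdP instead of calling lookupShibTs() with an empty value. Keeping the count check ahead of the destructuring is what prevents the "Undefined offset" notice in the first place.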




Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
I think I confused SHIB_AFFILIATION with AD groups. But I have now confirmed that the SHIB_AFFILIATION is being populated from my idp. I logged in locally to VCL and I saw it created an allusers group and a shib-member group, and the account I used to log in is a member of it. I gave it the same permissions as my AD group from the LDAP configuration and proceeded to test again. But I am still getting an error page after I log in.


This time the httpd ssl_error_log logged the following, and no longer refers to shib affiliation:


[Fri Sep 25 12:32:23.943499 2020] [:error] [pid 8232] [client 10.32.14.218:52076] PHP Notice:  Undefined offset: 5 in /var/www/html/vcl-2.5.1/.ht-inc/authentication.php on line 110, referer: https://vcl.hostos.cuny.edu/vcl/
[Fri Sep 25 12:32:23.944325 2020] [:error] [pid 8232] [client 10.32.14.218:52076] You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1\nSELECT ts FROM shibauth WHERE id = \nERROR(101): General MySQL error\nMode was viewRequests\n\n\nBacktrace:\n=-=-=-=-=-=-=-=-=-=-=-=\nCall#:1 => index.php:initGlobals() (line#:60)\nCall#:2 => utils.php:readAuthCookie() (line#:172)\nCall#:3 => authentication.php:doQuery() (line#:114)\n\nBacktrace with Arguments:\n=-=-=-=-=-=-=-=-=-=-=-=\nCall#:1 => index.php:initGlobals() (line#:60)\nArguments(none):\n-----------------------\nCall#:2 => utils.php:readAuthCookie() (line#:172)\nArguments(none):\n-----------------------\nCall#:3 => authentication.php:doQuery() (line#:114)\nArguments(2)\n\nArgument#: 1 => SELECT ts FROM shibauth WHERE id = \nArgument#: 2 => 101\n-----------------------\n, referer: https://vcl.hostos.cuny.edu/vcl/
[Fri Sep 25 12:32:24.012667 2020] [:error] [pid 8232] [client 10.32.14.218:52076] PHP Fatal error:  Call to undefined function getFooter() in /var/www/html/vcl-2.5.1/.ht-inc/utils.php on line 14234, referer: https://vcl.hostos.cuny.edu/vcl/

________________________________
From: MARTINEZ, ARIEL
Sent: Thursday, September 24, 2020 3:29 PM
To: user@vcl.apache.org
Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Hi Mike,

Just to understand better, I intend to use Active Directory groups to handle permissions in VCL. I already have some defined in a VCL affiliation that is configured for LDAP.  How would I go about configuring the same via the Shibboleth login? Would I need to add SHIB_AFFILIATION values into the VCL configuration?

I was trying to just use the ldap memberof attribute and transform the claim in my idp to SHIB_AFFILIATION, but I’m not sure if that is what VCL requires or is expecting, as each of our users would have multiple values.

Thanks

From: Mike Jennings <gm...@ncsu.edu>
Sent: Thursday, September 24, 2020 2:53 PM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low

You will need to go into your attribute map and change affiliation to shib_affiliation like you did for shib_eppn.  This should make the attributes map correctly.

Mike

On Thu, Sep 24, 2020 at 1:28 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
I have more troubleshooting information that may help. In shib.conf, I created a location block as follows:


<Location /vcl>
  AuthType shibboleth
  ShibRequestSetting requireSession false
  require shibboleth
</Location>


Doing so allows me to log into VCL, but when I click on any of the menu items I get a VCL error page: " An error has occured. If this problem persists, please email vcl_help@example.org for further assistance. Please include the steps you took that led up to this problem in your email message."



In the ssl_error_log inside of /var/log/httpd I see the following, which the first error is "undefined index: SHIB_AFFILIATION". I checked the affiliation database and it did create an entry on its own.




[Thu Sep 24 13:21:01.827984 2020] [:error] [pid 15823] [client 10.32.14.218:56400] PHP Notice:  Undefined index: SHIB_AFFILIATION in /var/www/html/vcl-2.5.1/.ht-inc/authmethods/shibauth.php on line 180, referer: https://login.hostos.cuny.edu/
[Thu Sep 24 13:21:15.542646 2020] [:error] [pid 15820] [client 10.32.14.218:56406] PHP Notice:  Undefined offset: 5 in /var/www/html/vcl-2.5.1/.ht-inc/authentication.php on line 110, referer: https://vcl.hostos.cuny.edu/vcl/
[Thu Sep 24 13:21:15.543446 2020] [:error] [pid 15820] [client 10.32.14.218:56406] You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1\nSELECT ts FROM shibauth WHERE id = \nERROR(101): General MySQL error\nMode was viewRequests\n\n\nBacktrace:\n=-=-=-=-=-=-=-=-=-=-=-=\nCall#:1 => index.php:initGlobals() (line#:60)\nCall#:2 => utils.php:readAuthCookie() (line#:172)\nCall#:3 => authentication.php:doQuery() (line#:114)\n\nBacktrace with Arguments:\n=-=-=-=-=-=-=-=-=-=-=-=\nCall#:1 => index.php:initGlobals() (line#:60)\nArguments(none):\n-----------------------\nCall#:2 => utils.php:readAuthCookie() (line#:172)\nArguments(none):\n-----------------------\nCall#:3 => authentication.php:doQuery() (line#:114)\nArguments(2)\n\nArgument#: 1 => SELECT ts FROM shibauth WHERE id = \nArgument#: 2 => 101\n-----------------------\n, referer: https://vcl.hostos.cuny.edu/vcl/
[Thu Sep 24 13:21:15.610025 2020] [:error] [pid 15820] [client 10.32.14.218:56406] PHP Fatal error:  Call to undefined function getFooter() in /var/www/html/vcl-2.5.1/.ht-inc/utils.php on line 14234, referer: https://vcl.hostos.cuny.edu/vcl/

________________________________
From: MARTINEZ, ARIEL
Sent: Thursday, September 24, 2020 11:36 AM
To: user@vcl.apache.org
Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

I finally got Shibboleth to work properly on the default /secure directory, and the Shibboleth attributes in $_SERVER are now present, including SHIB_EPPN. However, after authenticating, I am still getting back to the VCL login page.

I double checked the httpd.conf and shib.conf for any other blocks that may be enforcing Shibboleth and the only one is in .htaccess in the /vcl directory with the following lines:

AuthType shibboleth
ShibRequireSession Off
require shibboleth

In the affiliation database I set the shibname back to null on an existing affiliation, so everything is back to default settings per se.

Should I retry the shibboleth instructions using the /shibauth directory or do you think I should try something else?

Thanks

From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 6:21 PM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low

You might want to look at this documentation

Mike

https://wiki.shibboleth.net/confluence/display/SP3/ADFS

On Mon, Sep 14, 2020 at 6:17 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
The idp is ADFS. I don't see a RequestMap block in shibboleth2.xml so I attached a copy replacing values with MYDOMAIN

Thanks

________________________________
From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 5:59 PM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Can you tell me what your RequestMap section looks like in your shibboleth2.xml file

On Mon, Sep 14, 2020 at 5:57 PM Mike Jennings <gm...@ncsu.edu> wrote:
Nope you should not....

Are you running a shibboleth idp or a adfs

Mike

On Mon, Sep 14, 2020 at 5:18 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
Tried that, but same result.

In Shibboleth2.xml file, should REMOTE_USER = “eduPersonPrincipalName” be changed to SHIB_EPPN as well?

Thanks

From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 5:14 PM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low

try setting ShibRequireSession On

Mike

On Mon, Sep 14, 2020 at 5:07 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
I made the change but it still doesn’t show up in $_SERVER. Shibboleth.sso/Session now shows SHIB_EPPN for the attribute name after updating the attribute map xml

Thanks

From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 5:02 PM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low

Yes, after checking the attribute-map.xml file that you sent me, change the eppn lines to SHIB_EPPN and then reboot the shibd process....

This should pick up the changes in the attribute map and make things work.

Mike

On Mon, Sep 14, 2020 at 5:00 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
Yes, I looked through the shibd.log initially and it looked normal, no errors that would give a clue to what is happening. I have a test.php file in the vcl directory and it prints out many variables except for anything related to Shibboleth. I've attached the attribute-map.xml file.

Thanks

________________________________
From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 4:46 PM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Have you looked for any errors in the shibd.log or the transaction.logs of the shibboleth service provider.

Also have you tried to add a php file to dump the data in the vcl directory that contains

<?php print_r($_SERVER) ?>

and what does that print out

Also can you send me a copy of your attribute-map.xml file

Mike

On Mon, Sep 14, 2020 at 4:35 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
Hi Mike,

Both Shibboleth.sso/Status and Shibboleth.sso/Session indicate that the Shibboleth SP appears to be running correctly. I can see eppn, mail and displayname (haven’t included affiliation) in the session after authenticating.

I just can’t figure out why the $_SERVER variable does not have any Shibboleth data even though the session is established. Because of this, the authentication in VCL is not working.

I have a .htaccess file in /var/www/html/vcl directory with the following:

AuthType shibboleth
ShibRequireSession off
Require shibboleth

So when I select the configured SSO option in the VCL login, I get redirected to my identity provider and it gets redirected back to the /vcl webpage but it doesn’t log in.

Thanks

From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 11:17 AM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low

Martinez,

Sorry I am a little late to the game here.

It has been a long time since I have worked with a Shibboleth SP.

I am currently assuming that you have set up the Shibboleth SP on an Apache HTTPS server.

I am assuming that you can do the initial test correctly

You can test to ensure that the SP is running properly and the surrounding environment is correct by accessing https://localhost/Shibboleth.sso/Status from the actual web server machine. You MUST use "localhost" as the hostname or it WILL NOT WORK by default. If this test is successful, then the software is ready for further configuration.

You can also access the Status handler from other clients or using a non-localhost name, but only if you change the acl parameter in the configuration to permit your client address or remove it entirely to open up access to anybody. The ACL is present by default because the Status handler can return some arguably sensitive information about your configuration.

You have the attribute-map.xml configured correctly.  You might need to contact the Shibboleth IdP Administrator to verify he is releasing attributes to your SP and what values need to be modified in that file.

Thanks,

Mike Jennings

On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
Hi Josh,

Thanks for this info. The problem is that there is no 'SHIB_EPPN' in the $_SERVER array. There is no other Shibboleth related entry other than the shib session string HTTP_COOKIE.

Not sure how to correct this. How can the required entry be made to be included in the array?

Thanks

On Sep 11, 2020 5:39 PM, Josh Thompson <jo...@ncsu.edu> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ariel,

Toward the top of initGlobals in utils.php, there is a small block of code
that tests conditions for each authentication method if the user is not logged
in, and if that authentication method's test function returns true, it will
then call that authentication method's authentication function.  It's the
"else" block that starts on line 176 of the 2.5.1 release.

The shibauth.php module uses testShibAuth as the test function.  All it does
is to check for $_SERVER['SHIB_EPPN'] being set.  If it is not set, it will
not attempt to authenticate the user using Shibboleth.  An easy way to test
this is to temporarily put a file in the same directory as the main VCL
index.php directory that just has this in it:

<?php
print "<pre>\n";
print_r($_SERVER);
print "</pre>\n";
?>

Don't leave the file in there beyond the testing since it can disclose various
information about your system.

If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found your
problem.  If your Shibboleth configuration is using something different than
'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php.

The VCL php code doesn't log anywhere other than where php errors would be
going.  Look in to configuring php errors for httpd to get that set up.  My
experience has been that systems generally don't log php errors anywhere by
default.

Josh

On Thursday, September 10, 2020 1:47:09 PM EDT MARTINEZ, ARIEL wrote:
> I have been looking further into the shibauth.php file to see what is
> supposed to happen when a shibboleth login happens. For starters, it
> creates an affiliation in the affiliation table if it does not find one
> from the attributes received from the identity provider. However it doesn't
> seem to be executing that code. It at the very least should have generated
> an error message when trying to automatically create an affiliation if it
> failed.
>
> Is there any way to troubleshoot shibauth.php to see what is happening? Or
> is this particular function logged somewhere in particular?
>
> Thanks.
>
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Sunday, August 30, 2020 1:11 PM
> To: 'user@vcl.apache.org' <us...@vcl.apache.org>
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> I don't know what else to really try because as far as Shibboleth is
> concerned, it appears to be working. So I went to the
> /Shibboleth.sso/Session URL after logging in and the following is
> displayed, I replaced some values that should not be public:
>
> Miscellaneous
> Session Expiration (barring inactivity): 478 minute(s)
> Client Address: (xx.xx.xx.xxx)
> SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
> Identity Provider: (idp entity ID)
> Authentication Time: 2020-08-30T16:54:23.787Z
> Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> Authentication Context Decl: (none)
>
> Attributes
> affiliation: member@domain.com
> eppn: USER@domain.com
> upn: USER@domain.com
>
>
> Unless eppn should not have two values, as far as I can tell, the proper
> values required by VCL are present. In the VCL database affiliation table,
> I have populated an existing VCL Affiliation that is configured to use LDAP
> with the domain.com value under shibname. I also tried creating a new
> affiliation setting shibonly to 1
>
> I still get the same behavior where, after selecting the Shibboleth
> authentication method and signing in at my idp, it gets redirected back to
> the /vcl directory to choose an authentication method.
>
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Thursday, August 27, 2020 3:00 PM
> To: 'user@vcl.apache.org' <us...@vcl.apache.org>
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> After login nothing is happening still. So I moved the test.php file from
> the old Shibboleth instructions to my main VCL directory and set the
> conf.php file to redirect to this file after login and the attributes are
> all undefined.
>
> Is this sufficient to say with a high level of certainty that my IDP is not
> sending VCL what it is expecting? Or is the test.php not meant to work that
> way?
>
> Thanks
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Wednesday, August 26, 2020 11:14 AM
> To: user@vcl.apache.org
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> Hi Josh,
>
> Last question before I try again, there is no shibboleth affiliation in my
> VCL database. So should I be creating a new affiliation for shibboleth and
> populating the shibname field, or should I use the existing LDAP configured
> affiliation and populate its shibname field?
>
> Thanks
>
> -----Original Message-----
> From: Josh Thompson <jo...@ncsu.edu>
> Sent: Wednesday, August 26, 2020 11:04 AM
> To: user@vcl.apache.org
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

- --
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found on pool.sks-keyservers.net

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQRMIdRtWXideTZDK31X8tBw1209AwUCX1vuhwAKCRBX8tBw1209
A8DxAJ96eWpTyUnduFw9TVnbqelq8Xyt2ACfUmfmuBolOE+Agkt6ZfQVJ4HjO48=
=jMJR
-----END PGP SIGNATURE-----
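What Josh describes above (initGlobals calling each authentication method's test function, and testShibAuth looking only for $_SERVER['SHIB_EPPN']), together with what the thread later settles on (SHIB_EPPN plus a multi-valued SHIB_AFFILIATION exported by the SP), as an added worked example in PHP. This is illustration code written for this page, not VCL's shibauth.php: the function names, the affiliation lookup by eppn scope, the constructed $sampleServer array and the EXAMPLE affiliation name are assumptions. It also assumes the SP's defaults of exporting attributes as environment variables (ShibUseHeaders Off) and joining multiple values with ';' as the SP documentation describes.

```php
<?php
// Added example for this thread (not VCL's own shibauth.php): how an
// application behind the Shibboleth SP gates login on SHIB_EPPN and consumes
// the exported attributes. Needs PHP 7.1 or later for the nullable types.
declare(strict_types=1);

// Variable names VCL expects once the attribute-map.xml ids are renamed
// (from the thread: SHIB_EPPN is required, SHIB_AFFILIATION is optional).
const SHIB_EPPN_VAR  = 'SHIB_EPPN';
const SHIB_AFFIL_VAR = 'SHIB_AFFILIATION';

/**
 * What the thread says testShibAuth does: proceed only when the SP exported
 * SHIB_EPPN into the request environment. Only the bare variable is trusted.
 * HTTP_SHIB_EPPN would be a client-sent "Shib-Eppn:" request header, which
 * the SP never produces with ShibUseHeaders Off, so it is ignored here.
 */
function testShibAuth(array $server): bool
{
    return isset($server[SHIB_EPPN_VAR]) && $server[SHIB_EPPN_VAR] !== '';
}

/**
 * Split a multi-valued attribute. Assumption (SP default): values are joined
 * with ';' and a literal ';' inside a value is escaped as '\;'.
 */
function splitMultiValued(?string $raw): array
{
    if ($raw === null || $raw === '') {
        return [];
    }
    $parts = preg_split('/(?<!\\\\);/', $raw);   // split on unescaped ';' only
    $out = [];
    foreach ($parts as $p) {
        $p = trim(str_replace('\\;', ';', $p));
        if ($p !== '') {
            $out[] = $p;
        }
    }
    return $out;
}

/** Parse a scoped value "user@scope"; null when there is no usable scope. */
function parseScopedEppn(string $eppn): ?array
{
    $at = strrpos($eppn, '@');
    if ($at === false || $at === 0 || $at === strlen($eppn) - 1) {
        return null;
    }
    return [
        'user'  => substr($eppn, 0, $at),
        'scope' => strtolower(substr($eppn, $at + 1)),
    ];
}

/**
 * Resolve who just logged in. $shibnames stands in for the affiliation
 * table's shibname column (scope => affiliation name), the lookup the thread
 * describes populating. Unknown scopes are refused rather than auto-created.
 */
function shibLoginContext(array $server, array $shibnames): ?array
{
    if (!testShibAuth($server)) {
        return null;                       // not a Shibboleth request
    }
    $eppn = parseScopedEppn($server[SHIB_EPPN_VAR]);
    if ($eppn === null || !isset($shibnames[$eppn['scope']])) {
        return null;                       // unscoped or unknown scope
    }
    return [
        'username'    => $eppn['user'],
        'affiliation' => $shibnames[$eppn['scope']],
        'groups'      => splitMultiValued($server[SHIB_AFFIL_VAR] ?? null),
    ];
}

// Constructed sample environment (not a real capture). The HTTP_ entry shows
// what a spoofed request header looks like next to the real SP variable.
$sampleServer = [
    'SHIB_EPPN'        => 'jdoe@example.edu',
    'SHIB_AFFILIATION' => 'member@example.edu;staff@example.edu',
    'HTTP_SHIB_EPPN'   => 'someone-else@example.edu',
];
$shibnames = ['example.edu' => 'EXAMPLE'];

var_export(shibLoginContext($sampleServer, $shibnames));
```

The point of the HTTP_SHIB_EPPN entry in the sample: a browser can send a Shib-Eppn request header, which Apache exposes to PHP as HTTP_SHIB_EPPN, but it cannot set the SHIB_EPPN environment variable, so an application that reads only the unprefixed variable is not spoofable that way. Turning ShibUseHeaders on reverses this, which is why the SP leaves it off by default and why a `<Location>` block in shib.conf is the right place to attach the SP to /vcl rather than a header-based scheme.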

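Mike's advice in the quoted thread (rename the map ids to SHIB_EPPN and SHIB_AFFILIATION) and the ADFS page he links, as an added example of what the attribute-map.xml entries can look like when the IdP is ADFS. This fragment is written for this page and is not from the VCL documentation or the Shibboleth wiki; the claim URIs are the ADFS default claim types for UPN and group membership and are an assumption about what a given ADFS claim rule set issues, so confirm the exact Names against what Shibboleth.sso/Session shows before copying them.

```xml
<!-- Added example fragment for /etc/shibboleth/attribute-map.xml.
     Assumption: ADFS issues its default UPN and Group claim types; verify the
     SAML attribute Names your ADFS actually sends. The id= value is the
     variable name the SP exports to Apache, which is what VCL reads from
     $_SERVER, so the ids are what VCL's shibauth.php expects, not the SP's
     stock "eppn" and "affiliation". -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- ADFS UPN claim (user@domain) -> SHIB_EPPN, the variable that
         testShibAuth checks. Left as a plain string here; see the note
         below about scope checking. -->
    <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
               id="SHIB_EPPN"/>

    <!-- ADFS Group claim -> SHIB_AFFILIATION. It is multi-valued: the SP joins
         the values with ';' in the exported variable. -->
    <Attribute name="http://schemas.xmlsoap.org/claims/Group"
               id="SHIB_AFFILIATION"/>

    <!-- Keep the eduPerson OID names mapped to the same ids as well, so a
         Shibboleth or other SAML IdP that releases them lands in the same
         variables. These mirror the stock entries, only the ids differ. -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="SHIB_EPPN">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="SHIB_AFFILIATION">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>

</Attributes>
```

Two checks after renaming ids, both of which the thread ran into in passing. First, Shibboleth.sso/Session lists attributes by id, so it should now show SHIB_EPPN and SHIB_AFFILIATION; if it still shows eppn, shibd has not reloaded the map (restart it). Second, the stock attribute-policy.xml keys its scope-matching rules on the old ids (attributeID="eppn", "affiliation"), so after the rename those rules no longer apply to the renamed attributes; since VCL maps the eppn scope to an affiliation's shibname, add equivalent rules for the new ids if more than one IdP is trusted, otherwise an IdP can assert a scope that belongs to a different affiliation.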
RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
Hi Mike,

Just to understand better, I intend to use Active Directory groups to handle permissions in VCL. I already have some defined in a VCL affiliation that is configured for LDAP.  How would I go about configuring the same via the Shibboleth login? Would I need to add SHIB_AFFILIATION values into the VCL configuration?

I was trying to just use the ldap memberof attribute and transform the claim in my idp to SHIB_AFFILIATION, but I’m not sure if that is what VCL requires or is expecting, as each of our users would have multiple values.

Thanks


Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by Mike Jennings <gm...@ncsu.edu>.
You will need to go into your attribute map and change affiliation to
shib_affiliation like you did for shib_eppn.  This should make the
attributes map correctly.

Mike

On Thu, Sep 24, 2020 at 1:28 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu>
wrote:

> I have more troubleshooting information that may help. In shib.conf, I
> created a location block as follows:
>
>
> <Location /vcl>
>   AuthType shibboleth
>   ShibRequestSetting requireSession false
>   require shibboleth
> </Location>
>
>
> Doing so allows me to log into VCL, but when I click on any of the menu
> items I get a VCL error page: " An error has occured. If this problem
> persists, please email vcl_help@example.org for further assistance.
> Please include the steps you took that led up to this problem in your email
> message."
>
>
>
> In the ssl_error_log inside of /var/log/httpd I see the following, which
> the first error is "undefined index: SHIB_AFFILIATION". I checked the
> affiliation database and it did create an entry on its own.
>
>
>
>
> [Thu Sep 24 13:21:01.827984 2020] [:error] [pid 15823] [client
> 10.32.14.218:56400] PHP Notice:  Undefined index: SHIB_AFFILIATION in
> /var/www/html/vcl-2.5.1/.ht-inc/authmethods/shibauth.php on line 180,
> referer: https://login.hostos.cuny.edu/
> [Thu Sep 24 13:21:15.542646 2020] [:error] [pid 15820] [client
> 10.32.14.218:56406] PHP Notice:  Undefined offset: 5 in
> /var/www/html/vcl-2.5.1/.ht-inc/authentication.php on line 110, referer:
> https://vcl.hostos.cuny.edu/vcl/
> [Thu Sep 24 13:21:15.543446 2020] [:error] [pid 15820] [client
> 10.32.14.218:56406] You have an error in your SQL syntax; check the
> manual that corresponds to your MariaDB server version for the right syntax
> to use near '' at line 1\nSELECT ts FROM shibauth WHERE id = \nERROR(101):
> General MySQL error\nMode was
> viewRequests\n\n\nBacktrace:\n=-=-=-=-=-=-=-=-=-=-=-=\nCall#:1 =>
> index.php:initGlobals() (line#:60)\nCall#:2 => utils.php:readAuthCookie()
> (line#:172)\nCall#:3 => authentication.php:doQuery()
> (line#:114)\n\nBacktrace with Arguments:\n=-=-=-=-=-=-=-=-=-=-=-=\nCall#:1
> => index.php:initGlobals()
> (line#:60)\nArguments(none):\n-----------------------\nCall#:2 =>
> utils.php:readAuthCookie()
> (line#:172)\nArguments(none):\n-----------------------\nCall#:3 =>
> authentication.php:doQuery() (line#:114)\nArguments(2)\n\nArgument#: 1 =>
> SELECT ts FROM shibauth WHERE id = \nArgument#: 2 =>
> 101\n-----------------------\n, referer: https://vcl.hostos.cuny.edu/vcl/
> [Thu Sep 24 13:21:15.610025 2020] [:error] [pid 15820] [client
> 10.32.14.218:56406] PHP Fatal error:  Call to undefined function
> getFooter() in /var/www/html/vcl-2.5.1/.ht-inc/utils.php on line 14234,
> referer: https://vcl.hostos.cuny.edu/vcl/

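Mike's fix above (rename the attribute-map ids so the SP exports SHIB_EPPN and SHIB_AFFILIATION, the names the ssl_error_log shows shibauth.php reading from $_SERVER) can be checked and applied mechanically. The following is an added example written for this thread, not code from VCL or from the Shibboleth project: the attribute-map.xml it parses is constructed from the Shibboleth SP default mapping (eppn, affiliation), and the $_SERVER-style dicts it diagnoses mirror what Josh describes testShibAuth doing and what the print_r($_SERVER) dump would show.

```python
"""Check and fix a Shibboleth SP attribute-map.xml for VCL's shibauth.php.

Added example for this thread, not code from VCL or the Shibboleth project.
Expected ids come from the thread: testShibAuth checks $_SERVER['SHIB_EPPN']
and the ssl_error_log shows shibauth.php indexing SHIB_AFFILIATION.  The
sample attribute map below is constructed from the Shibboleth SP default
mapping (eduPersonPrincipalName -> eppn, eduPersonScopedAffiliation ->
affiliation), which is the state Mike's reply says to change.
"""
import xml.etree.ElementTree as ET

NS = {"am": "urn:mace:shibboleth:2.0:attribute-map"}

# default attribute-map id -> id VCL reads from $_SERVER (per the thread)
VCL_IDS = {"eppn": "SHIB_EPPN", "affiliation": "SHIB_AFFILIATION"}

# Constructed sample: the SP default mapping before Mike's change.
SAMPLE_ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
</Attributes>
"""


def attribute_ids(xml_text):
    """Map each exported id to the SAML attribute name it comes from."""
    root = ET.fromstring(xml_text)
    return {a.get("id"): a.get("name") for a in root.findall("am:Attribute", NS)}


def check_attribute_map(xml_text):
    """For each id VCL needs, report 'ok', the rename to make, or 'missing'.

    'missing' means neither the VCL id nor the default id is mapped at all,
    so the fix is on the IdP release / attribute-map side, not a rename.
    """
    ids = attribute_ids(xml_text)
    findings = {}
    for default_id, vcl_id in VCL_IDS.items():
        if vcl_id in ids:
            findings[vcl_id] = "ok"
        elif default_id in ids:
            findings[vcl_id] = f"rename id {default_id!r} to {vcl_id!r}"
        else:
            findings[vcl_id] = "missing"
    return findings


def rename_ids(xml_text):
    """Return the attribute map with the default ids renamed to the VCL ones."""
    ET.register_namespace("", NS["am"])  # keep the default namespace on output
    root = ET.fromstring(xml_text)
    for attr in root.findall("am:Attribute", NS):
        new_id = VCL_IDS.get(attr.get("id"))
        if new_id:
            attr.set("id", new_id)
    return ET.tostring(root, encoding="unicode")


def has_shib_eppn(server):
    """What the thread says testShibAuth does: SHIB_EPPN must be set."""
    return bool(server.get("SHIB_EPPN"))


def attribute_values(server, key):
    """Split a multi-valued attribute as the SP exports it (';'-joined,
    like the two-valued eppn shown on the Session page in the thread)."""
    return [v for v in server.get(key, "").split(";") if v]


def diagnose(server):
    """Summarise a print_r($_SERVER)-style dict the way the thread debugs it."""
    if not has_shib_eppn(server):
        return "no SHIB_EPPN: attribute-map id or IdP release problem"
    if len(attribute_values(server, "SHIB_EPPN")) != 1:
        return "SHIB_EPPN has more than one value: check what the IdP releases"
    if "SHIB_AFFILIATION" not in server:
        return "no SHIB_AFFILIATION: the undefined index notice seen in the log"
    return "ok"


if __name__ == "__main__":
    for vcl_id, finding in check_attribute_map(SAMPLE_ATTRIBUTE_MAP).items():
        print(f"{vcl_id}: {finding}")
    print(rename_ids(SAMPLE_ATTRIBUTE_MAP))
    # Constructed $_SERVER excerpts, modelled on the thread's Session page.
    print(diagnose({"HTTP_COOKIE": "_shibsession_xxx=..."}))
    print(diagnose({"SHIB_EPPN": "USER@domain.com;user@domain.com",
                    "SHIB_AFFILIATION": "member@domain.com"}))
```

Run it against the real /etc/shibboleth/attribute-map.xml by passing the file contents to check_attribute_map and rename_ids; shibd still has to be restarted for the renamed ids to show up in $_SERVER.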
Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
I have more troubleshooting information that may help. In shib.conf, I created a location block as follows:


<Location /vcl>
  AuthType shibboleth
  ShibRequestSetting requireSession false
  require shibboleth
</Location>


Doing so allows me to log into VCL, but when I click on any of the menu items I get a VCL error page: " An error has occured. If this problem persists, please email vcl_help@example.org for further assistance. Please include the steps you took that led up to this problem in your email message."



In the ssl_error_log inside of /var/log/httpd I see the following; the first error is "undefined index: SHIB_AFFILIATION". I checked the affiliation database and it did create an entry on its own.




[Thu Sep 24 13:21:01.827984 2020] [:error] [pid 15823] [client 10.32.14.218:56400] PHP Notice:  Undefined index: SHIB_AFFILIATION in /var/www/html/vcl-2.5.1/.ht-inc/authmethods/shibauth.php on line 180, referer: https://login.hostos.cuny.edu/
[Thu Sep 24 13:21:15.542646 2020] [:error] [pid 15820] [client 10.32.14.218:56406] PHP Notice:  Undefined offset: 5 in /var/www/html/vcl-2.5.1/.ht-inc/authentication.php on line 110, referer: https://vcl.hostos.cuny.edu/vcl/
[Thu Sep 24 13:21:15.543446 2020] [:error] [pid 15820] [client 10.32.14.218:56406] You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1\nSELECT ts FROM shibauth WHERE id = \nERROR(101): General MySQL error\nMode was viewRequests\n\n\nBacktrace:\n=-=-=-=-=-=-=-=-=-=-=-=\nCall#:1 => index.php:initGlobals() (line#:60)\nCall#:2 => utils.php:readAuthCookie() (line#:172)\nCall#:3 => authentication.php:doQuery() (line#:114)\n\nBacktrace with Arguments:\n=-=-=-=-=-=-=-=-=-=-=-=\nCall#:1 => index.php:initGlobals() (line#:60)\nArguments(none):\n-----------------------\nCall#:2 => utils.php:readAuthCookie() (line#:172)\nArguments(none):\n-----------------------\nCall#:3 => authentication.php:doQuery() (line#:114)\nArguments(2)\n\nArgument#: 1 => SELECT ts FROM shibauth WHERE id = \nArgument#: 2 => 101\n-----------------------\n, referer: https://vcl.hostos.cuny.edu/vcl/
[Thu Sep 24 13:21:15.610025 2020] [:error] [pid 15820] [client 10.32.14.218:56406] PHP Fatal error:  Call to undefined function getFooter() in /var/www/html/vcl-2.5.1/.ht-inc/utils.php on line 14234, referer: https://vcl.hostos.cuny.edu/vcl/


________________________________
From: MARTINEZ, ARIEL
Sent: Thursday, September 24, 2020 11:36 AM
To: user@vcl.apache.org
Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

I finally got Shibboleth to work properly on the default /secure directory, and the Shibboleth attributes in $_SERVER are now present, including SHIB_EPPN. However, after authenticating, I am still getting back to the VCL login page.

I double checked the httpd.conf and shib.conf for any other blocks that may be enforcing Shibboleth and the only one is in .htaccess in the /vcl directory with the following lines:

AuthType shibboleth
ShibRequireSession Off
require shibboleth

In the affiliation database I set the shibname back to null on an existing affiliation, so everything is back to default settings per se.


Should I retry the shibboleth instructions using the /shibauth directory or do you think I should try something else?

Thanks




From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 6:21 PM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low


You might want to look at this documentation

Mike

https://wiki.shibboleth.net/confluence/display/SP3/ADFS



On Mon, Sep 14, 2020 at 6:17 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
The idp is ADFS. I don't see a RequestMap block in shibboleth2.xml so I attached a copy replacing values with MYDOMAIN





Thanks



________________________________

From: Mike Jennings <gm...@ncsu.edu>

Sent: Monday, September 14, 2020 5:59 PM

To: user@vcl.apache.org

Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication



Can you tell me what your RequestMap section looks like in your shibboleth2.xml file



On Mon, Sep 14, 2020 at 5:57 PM Mike Jennings <gm...@ncsu.edu> wrote:

Nope you should not....



Are you running a shibboleth idp or an adfs



Mike



On Mon, Sep 14, 2020 at 5:18 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:

Tried that, but same result.



In Shibboleth2.xml file, should REMOTE_USER = “eduPersonPrincipalName” be changed to SHIB_EPPN as well?



Thanks



From: Mike Jennings <gm...@ncsu.edu>

Sent: Monday, September 14, 2020 5:14 PM

To: user@vcl.apache.org

Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Importance: Low



try setting ShibRequireSession On



Mike



On Mon, Sep 14, 2020 at 5:07 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:

I made the change but it still doesn’t show up in $_SERVER. Shibboleth.sso/Session now shows SHIB_EPPN for the attribute name after updating the attribute map xml



Thanks





From: Mike Jennings <gm...@ncsu.edu>

Sent: Monday, September 14, 2020 5:02 PM

To: user@vcl.apache.org

Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Importance: Low



Yes, after checking the attribute-map.xml file that you sent me, change the eppn lines to SHIB_EPPN and then reboot the shibd process....



This should pick up the changes in the attribute map and make things work.



Mike



On Mon, Sep 14, 2020 at 5:00 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:

Yes, I looked through the shibd.log initially and it looked normal no errors that would give a clue to what is happening. I have a test.php file in the vcl directory and it prints out many variables except for anything related to Shibboleth. I've attached the attribute-map.xml file.





Thanks



________________________________

From: Mike Jennings <gm...@ncsu.edu>

Sent: Monday, September 14, 2020 4:46 PM

To: user@vcl.apache.org

Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication



Have you looked for any errors in the shibd.log or the transaction.logs of the shibboleth service provider.



Also have you tried to add a php file to dump the data in the vcl directory that contains



<?php print_r($_SERVER) ?>



and what does that print out



Also can you send me a copy of your attribute-map.xml file



Mike



On Mon, Sep 14, 2020 at 4:35 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:

Hi Mike,



Both Shibboleth.sso/Status and Shibboleth.sso/Session indicate that the Shibboleth SP appears to be running correctly. I can see eppn, mail and displayname (haven’t included affiliation) in the session after authenticating.



I just can’t figure out why the $_SERVER variable does not have any Shibboleth data even though the session is established. Because of this, the authentication in VCL is not working.



I have a .htaccess file in /var/www/html/vcl directory with the following:



Authtype shibboleth

ShibRequireSession off

Require shibboleth



So when I select the configured  SSO option in the VCL login, I get redirected to my identity provider and it gets redirected back to the /vcl webpage but it doesn’t log in.



Thanks





From: Mike Jennings <gm...@ncsu.edu>

Sent: Monday, September 14, 2020 11:17 AM

To: user@vcl.apache.org

Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Importance: Low



Martinez,



Sorry I am a little late to the game here.



It has been a long time since I have worked with a Shibboleth SP.



I am currently assuming that you have setup the Shibboleth SP on an Apache HTTPS server.



I am assuming that you can do the initial test correctly





You can test to ensure that the SP is running properly and the surrounding environment is correct by accessing https://localhost/Shibboleth.sso/Status from the actual web server machine. You MUST use "localhost" as the hostname or it WILL NOT WORK by default. If this test is successful, then the software is ready for further configuration.



You can also access the Status handler from other clients or using a non-localhost name, but only if you change the acl parameter in the configuration to permit your client address or remove it entirely to open up access to anybody. The ACL is present by default because the Status handler can return some arguably sensitive information about your configuration.





You have the attribute-map.xml configured correctly.  You might need to contact the Shibboleth IdP Administrator to verify he is releasing attributes to your sp and what values need to be modified in that file.



Thanks,



Mike Jennings



On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:

Hi Josh,



Thanks for this info. The problem is that there is no 'SHIB_EPPN' in the $_SERVER array. There is no other Shibboleth related entry other than the shib session string HTTP_COOKIE.



Not sure how to correct this. How can the required entry be made to be included in the array?



Thanks



On Sep 11, 2020 5:39 PM, Josh Thompson <jo...@ncsu.edu> wrote:




Hi Ariel,



Toward the top of initGlobals in utils.php, there is a small block of code
that tests conditions for each authentication method if the user is not logged
in, and if that authentication method's test function returns true, it will
then call that authentication method's authentication function.  It's the
"else" block that starts on line 176 of the 2.5.1 release.

The shibauth.php module uses testShibAuth as the test function.  All it does
is to check for $_SERVER['SHIB_EPPN'] being set.  If it is not set, it will
not attempt to authenticate the user using Shibboleth.  An easy way to test
this is to temporarily put a file in the same directory as the main VCL
index.php directory that just has this in it:

<?php
print "<pre>\n";
print_r($_SERVER);
print "</pre>\n";
?>

Don't leave the file in there beyond the testing since it can disclose various
information about your system.

If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found your
problem.  If your Shibboleth configuration is using something different than
'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php.

The VCL php code doesn't log anywhere other than where php errors would be
going.  Look in to configuring php errors for httpd to get that set up.  My
experience has been that systems generally don't log php errors anywhere by
default.

Josh



On Thursday, September 10, 2020 1:47:09 PM EDT MARTINEZ, ARIEL wrote:
> I have been looking further into the shibauth.php file to see what is supposed to happen when a shibboleth login happens. For starters, it creates an affiliation in the affiliation table if it does not find one from the attributes received from the identity provider. However it doesn't seem to be executing that code. It at the very least should have generated an error message when trying to automatically create an affiliation if it failed.
>
> Is there any way to troubleshoot shibauth.php to see what is happening? Or is this particular function logged somewhere in particular?
>
> Thanks.
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Sunday, August 30, 2020 1:11 PM
> To: user@vcl.apache.org
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> I don't know what else to really try because as far as Shibboleth is concerned, it appears to be working. So I went to the /Shibboleth.sso/Session URL after logging in and the following is displayed; I replaced some values that should not be public:
>
> Miscellaneous
> Session Expiration (barring inactivity): 478 minute(s)
> Client Address: (xx.xx.xx.xxx)
> SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
> Identity Provider: (idp entity ID)
> Authentication Time: 2020-08-30T16:54:23.787Z
> Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> Authentication Context Decl: (none)
>
> Attributes
> affiliation: member@domain.com
> eppn: USER@domain.com
> upn: USER@domain.com
>
> Unless eppn should not have two values, as far as I can tell, the proper values required by VCL are present. In the VCL database affiliation table, I have populated an existing VCL Affiliation that is configured to use LDAP with the domain.com value under shibname. I also tried creating a new affiliation setting shibonly to 1.
>
> I still get the same behavior where, after selecting the Shibboleth authentication method and signing in at my idp, it gets redirected back to the /vcl directory to choose an authentication method.
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Thursday, August 27, 2020 3:00 PM
> To: user@vcl.apache.org
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> After login nothing is happening still. So I moved the test.php file from the old Shibboleth instructions to my main VCL directory and set the conf.php file to redirect to this file after login, and the attributes are all undefined.
>
> Is this sufficient to say with a high level of certainty that my IDP is not sending VCL what it is expecting? Or is the test.php not meant to work that way?
>
> Thanks
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Wednesday, August 26, 2020 11:14 AM
> To: user@vcl.apache.org
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> Hi Josh,
>
> Last question before I try again: there is no shibboleth affiliation in my VCL database. So should I be creating a new affiliation for shibboleth and populating the shibname field, or should I use the existing LDAP configured affiliation and populate its shibname field?
>
> Thanks
>
> -----Original Message-----
> From: Josh Thompson <jo...@ncsu.edu>
> Sent: Wednesday, August 26, 2020 11:04 AM
> To: user@vcl.apache.org
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication



--
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found on pool.sks-keyservers.net

All electronic mail messages in connection with State business which are sent to or received by this account are subject to the NC Public Records Law and may be disclosed to third parties.

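As an added example (not VCL's code and not anything posted in this thread), a narrower version of the $_SERVER dump Josh suggests: it prints only the Shibboleth-related entries, so the test file does not expose the rest of the server environment, and it reports whether the key VCL's testShibAuth() checks, SHIB_EPPN, is actually present. The file name shib_check.php and the `_shibsession_` cookie-name prefix it looks for are assumptions.

```php
<?php
// shib_check.php (name assumed): added diagnostic, not part of VCL and not
// code from this thread. Put it beside VCL's index.php only while testing,
// then delete it. Unlike print_r($_SERVER) it shows only the entries that
// matter for shibauth.php, so the rest of the environment stays private.

// The key VCL's testShibAuth() looks for (shibauth.php).
const VCL_EXPECTED_KEY = 'SHIB_EPPN';

// Collect what the SP exported to this request: environment variables whose
// name starts with "Shib"/"SHIB" (Shib-Session-ID, SHIB_EPPN, ...), the same
// names as headers when ShibUseHeaders is on (HTTP_SHIB_...), and REMOTE_USER,
// which the REMOTE_USER setting in shibboleth2.xml fills from an attribute id.
function shibEntries(array $server): array
{
    $out = [];
    foreach ($server as $key => $value) {
        if (stripos($key, 'SHIB') === 0
            || stripos($key, 'HTTP_SHIB') === 0
            || $key === 'REMOTE_USER') {
            $out[$key] = is_string($value) ? $value : json_encode($value);
        }
    }
    ksort($out);
    return $out;
}

// Tell apart the three states seen in this thread: the key VCL wants is
// present; attributes arrive but under another id; an SP session cookie
// exists yet nothing reached PHP at all.
function diagnose(array $server): array
{
    $entries = shibEntries($server);
    // Assumption: the SP's session cookie is named _shibsession_<hash>.
    $hasSessionCookie = isset($server['HTTP_COOKIE'])
        && strpos($server['HTTP_COOKIE'], '_shibsession_') !== false;

    if (isset($entries[VCL_EXPECTED_KEY]) && $entries[VCL_EXPECTED_KEY] !== '') {
        $verdict = 'OK: ' . VCL_EXPECTED_KEY
            . ' is set, so testShibAuth() will return true for this request.';
    } elseif ($entries !== []) {
        $verdict = 'Attributes are exported, but none is named ' . VCL_EXPECTED_KEY
            . '. Either give the eppn attribute that id in attribute-map.xml and restart shibd,'
            . ' or change the key testShibAuth() checks in shibauth.php.';
    } elseif ($hasSessionCookie) {
        $verdict = 'An SP session cookie is present but nothing was exported to PHP.'
            . ' Check that this directory is covered by the SP (AuthType shibboleth /'
            . ' require shibboleth) and how the SP hands attributes to your PHP setup'
            . ' (ShibUseEnvironment / ShibUseHeaders).';
    } else {
        $verdict = 'No SP session cookie and no attributes: this request did not pass through the SP.';
    }
    return ['verdict' => $verdict, 'entries' => $entries];
}

$result = diagnose($_SERVER);
header('Content-Type: text/plain; charset=utf-8');
echo $result['verdict'], "\n\n";
foreach ($result['entries'] as $key => $value) {
    echo $key, ' = ', $value, "\n";
}
// Delete this file once the check is done.
```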

RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
I finally got Shibboleth to work properly on the default /secure directory, and the Shibboleth attributes in $_SERVER are now present, including SHIB_EPPN. However, after authenticating, I am still getting back to the VCL login page.

I double checked the httpd.conf and shib.conf for any other blocks that may be enforcing Shibboleth and the only one is in .htaccess in the /vcl directory with the following lines:

AuthType shibboleth
ShibRequireSession Off
require shibboleth

In the affiliation database I set the shibname back to null on an existing affiliation, so everything is back to default settings per se.


Should I retry the shibboleth instructions using the /shibauth directory or do you think I should try something else?

Thanks




From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 6:21 PM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low


You might want to look at this documentation

Mike

https://wiki.shibboleth.net/confluence/display/SP3/ADFS



On Mon, Sep 14, 2020 at 6:17 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
The idp is ADFS. I don't see a RequestMap block in shibboleth2.xml so I attached a copy replacing values with MYDOMAIN.

Thanks

________________________________
From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 5:59 PM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Can you tell me what your RequestMap section looks like in your shibboleth2.xml file?

On Mon, Sep 14, 2020 at 5:57 PM Mike Jennings <gm...@ncsu.edu> wrote:
Nope, you should not....

Are you running a Shibboleth IdP or an ADFS?

Mike

On Mon, Sep 14, 2020 at 5:18 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
Tried that, but same result.

In the Shibboleth2.xml file, should REMOTE_USER = “eduPersonPrincipalName” be changed to SHIB_EPPN as well?

Thanks



From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 5:14 PM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low

try setting ShibRequireSession On

Mike

On Mon, Sep 14, 2020 at 5:07 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
I made the change but it still doesn’t show up in $_SERVER. Shibboleth.sso/Session now shows SHIB_EPPN for the attribute name after updating the attribute map xml.

Thanks





From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 5:02 PM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low

Yes, after checking the attribute-map.xml file that you sent me, change the eppn lines to SHIB_EPPN and then reboot the shibd process....

This should pick up the changes in the attribute map and make things work.

Mike

On Mon, Sep 14, 2020 at 5:00 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
Yes, I looked through the shibd.log initially and it looked normal, no errors that would give a clue to what is happening. I have a test.php file in the vcl directory and it prints out many variables except for anything related to Shibboleth. I've attached the attribute-map.xml file.

Thanks



________________________________
From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 4:46 PM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Have you looked for any errors in the shibd.log or the transaction.logs of the shibboleth service provider?

Also have you tried to add a php file to dump the data in the vcl directory that contains

<?php print_r($_SERVER) ?>

and what does that print out?

Also can you send me a copy of your attribute-map.xml file?

Mike

On Mon, Sep 14, 2020 at 4:35 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
Hi Mike,

Both Shibboleth.sso/Status and Shibboleth.sso/Session indicate that the Shibboleth SP appears to be running correctly. I can see eppn, mail and displayname (haven’t included affiliation) in the session after authenticating.

I just can’t figure out why the $_SERVER variable does not have any Shibboleth data even though the session is established. Because of this, the authentication in VCL is not working.

I have a .htaccess file in the /var/www/html/vcl directory with the following:

Authtype shibboleth
ShibRequireSession off
Require shibboleth

So when I select the configured SSO option in the VCL login, I get redirected to my identity provider and it gets redirected back to the /vcl webpage but it doesn’t log in.

Thanks





From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 11:17 AM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low

Martinez,

Sorry I am a little late to the game here.

It has been a long time since I have worked with a Shibboleth SP.

I am currently assuming that you have set up the Shibboleth SP on an Apache HTTPS server.

I am assuming that you can do the initial test correctly:

You can test to ensure that the SP is running properly and the surrounding environment is correct by accessing https://localhost/Shibboleth.sso/Status from the actual web server machine. You MUST use "localhost" as the hostname or it WILL NOT WORK by default. If this test is successful, then the software is ready for further configuration.

You can also access the Status handler from other clients or using a non-localhost name, but only if you change the acl parameter in the configuration to permit your client address or remove it entirely to open up access to anybody. The ACL is present by default because the Status handler can return some arguably sensitive information about your configuration.

You have the attribute-map.xml configured correctly.  You might need to contact the Shibboleth IdP Administrator to verify he is releasing attributes to your SP and what values need to be modified in that file.

Thanks,

Mike Jennings

On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
Hi Josh,

Thanks for this info. The problem is that there is no 'SHIB_EPPN' in the $_SERVER array. There is no other Shibboleth related entry other than the shib session string in HTTP_COOKIE.

Not sure how to correct this. How can the required entry be made to be included in the array?

Thanks



On Sep 11, 2020 5:39 PM, Josh Thompson <jo...@ncsu.edu> wrote:
Hi Ariel,

Toward the top of initGlobals in utils.php, there is a small block of code that tests conditions for each authentication method if the user is not logged in, and if that authentication method's test function returns true, it will then call that authentication method's authentication function.  It's the "else" block that starts on line 176 of the 2.5.1 release.

The shibauth.php module uses testShibAuth as the test function.  All it does is to check for $_SERVER['SHIB_EPPN'] being set.  If it is not set, it will not attempt to authenticate the user using Shibboleth.  An easy way to test this is to temporarily put a file in the same directory as the main VCL index.php that just has this in it:

<?php
print "<pre>\n";
print_r($_SERVER);
print "</pre>\n";
?>

Don't leave the file in there beyond the testing since it can disclose various information about your system.

If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found your problem.  If your Shibboleth configuration is using something different than 'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php.

The VCL php code doesn't log anywhere other than where php errors would be going.  Look into configuring php errors for httpd to get that set up.  My experience has been that systems generally don't log php errors anywhere by default.

Josh




RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
I saw that early on but it says that it doesn’t apply to ADFS 2.0 and beyond. I have ADFS 4.0 (Server 2016). The vast majority of what I configured is based off of the guide “AD FS 2.0 Step-by-Step Guide: Federation with Shibboleth 2” that is linked in the Shibboleth Wiki.

I assumed that because the attributes are in the Shibboleth session, the required info is in place and it is just a matter of figuring out what is missing. I have a thread open in the Shibboleth user mailing list; maybe they can give an idea.

Thanks


Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by Mike Jennings <gm...@ncsu.edu>.
You might want to look at this documentation

Mike

https://wiki.shibboleth.net/confluence/display/SP3/ADFS



> attributes to your sp and what values need to be modified in that file.
>
>
>
> Thanks,
>
>
>
> Mike Jennings
>
>
>
> On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL <AMARTINEZ@hostos.cuny.edu
> <ma...@hostos.cuny.edu><mailto:AMARTINEZ@hostos.cuny.edu
> <ma...@hostos.cuny.edu>>> wrote:
>
> Hi Josh,
>
>
>
> Thanks for this info. The problem is that there is no 'SHIB_EPPN' in the
> $_SERVER array. There is no other Shibboleth related entry other than the
> shib session string HTTP_COOKIE.
>
>
>
> Not sure how to correct this. How can the required entry be made to be
> included in the array?
>
>
>
> Thanks
>
>
>
> On Sep 11, 2020 5:39 PM, Josh Thompson <josh_thompson@ncsu.edu<mailto:
> josh_thompson@ncsu.edu><mailto:josh_thompson@ncsu.edu<mailto:
> josh_thompson@ncsu.edu>>> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Hash: SHA1
>
>
>
> Hi Ariel,
>
>
>
> Toward the top of initGlobals in utils.php, there is a small block of code
>
> that tests conditions for each authentication method if the user is not
> logged
>
> in, and if that authentication method's test function returns true, it will
>
> then call that authentication method's authentication function.  It's the
>
> "else" block that starts on line 176 of the 2.5.1 release.
>
>
>
> The shibauth.php module uses testShibAuth as the test function.  All it
> does
>
> is to check for $_SERVER['SHIB_EPPN'] being set.  If it is not set, it will
>
> not attempt to authenticate the user using Shibboleth.  An easy way to test
>
> this is to temporarily put a file in the same directory as the main VCL
>
> index.php directory that just has this in it:
>
>
>
> <?php
>
> print "<pre>\n";
>
> print_r($_SERVER);
>
> print "</pre>\n";
>
> ?>
>
>
>
> Don't leave the file in there beyond the testing since it can disclose
> various
>
> information about your system.
>
>
>
> If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found your
>
> problem.  If your Shibboleth configuration is using something different
> than
>
> 'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php.
>
>
>
> The VCL php code doesn't log anywhere other than where php errors would be
>
> going.  Look in to configuring php errors for httpd to get that set up.  My
>
> experience has been that systems generally don't log php errors anywhere by
>
> default.
>
>
>
> Josh
>
>
>
> On Thursday, September 10, 2020 1:47:09 PM EDT MARTINEZ, ARIEL wrote:
>
> > I have been looking further into the shibauth.php file to see what is
>
> > supposed to happen when a shibboleth login happens. For starters, it
>
> > creates an affiliation in the affiliation table if it does not find one
>
> > from the attributes received from the identity provider. However it
> doesn't
>
> > seem to be executing that code. It at the very least should have
> generated
>
> > an error message when trying to automatically create an affiliation if it
>
> > failed.
>
> >
>
> > Is there any way to troubleshoot shibauth.php to see what is happening?
> Or
>
> > is this particular function logged somewhere in particular?
>
> >
>
> > Thanks.
>
> >
>
> >
>
> > -----Original Message-----
>
> > From: MARTINEZ, ARIEL
>
> > Sent: Sunday, August 30, 2020 1:11 PM
>
> > To: 'user@vcl.apache.org<ma...@vcl.apache.org><mailto:
> user@vcl.apache.org<ma...@vcl.apache.org>>' <user@vcl.apache.org
> <ma...@vcl.apache.org><mailto:user@vcl.apache.org<mailto:
> user@vcl.apache.org>>>
>
> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> >
>
> > I don't know what else to really try because as far as Shibboleth is
>
> > concerned, it appears to be working. So I went to the
>
> > /Shibboleth.sso/Session URL after logging in and the following is
>
> > displayed, I replaced some values that should not be public:
>
> >
>
> > Miscellaneous
>
> > Session Expiration (barring inactivity): 478 minute(s) Client Address:
>
> > (xx.xx.xx.xxx) SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
> Identity
>
> > Provider: (idp entity ID)
>
> > Authentication Time: 2020-08-30T16:54:23.787Z Authentication Context
> Class:
>
> > urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
>
> > Authentication Context Decl: (none)
>
> >
>
> > Attributes
>
> > affiliation: member@domain.com<ma...@domain.com><mailto:
> member@domain.com<ma...@domain.com>>
>
> > eppn: USER@domain.com<ma...@domain.com><mailto:USER@domain.com
> <ma...@domain.com><mailto:
> user@domain.com<ma...@domain.com>>
>
> > upn: USER@domain.com<ma...@domain.com><mailto:USER@domain.com
> <ma...@domain.com>>
>
> >
>
> >
>
> > Unless eppn should not have two values, as far as I can tell, the proper
>
> > values required by VCL are present. In the VCL database affiliation
> table,
>
> > I have populated an existing VCL Affiliation that is configured to use
> LDAP
>
> > with the domain.com<http://domain.com><http://domain.com> value under
> shibname. I also tried creating a new
>
> > affiliation setting shibonly to 1
>
> >
>
> > I still get the same behavior where, after selecting the Shibboleth
>
> > authentication method and signing in at my idp, it gets redirected back
> to
>
> > the /vcl directory to choose an authentication method.
>
> >
>
> >
>
> > -----Original Message-----
>
> > From: MARTINEZ, ARIEL
>
> > Sent: Thursday, August 27, 2020 3:00 PM
>
> > To: 'user@vcl.apache.org<ma...@vcl.apache.org><mailto:
> user@vcl.apache.org<ma...@vcl.apache.org>>' <user@vcl.apache.org
> <ma...@vcl.apache.org><mailto:user@vcl.apache.org<mailto:
> user@vcl.apache.org>>>
>
> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> >
>
> > After login nothing is happening still. So I moved the test.php file from
>
> > the old Shibboleth instructions to my main VCL directory and set the
>
> > conf.php file to redirect to this file after login and the attributes are
>
> > all undefined.
>
> >
>
> > Is this sufficient to say with a high level of certainty that my IDP is
> not
>
> > sending VCL what it is expecting? Or is the test.php not meant to work
> that
>
> > way?
>
> >
>
> > Thanks
>
> >
>
> > -----Original Message-----
>
> > From: MARTINEZ, ARIEL
>
> > Sent: Wednesday, August 26, 2020 11:14 AM
>
> > To: user@vcl.apache.org<ma...@vcl.apache.org><mailto:
> user@vcl.apache.org<ma...@vcl.apache.org>>
>
> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> >
>
> > Hi Josh,
>
> >
>
> > Last question before I try again, there is no shibboleth affiliation in
> my
>
> > VCL database. So should I be creating a new affiliation for shibboleth
> and
>
> > populating the shibname field, or should I use the existing LDAP
> configured
>
> > affiliation and populate its shibname field?
>
> >
>
> > Thanks
>
> >
>
> > -----Original Message-----
>
> > From: Josh Thompson <josh_thompson@ncsu.edu<mailto:
> josh_thompson@ncsu.edu><mailto:josh_thompson@ncsu.edu<mailto:
> josh_thompson@ncsu.edu>>>
>
> > Sent: Wednesday, August 26, 2020 11:04 AM
>
> > To: user@vcl.apache.org<ma...@vcl.apache.org><mailto:
> user@vcl.apache.org<ma...@vcl.apache.org>>
>
> > Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
>
>
> - --
>
> - -------------------------------
>
> Josh Thompson
>
> VCL Developer
>
> North Carolina State University
>
>
>
> my GPG/PGP key can be found on pool.sks-keyservers.net<
> http://pool.sks-keyservers.net><http://pool.sks-keyservers.net>
>
>
>
> All electronic mail messages in connection with State business which
>
> are sent to or received by this account are subject to the NC Public
>
> Records Law and may be disclosed to third parties.
>
> -----BEGIN PGP SIGNATURE-----
>
>
>
> iF0EARECAB0WIQRMIdRtWXideTZDK31X8tBw1209AwUCX1vuhwAKCRBX8tBw1209
>
> A8DxAJ96eWpTyUnduFw9TVnbqelq8Xyt2ACfUmfmuBolOE+Agkt6ZfQVJ4HjO48=
>
> =jMJR
>
> -----END PGP SIGNATURE-----
>
>

Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
The idp is ADFS. I don't see a RequestMap block in shibboleth2.xml, so I attached a copy replacing values with MYDOMAIN.


Thanks

________________________________
From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 5:59 PM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Can you tell me what your RequestMap section looks like in your shibboleth2.xml file

On Mon, Sep 14, 2020 at 5:57 PM Mike Jennings <gm...@ncsu.edu> wrote:
Nope you should not....

Are you running a Shibboleth IdP or an ADFS?

Mike

On Mon, Sep 14, 2020 at 5:18 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
Tried that, but same result.

In Shibboleth2.xml file, should REMOTE_USER = “eduPersonPrincipalName” be changed to SHIB_EPPN as well?

Thanks

From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 5:14 PM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low

try setting ShibRequireSession On

Mike

On Mon, Sep 14, 2020 at 5:07 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
I made the change but it still doesn’t show up in $_SERVER. Shibboleth.sso/Session now shows SHIB_EPPN for the attribute name after updating the attribute map xml

Thanks


From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 5:02 PM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low

Yes, after checking the attribute-map.xml file that you sent me, change the eppn lines to SHIB_EPPN and then reboot the shibd process....

This should pick up the changes in the attribute map and make things work.

Mike

On Mon, Sep 14, 2020 at 5:00 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
Yes, I looked through the shibd.log initially and it looked normal, with no errors that would give a clue to what is happening. I have a test.php file in the vcl directory and it prints out many variables except for anything related to Shibboleth. I've attached the attribute-map.xml file.


Thanks

________________________________
From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 4:46 PM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Have you looked for any errors in the shibd.log or the transaction.logs of the Shibboleth service provider?

Also have you tried to add a php file to dump the data in the vcl directory that contains

<?php print_r($_SERVER) ?>

and what does that print out

Also can you send me a copy of your attribute-map.xml file

Mike

On Mon, Sep 14, 2020 at 4:35 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
Hi Mike,

Both Shibboleth.sso/Status and Shibboleth.sso/Session indicate that the Shibboleth SP appears to be running correctly. I can see eppn, mail and displayname (haven’t included affiliation) in the session after authenticating.

I just can’t figure out why the $_SERVER variable does not have any Shibboleth data even though the session is established. Because of this, the authentication in VCL is not working.

I have a .htaccess file in /var/www/html/vcl directory with the following:

Authtype shibboleth
ShibRequireSession off
Require shibboleth

So when I select the configured  SSO option in the VCL login, I get redirected to my identity provider and it gets redirected back to the /vcl webpage but it doesn’t log in.

Thanks


From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 11:17 AM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low

Martinez,

Sorry I am a little late to the game here.

It has been a long time since I have worked with a Shibboleth SP.

I am currently assuming that you have setup the Shibboleth SP on an Apache HTTPS server.

I am assuming that you can do the initial test correctly


You can test to ensure that the SP is running properly and the surrounding environment is correct by accessing https://localhost/Shibboleth.sso/Status from the actual web server machine. You MUST use "localhost" as the hostname or it WILL NOT WORK by default. If this test is successful, then the software is ready for further configuration.

You can also access the Status handler from other clients or using a non-localhost name, but only if you change the acl parameter in the configuration to permit your client address or remove it entirely to open up access to anybody. The ACL is present by default because the Status handler can return some arguably sensitive information about your configuration.


You have the attribute-map.xml configured correctly.  You might need to contact the Shibboleth IdP Administrator to verify he is releasing attributes to your sp and what values need to be modified in that file.

Thanks,

Mike Jennings

On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
Hi Josh,

Thanks for this info. The problem is that there is no 'SHIB_EPPN' in the $_SERVER array. There is no other Shibboleth related entry other than the shib session string HTTP_COOKIE.

Not sure how to correct this. How can the required entry be made to be included in the array?

Thanks

On Sep 11, 2020 5:39 PM, Josh Thompson <jo...@ncsu.edu> wrote:

Hi Ariel,

Toward the top of initGlobals in utils.php, there is a small block of code
that tests conditions for each authentication method if the user is not logged
in, and if that authentication method's test function returns true, it will
then call that authentication method's authentication function.  It's the
"else" block that starts on line 176 of the 2.5.1 release.

The shibauth.php module uses testShibAuth as the test function.  All it does
is to check for $_SERVER['SHIB_EPPN'] being set.  If it is not set, it will
not attempt to authenticate the user using Shibboleth.  An easy way to test
this is to temporarily put a file in the same directory as the main VCL
index.php directory that just has this in it:

<?php
print "<pre>\n";
print_r($_SERVER);
print "</pre>\n";
?>

Don't leave the file in there beyond the testing since it can disclose various
information about your system.

If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found your
problem.  If your Shibboleth configuration is using something different than
'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php.

The VCL php code doesn't log anywhere other than where php errors would be
going.  Look in to configuring php errors for httpd to get that set up.  My
experience has been that systems generally don't log php errors anywhere by
default.

Josh

On Thursday, September 10, 2020 1:47:09 PM EDT MARTINEZ, ARIEL wrote:
> I have been looking further into the shibauth.php file to see what is
> supposed to happen when a shibboleth login happens. For starters, it
> creates an affiliation in the affiliation table if it does not find one
> from the attributes received from the identity provider. However it doesn't
> seem to be executing that code. It at the very least should have generated
> an error message when trying to automatically create an affiliation if it
> failed.
>
> Is there any way to troubleshoot shibauth.php to see what is happening? Or
> is this particular function logged somewhere in particular?
>
> Thanks.
>
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Sunday, August 30, 2020 1:11 PM
> To: user@vcl.apache.org
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> I don't know what else to really try because as far as Shibboleth is
> concerned, it appears to be working. So I went to the
> /Shibboleth.sso/Session URL after logging in and the following is
> displayed, I replaced some values that should not be public:
>
> Miscellaneous
> Session Expiration (barring inactivity): 478 minute(s) Client Address:
> (xx.xx.xx.xxx) SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol Identity
> Provider: (idp entity ID)
> Authentication Time: 2020-08-30T16:54:23.787Z Authentication Context Class:
> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> Authentication Context Decl: (none)
>
> Attributes
> affiliation: member@domain.com
> eppn: USER@domain.com;user@domain.com
> upn: USER@domain.com
>
>
> Unless eppn should not have two values, as far as I can tell, the proper
> values required by VCL are present. In the VCL database affiliation table,
> I have populated an existing VCL Affiliation that is configured to use LDAP
> with the domain.com value under shibname. I also tried creating a new
> affiliation setting shibonly to 1
>
> I still get the same behavior where, after selecting the Shibboleth
> authentication method and signing in at my idp, it gets redirected back to
> the /vcl directory to choose an authentication method.
>
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Thursday, August 27, 2020 3:00 PM
> To: user@vcl.apache.org
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> After login nothing is happening still. So I moved the test.php file from
> the old Shibboleth instructions to my main VCL directory and set the
> conf.php file to redirect to this file after login and the attributes are
> all undefined.
>
> Is this sufficient to say with a high level of certainty that my IDP is not
> sending VCL what it is expecting? Or is the test.php not meant to work that
> way?
>
> Thanks
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Wednesday, August 26, 2020 11:14 AM
> To: user@vcl.apache.org
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> Hi Josh,
>
> Last question before I try again, there is no shibboleth affiliation in my
> VCL database. So should I be creating a new affiliation for shibboleth and
> populating the shibname field, or should I use the existing LDAP configured
> affiliation and populate its shibname field?
>
> Thanks
>
> -----Original Message-----
> From: Josh Thompson <jo...@ncsu.edu>
> Sent: Wednesday, August 26, 2020 11:04 AM
> To: user@vcl.apache.org
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

- --
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found on pool.sks-keyservers.net

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
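The mismatch Josh and Mike track down above is that VCL's testShibAuth reads $_SERVER['SHIB_EPPN'] while the stock attribute-map.xml exports the attribute under the id "eppn", so mod_shib never sets that variable. The following is an added example, not VCL's code or anything posted in the thread: an offline check of an attribute-map.xml against the ids an application expects, with a constructed sample map; the SHIB_MAIL entry and the SHIB_ prefix heuristic are assumptions, and the expected-id list should be whatever your shibauth.php actually reads.

```python
"""Offline check of a Shibboleth SP attribute-map.xml against the $_SERVER
keys a web app expects (VCL's testShibAuth looks for SHIB_EPPN)."""
import xml.etree.ElementTree as ET

# Namespace used by the Shibboleth SP attribute map.
ATTRMAP_NS = "urn:mace:shibboleth:2.0:attribute-map"

# Constructed sample, not a real site's file: eppn is still exported under
# its stock id "eppn" (both the OID and legacy-name forms, hence Mike's
# "eppn lines" in the plural), so mod_shib never sets SHIB_EPPN.
SAMPLE_ATTRIBUTE_MAP = """<?xml version="1.0" encoding="UTF-8"?>
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="SHIB_MAIL"/>
    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
</Attributes>
"""

# SHIB_EPPN is what the thread says VCL checks; SHIB_MAIL is a placeholder
# (assumption) for whatever else your shibauth.php reads from $_SERVER.
EXPECTED_IDS = ["SHIB_EPPN", "SHIB_MAIL"]


def parse_attribute_ids(xml_text):
    """Map each exported id to the SAML attribute names that feed it."""
    root = ET.fromstring(xml_text)
    ids = {}
    for attr in root.iter("{%s}Attribute" % ATTRMAP_NS):
        aid, name = attr.get("id"), attr.get("name")
        if aid and name:
            ids.setdefault(aid, []).append(name)
    return ids


def check_expected_ids(ids, expected):
    """Return (present, missing): ids the SP will export vs. ids the app
    reads that no <Attribute> line produces."""
    present = {e: ids[e] for e in expected if e in ids}
    missing = [e for e in expected if e not in ids]
    return present, missing


def suggest_renames(ids, expected):
    """For a missing SHIB_xxx id, find an existing id whose name matches
    'xxx' case-insensitively, i.e. the line(s) whose id= must change."""
    suggestions = {}
    for e in expected:
        if e in ids:
            continue
        base = e[len("SHIB_"):] if e.upper().startswith("SHIB_") else e
        for existing in ids:
            if existing.lower() == base.lower():
                suggestions[e] = existing
    return suggestions


def report(xml_text, expected=EXPECTED_IDS):
    """Print a summary; return True only when every expected id is mapped."""
    ids = parse_attribute_ids(xml_text)
    present, missing = check_expected_ids(ids, expected)
    for aid, names in present.items():
        print("OK      %-14s <- %s" % (aid, ", ".join(names)))
    for aid in missing:
        hint = suggest_renames(ids, [aid]).get(aid)
        fix = ""
        if hint:
            fix = (' (change id="%s" to id="%s" on %d line(s), then restart shibd)'
                   % (hint, aid, len(ids[hint])))
        print("MISSING %-14s never exported by this map%s" % (aid, fix))
    return not missing


if __name__ == "__main__":
    # Run against the constructed sample: reports SHIB_EPPN as missing and
    # points at the two "eppn" lines, exactly the fix Mike describes.
    report(SAMPLE_ATTRIBUTE_MAP)
```

Run it against /etc/shibboleth/attribute-map.xml (assumed default path) before restarting shibd; a missing id here means the print_r($_SERVER) test above will never show it either.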

Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by Mike Jennings <gm...@ncsu.edu>.
Can you tell me what your RequestMap section looks like in your
shibboleth2.xml file

On Mon, Sep 14, 2020 at 5:57 PM Mike Jennings <gm...@ncsu.edu> wrote:

> Nope you should not....
>
> Are you running a shibboleth idp or a adfs
>
> Mike
>
> On Mon, Sep 14, 2020 at 5:18 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu>
> wrote:
>
>> Tried that, but same result.
>>
>>
>>
>> In Shibboleth2.xml file, should REMOTE_USER = “eduPersonPrincipalName” be
>> changed to SHIB_EPPN as well?
>>
>>
>>
>> Thanks
>>
>>
>>
>> *From:* Mike Jennings <gm...@ncsu.edu>
>> *Sent:* Monday, September 14, 2020 5:14 PM
>> *To:* user@vcl.apache.org
>> *Subject:* Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO
>> Authentication
>> *Importance:* Low
>>
>>
>>
>> try setting ShibRequireSession On
>>
>>
>>
>> Mike
>>
>>
>>
>> On Mon, Sep 14, 2020 at 5:07 PM MARTINEZ, ARIEL <
>> AMARTINEZ@hostos.cuny.edu> wrote:
>>
>> I made the change but it still doesn’t show up in $_SERVER.
>> Shibboleth.sso/Session now shows SHIB_EPPN for the attribute name after
>> updating the attribute map xml
>>
>>
>>
>> Thanks
>>
>>
>>
>>
>>
>> *From:* Mike Jennings <gm...@ncsu.edu>
>> *Sent:* Monday, September 14, 2020 5:02 PM
>> *To:* user@vcl.apache.org
>> *Subject:* Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO
>> Authentication
>> *Importance:* Low
>>
>>
>>
>> Yes, after checking the attribute-map.xml file that you sent me, change
>> the eppn lines to SHIB_EPPN and then reboot the shibd process....
>>
>>
>>
>> This should pick up the changes in the attribute map and make things work.
>>
>>
>>
>> Mike
>>
>>
>>
>> On Mon, Sep 14, 2020 at 5:00 PM MARTINEZ, ARIEL <
>> AMARTINEZ@hostos.cuny.edu> wrote:
>>
>> Yes, I looked through the shibd.log initially and it looked normal no
>> errors that would give a clue to what is happening. I have a test.php file
>> in the vcl directory and it prints out many variables except for anything
>> related to Shibboleth. I've attached the attribute-map.xml file.
>>
>>
>> Thanks
>>
>> ________________________________
>> From: Mike Jennings <gm...@ncsu.edu>
>> Sent: Monday, September 14, 2020 4:46 PM
>> To: user@vcl.apache.org
>> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>>
>> Have you looked for any errors in the shibd.log or the transaction.logs
>> of the shibboleth service provider.
>>
>> Also have you tried to add a php file to dump the data in the vcl
>> directory that contains
>>
>> <?php print_r($_SERVER) ?>
>>
>> and what does that print out
>>
>> Also can you send me a copy of your attribute-map.xml file
>>
>> Mike
>>
>> On Mon, Sep 14, 2020 at 4:35 PM MARTINEZ, ARIEL <
>> AMARTINEZ@hostos.cuny.edu<ma...@hostos.cuny.edu>> wrote:
>> Hi Mike,
>>
>> Both Shibboleth.sso/Status and Shibboleth.sso/Session indicate that the
>> Shibboleth SP appears to be running correctly. I can see eppn, mail and
>> displayname (haven’t included affiliation) in the session after
>> authenticating.
>>
>> I just can’t figure out why the $_SERVER variable does not have any
>> Shibboleth data even though the session is established. Because of this,
>> the authentication in VCL is not working.
>>
>> I have a .htaccess file in /var/www/html/vcl directory with the following:
>>
>> Authtype shibboleth
>> ShibRequireSession off
>> Require shibboleth
>>
>> So when I select the configured  SSO option in the VCL login, I get
>> redirected to my identity provider and it gets redirected back to the /vcl
>> webpage but it doesn’t log in.
>>
>> Thanks
>>
>>
>> From: Mike Jennings <gm...@ncsu.edu>>
>> Sent: Monday, September 14, 2020 11:17 AM
>> To: user@vcl.apache.org<ma...@vcl.apache.org>
>> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>> Importance: Low
>>
>> Martinez,
>>
>> Sorry I am a little late to the game here.
>>
>> It has been a long time since I have worked with a Shibboleth SP.
>>
>> I am currently assuming that you have setup the Shibboleth SP on a Apache
>> HTTPS server.
>>
>> I am assuming that you can do the initial test correctly
>>
>>
>> You can test to ensure that the SP is running properly and the
>> surrounding environment is correct by accessing
>> https://localhost/Shibboleth.sso/Status from the actual web server
>> machine. You MUST use "localhost" as the hostname or it WILL NOT WORK by
>> default. If this test is successful, then the software is ready for further
>> configuration.
>>
>> You can also access the Status handler from other clients or using a
>> non-localhost name, but only if you change the acl parameter in the
>> configuration to permit your client address or remove it entirely to open
>> up access to anybody. The ACL is present by default because the Status
>> handler can return some arguably sensitive information about your
>> configuration.
>>
>>
>> You have the attribute-map.xml configured correctly.  You might need to
>> contact the Shibboleth IdP Administrator to verify he is releasing
>> attributes to your sp and what values need to be modified in that file.
>>
>> Thanks,
>>
>> Mike Jennings
>>
>> On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL <
>> AMARTINEZ@hostos.cuny.edu<ma...@hostos.cuny.edu>> wrote:
>> Hi Josh,
>>
>> Thanks for this info. The problem is that there is no 'SHIB_EPPN' in the
>> $_SERVER array. There is no other Shibboleth related entry other than the
>> shib session string HTTP_COOKIE.
>>
>> Not sure how to correct this. How can the required entry be made to be
>> included in the array?
>>
>> Thanks
>>
>> On Sep 11, 2020 5:39 PM, Josh Thompson <josh_thompson@ncsu.edu<mailto:
>> josh_thompson@ncsu.edu>> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hi Ariel,
>>
>> Toward the top of initGlobals in utils.php, there is a small block of code
>> that tests conditions for each authentication method if the user is not
>> logged
>> in, and if that authentication method's test function returns true, it
>> will
>> then call that authentication method's authentication function.  It's the
>> "else" block that starts on line 176 of the 2.5.1 release.
>>
>> The shibauth.php module uses testShibAuth as the test function.  All it
>> does
>> is to check for $_SERVER['SHIB_EPPN'] being set.  If it is not set, it
>> will
>> not attempt to authenticate the user using Shibboleth.  An easy way to
>> test
>> this is to temporarily put a file in the same directory as the main VCL
>> index.php directory that just has this in it:
>>
>> <?php
>> print "<pre>\n";
>> print_r($_SERVER);
>> print "</pre>\n";
>> ?>
>>
>> Don't leave the file in there beyond the testing since it can disclose
>> various
>> information about your system.
>>
>> If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found
>> your
>> problem.  If your Shibboleth configuration is using something different
>> than
>> 'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php.
>>
>> The VCL php code doesn't log anywhere other than where php errors would be
>> going.  Look in to configuring php errors for httpd to get that set up.
>> My
>> experience has been that systems generally don't log php errors anywhere
>> by
>> default.
>>
>> Josh
>>
>> On Thursday, September 10, 2020 1:47:09 PM EDT MARTINEZ, ARIEL wrote:
>> > I have been looking further into the shibauth.php file to see what is
>> > supposed to happen when a shibboleth login happens. For starters, it
>> > creates an affiliation in the affiliation table if it does not find one
>> > from the attributes received from the identity provider. However it
>> doesn't
>> > seem to be executing that code. It at the very least should have
>> generated
>> > an error message when trying to automatically create an affiliation if
>> it
>> > failed.
>> >
>> > Is there any way to troubleshoot shibauth.php to see what is happening?
>> Or
>> > is this particular function logged somewhere in particular?
>> >
>> > Thanks.
>> >
>> >
>> > -----Original Message-----
>> > From: MARTINEZ, ARIEL
>> > Sent: Sunday, August 30, 2020 1:11 PM
>> > To: 'user@vcl.apache.org<ma...@vcl.apache.org>' <
>> user@vcl.apache.org<ma...@vcl.apache.org>>
>> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>> >
>> > I don't know what else to really try because as far as Shibboleth is
>> > concerned, it appears to be working. So I went to the
>> > /Shibboleth.sso/Session URL after logging in and the following is
>> > displayed, I replaced some values that should not be public:
>> >
>> > Miscellaneous
>> > Session Expiration (barring inactivity): 478 minute(s) Client Address:
>> > (xx.xx.xx.xxx) SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
>> Identity
>> > Provider: (idp entity ID)
>> > Authentication Time: 2020-08-30T16:54:23.787Z Authentication Context
>> Class:
>> > urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
>> > Authentication Context Decl: (none)
>> >
>> > Attributes
>> > affiliation: member@domain.com<ma...@domain.com>
>> > eppn: USER@domain.com<ma...@domain.com>;user@domain.com<mailto:
>> user@domain.com>
>> > upn: USER@domain.com<ma...@domain.com>
>> >
>> >
>> > Unless eppn should not have two values, as far as I can tell, the proper
>> > values required by VCL are present. In the VCL database affiliation
>> table,
>> > I have populated an existing VCL Affiliation that is configured to use
>> LDAP
>> > with the domain.com<http://domain.com> value under shibname. I also
>> tried creating a new
>> > affiliation setting shibonly to 1
>> >
>> > I still get the same behavior where, after selecting the Shibboleth
>> > authentication method and signing in at my idp, it gets redirected back
>> to
>> > the /vcl directory to choose an authentication method.
>> >
>> >
>> > -----Original Message-----
>> > From: MARTINEZ, ARIEL
>> > Sent: Thursday, August 27, 2020 3:00 PM
>> > To: 'user@vcl.apache.org<ma...@vcl.apache.org>' <
>> user@vcl.apache.org<ma...@vcl.apache.org>>
>> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>> >
>> > After login nothing is happening still. So I moved the test.php file
>> from
>> > the old Shibboleth instructions to my main VCL directory and set the
>> > conf.php file to redirect to this file after login and the attributes
>> are
>> > all undefined.
>> >
>> > Is this sufficient to say with a high level of certainty that my IDP is
>> not
>> > sending VCL what it is expecting? Or is the test.php not meant to work
>> that
>> > way?
>> >
>> > Thanks
>> >
>> > -----Original Message-----
>> > From: MARTINEZ, ARIEL
>> > Sent: Wednesday, August 26, 2020 11:14 AM
>> > To: user@vcl.apache.org<ma...@vcl.apache.org>
>> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>> >
>> > Hi Josh,
>> >
>> > Last question before I try again, there is no shibboleth affiliation in my
>> > VCL database. So should I be creating a new affiliation for shibboleth and
>> > populating the shibname field, or should I use the existing LDAP configured
>> > affiliation and populate its shibname field?
>> >
>> > Thanks
>> >
>> > -----Original Message-----
>> > From: Josh Thompson <josh_thompson@ncsu.edu>
>> > Sent: Wednesday, August 26, 2020 11:04 AM
>> > To: user@vcl.apache.org
>> > Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>>
>> - --
>> - -------------------------------
>> Josh Thompson
>> VCL Developer
>> North Carolina State University
>>
>> my GPG/PGP key can be found on pool.sks-keyservers.net
>>
>> All electronic mail messages in connection with State business which
>> are sent to or received by this account are subject to the NC Public
>> Records Law and may be disclosed to third parties.
>> -----BEGIN PGP SIGNATURE-----
>>
>> iF0EARECAB0WIQRMIdRtWXideTZDK31X8tBw1209AwUCX1vuhwAKCRBX8tBw1209
>> A8DxAJ96eWpTyUnduFw9TVnbqelq8Xyt2ACfUmfmuBolOE+Agkt6ZfQVJ4HjO48=
>> =jMJR
>> -----END PGP SIGNATURE-----
>>
>>

Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by Mike Jennings <gm...@ncsu.edu>.
Nope, you should not....

Are you running a Shibboleth IdP or an ADFS?

Mike

On Mon, Sep 14, 2020 at 5:18 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu>
wrote:

> Tried that, but same result.
>
>
>
> In Shibboleth2.xml file, should REMOTE_USER = “eduPersonPrincipalName” be
> changed to SHIB_EPPN as well?
>
>
>
> Thanks
>
>
>
> *From:* Mike Jennings <gm...@ncsu.edu>
> *Sent:* Monday, September 14, 2020 5:14 PM
> *To:* user@vcl.apache.org
> *Subject:* Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> *Importance:* Low
>
>
>
> try setting ShibRequireSession On
>
>
>
> Mike
>
>
>
> On Mon, Sep 14, 2020 at 5:07 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu>
> wrote:
>
> I made the change but it still doesn’t show up in $_SERVER.
> Shibboleth.sso/Session now shows SHIB_EPPN for the attribute name after
> updating the attribute map xml
>
>
>
> Thanks
>
>
>
>
>
> *From:* Mike Jennings <gm...@ncsu.edu>
> *Sent:* Monday, September 14, 2020 5:02 PM
> *To:* user@vcl.apache.org
> *Subject:* Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> *Importance:* Low
>
>
>
> Yes, after checking the attribute-map.xml file that you sent me, change
> the eppn lines to SHIB_EPPN and then reboot the shibd process....
>
>
>
> This should pick up the changes in the attribute map and make things work.
>
>
>
> Mike
>
>
>
> On Mon, Sep 14, 2020 at 5:00 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu>
> wrote:
>
> Yes, I looked through the shibd.log initially and it looked normal no
> errors that would give a clue to what is happening. I have a test.php file
> in the vcl directory and it prints out many variables except for anything
> related to Shibboleth. I've attached the attribute-map.xml file.
>
>
> Thanks
>
> ________________________________
> From: Mike Jennings <gm...@ncsu.edu>
> Sent: Monday, September 14, 2020 4:46 PM
> To: user@vcl.apache.org
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> Have you looked for any errors in the shibd.log or the transaction.logs of
> the shibboleth service provider.
>
> Also have you tried to add a php file to dump the data in the vcl
> directory that contains
>
> <?php print_r($_SERVER) ?>
>
> and what does that print out
>
> Also can you send me a copy of your attribute-map.xml file
>
> Mike
>
> On Mon, Sep 14, 2020 at 4:35 PM MARTINEZ, ARIEL <AMARTINEZ@hostos.cuny.edu> wrote:
> Hi Mike,
>
> Both Shibboleth.sso/Status and Shibboleth.sso/Session indicate that the
> Shibboleth SP appears to be running correctly. I can see eppn, mail and
> displayname (haven’t included affiliation) in the session after
> authenticating.
>
> I just can’t figure out why the $_SERVER variable does not have any
> Shibboleth data even though the session is established. Because of this,
> the authentication in VCL is not working.
>
> I have a .htaccess file in /var/www/html/vcl directory with the following:
>
> Authtype shibboleth
> ShibRequireSession off
> Require shibboleth
>
> So when I select the configured  SSO option in the VCL login, I get
> redirected to my identity provider and it gets redirected back to the /vcl
> webpage but it doesn’t log in.
>
> Thanks
>
>
> From: Mike Jennings <gm...@ncsu.edu>
> Sent: Monday, September 14, 2020 11:17 AM
> To: user@vcl.apache.org
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> Importance: Low
>
> Martinez,
>
> Sorry I am a little late to the game here.
>
> It has been a long time since I have worked with a Shibboleth SP.
>
> I am currently assuming that you have setup the Shibboleth SP on a Apache
> HTTPS server.
>
> I am assuming that you can do the initial test correctly
>
>
> You can test to ensure that the SP is running properly and the surrounding
> environment is correct by accessing
> https://localhost/Shibboleth.sso/Status from the actual web server
> machine. You MUST use "localhost" as the hostname or it WILL NOT WORK by
> default. If this test is successful, then the software is ready for further
> configuration.
>
> You can also access the Status handler from other clients or using a
> non-localhost name, but only if you change the acl parameter in the
> configuration to permit your client address or remove it entirely to open
> up access to anybody. The ACL is present by default because the Status
> handler can return some arguably sensitive information about your
> configuration.
>
>
> You have the attribute-map.xml configured correctly.  You might need to
> contact the Shibboleth IdP Administrator to verify he is releasing
> attributes to your sp and what values need to be modified in that file.
>
> Thanks,
>
> Mike Jennings
>
> On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL <AMARTINEZ@hostos.cuny.edu> wrote:
> Hi Josh,
>
> Thanks for this info. The problem is that there is no 'SHIB_EPPN' in the
> $_SERVER array. There is no other Shibboleth related entry other than the
> shib session string HTTP_COOKIE.
>
> Not sure how to correct this. How can the required entry be made to be
> included in the array?
>
> Thanks
>
> On Sep 11, 2020 5:39 PM, Josh Thompson <josh_thompson@ncsu.edu> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Ariel,
>
> Toward the top of initGlobals in utils.php, there is a small block of code
> that tests conditions for each authentication method if the user is not logged
> in, and if that authentication method's test function returns true, it will
> then call that authentication method's authentication function.  It's the
> "else" block that starts on line 176 of the 2.5.1 release.
>
> The shibauth.php module uses testShibAuth as the test function.  All it does
> is to check for $_SERVER['SHIB_EPPN'] being set.  If it is not set, it will
> not attempt to authenticate the user using Shibboleth.  An easy way to test
> this is to temporarily put a file in the same directory as the main VCL
> index.php directory that just has this in it:
>
> <?php
> print "<pre>\n";
> print_r($_SERVER);
> print "</pre>\n";
> ?>
>
> Don't leave the file in there beyond the testing since it can disclose various
> information about your system.
>
> If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found your
> problem.  If your Shibboleth configuration is using something different than
> 'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php.
>
> The VCL php code doesn't log anywhere other than where php errors would be
> going.  Look in to configuring php errors for httpd to get that set up.  My
> experience has been that systems generally don't log php errors anywhere by
> default.
>
> Josh
>
> On Thursday, September 10, 2020 1:47:09 PM EDT MARTINEZ, ARIEL wrote:
> > I have been looking further into the shibauth.php file to see what is
> > supposed to happen when a shibboleth login happens. For starters, it
> > creates an affiliation in the affiliation table if it does not find one
> > from the attributes received from the identity provider. However it doesn't
> > seem to be executing that code. It at the very least should have generated
> > an error message when trying to automatically create an affiliation if it
> > failed.
> >
> > Is there any way to troubleshoot shibauth.php to see what is happening? Or
> > is this particular function logged somewhere in particular?
> >
> > Thanks.
> >
> >
> > -----Original Message-----
> > From: MARTINEZ, ARIEL
> > Sent: Sunday, August 30, 2020 1:11 PM
> > To: 'user@vcl.apache.org' <user@vcl.apache.org>
> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> >
> > I don't know what else to really try because as far as Shibboleth is
> > concerned, it appears to be working. So I went to the
> > /Shibboleth.sso/Session URL after logging in and the following is
> > displayed, I replaced some values that should not be public:
> >
> > Miscellaneous
> > Session Expiration (barring inactivity): 478 minute(s)
> > Client Address: (xx.xx.xx.xxx)
> > SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
> > Identity Provider: (idp entity ID)
> > Authentication Time: 2020-08-30T16:54:23.787Z
> > Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> > Authentication Context Decl: (none)
> >
> > Attributes
> > affiliation: member@domain.com
> > eppn: USER@domain.com;user@domain.com
> > upn: USER@domain.com
> >
> >
> > Unless eppn should not have two values, as far as I can tell, the proper
> > values required by VCL are present. In the VCL database affiliation table,
> > I have populated an existing VCL Affiliation that is configured to use LDAP
> > with the domain.com value under shibname. I also tried creating a new
> > affiliation setting shibonly to 1
> >
> > I still get the same behavior where, after selecting the Shibboleth
> > authentication method and signing in at my idp, it gets redirected back to
> > the /vcl directory to choose an authentication method.
> >
> >
> > -----Original Message-----
> > From: MARTINEZ, ARIEL
> > Sent: Thursday, August 27, 2020 3:00 PM
> > To: 'user@vcl.apache.org' <user@vcl.apache.org>
> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> >
> > After login nothing is happening still. So I moved the test.php file from
> > the old Shibboleth instructions to my main VCL directory and set the
> > conf.php file to redirect to this file after login and the attributes are
> > all undefined.
> >
> > Is this sufficient to say with a high level of certainty that my IDP is not
> > sending VCL what it is expecting? Or is the test.php not meant to work that
> > way?
> >
> > Thanks
> >
> > -----Original Message-----
> > From: MARTINEZ, ARIEL
> > Sent: Wednesday, August 26, 2020 11:14 AM
> > To: user@vcl.apache.org
> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> >
> > Hi Josh,
> >
> > Last question before I try again, there is no shibboleth affiliation in my
> > VCL database. So should I be creating a new affiliation for shibboleth and
> > populating the shibname field, or should I use the existing LDAP configured
> > affiliation and populate its shibname field?
> >
> > Thanks
> >
> > -----Original Message-----
> > From: Josh Thompson <josh_thompson@ncsu.edu>
> > Sent: Wednesday, August 26, 2020 11:04 AM
> > To: user@vcl.apache.org
> > Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
>
>

RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
Tried that, but same result.

In Shibboleth2.xml file, should REMOTE_USER = “eduPersonPrincipalName” be changed to SHIB_EPPN as well?

Thanks

From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 5:14 PM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low

try setting ShibRequireSession On

Mike

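The question above about REMOTE_USER in shibboleth2.xml, and the earlier advice to rename the eppn entries in attribute-map.xml to SHIB_EPPN, come down to a single chain of names: the `id` of each <Attribute> in attribute-map.xml is the variable name mod_shib exports, the REMOTE_USER attribute on ApplicationDefaults in shibboleth2.xml lists those same ids, and VCL's testShibAuth reads the exported name from $_SERVER. The script below is an added example for this page (my code, not the VCL project's and not posted by anyone in the thread). It cross-checks the two SP files against the names the application expects, shows the name PHP sees when the SP is switched to ShibUseHeaders On, and splits a multi-valued eppn such as the USER@domain.com;user@domain.com value shown in the Session handler output. The XML fragments are constructed for the example; EXPECTED_VARS is an assumption drawn from the thread, which only establishes that SHIB_EPPN is checked.

```python
"""Cross-check a Shibboleth SP attribute-map.xml and shibboleth2.xml against
the $_SERVER names a PHP application (here VCL's shibauth.php) reads.

Added example for this thread, not code from the VCL project or any poster.
The XML below is constructed; EXPECTED_VARS is an assumption (the thread only
shows testShibAuth checking $_SERVER['SHIB_EPPN']).
"""
import xml.etree.ElementTree as ET

EXPECTED_VARS = ("SHIB_EPPN",)

# Constructed sample: two source names (OID and legacy URN) mapped to one id,
# plus affiliation left under its stock id.
SAMPLE_ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="SHIB_EPPN">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
  </Attribute>
  <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="SHIB_EPPN">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
  </Attribute>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
  </Attribute>
</Attributes>"""

# Constructed sample: REMOTE_USER still names the stock id "eppn", which no
# longer exists once the map above renamed it to SHIB_EPPN.
SAMPLE_SHIBBOLETH2 = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://vcl.example.edu/shibboleth"
      REMOTE_USER="eppn persistent-id targeted-id"/>
</SPConfig>"""


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def exported_ids(attribute_map_xml):
    """Return {id: [source attribute names]} for every <Attribute> in the map.
    The id is the variable mod_shib exports, i.e. the key PHP sees in $_SERVER."""
    ids = {}
    for el in ET.fromstring(attribute_map_xml).iter():
        if _local(el.tag) == "Attribute" and "id" in el.attrib:
            ids.setdefault(el.attrib["id"], []).append(el.attrib.get("name", ""))
    return ids


def remote_user_ids(shibboleth2_xml):
    """Return the ids listed in ApplicationDefaults/@REMOTE_USER, in order."""
    for el in ET.fromstring(shibboleth2_xml).iter():
        if _local(el.tag) == "ApplicationDefaults":
            return el.attrib.get("REMOTE_USER", "").split()
    return []


def check_config(attribute_map_xml, shibboleth2_xml, expected=EXPECTED_VARS):
    """Report ids the application expects but the map lacks, and REMOTE_USER
    entries that refer to ids the map does not define."""
    ids = exported_ids(attribute_map_xml)
    return {
        "exported": sorted(ids),
        "missing_expected": [v for v in expected if v not in ids],
        "remote_user_undefined": [r for r in remote_user_ids(shibboleth2_xml) if r not in ids],
    }


def php_server_key(attribute_id, use_headers=False):
    """Name under which PHP sees the attribute.  In the default environment
    mode it is the id itself; with ShibUseHeaders On the SP passes it as an
    HTTP request header, which PHP exposes as HTTP_<NAME>."""
    if not use_headers:
        return attribute_id
    return "HTTP_" + attribute_id.upper().replace("-", "_")


def split_exported(value, separator=";"):
    """Split a multi-valued attribute as the SP exports it (values joined by
    ';' by default) and drop empty entries."""
    return [v for v in value.split(separator) if v]


def case_variants(values):
    """Groups of values that differ only by case, as in the thread's
    'USER@domain.com;user@domain.com' eppn.  Code that takes the whole string
    as one principal name will never match a user."""
    seen = {}
    for v in values:
        seen.setdefault(v.lower(), []).append(v)
    return [group for group in seen.values() if len(group) > 1]


if __name__ == "__main__":
    print(check_config(SAMPLE_ATTRIBUTE_MAP, SAMPLE_SHIBBOLETH2))
    print(php_server_key("SHIB_EPPN", use_headers=True))
    print(case_variants(split_exported("USER@domain.com;user@domain.com")))
```

To use it on a real SP, pass the contents of /etc/shibboleth/attribute-map.xml and shibboleth2.xml to check_config. Anything listed under missing_expected or remote_user_undefined is a name mismatch that the /Shibboleth.sso/Session page will not reveal, because that page shows the SP's view of the attributes rather than the variables the web application actually receives.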

Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by Mike Jennings <gm...@ncsu.edu>.
try setting ShibRequireSession On

Mike

On Mon, Sep 14, 2020 at 5:07 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu>
wrote:

> I made the change but it still doesn’t show up in $_SERVER.
> Shibboleth.sso/Session now shows SHIB_EPPN for the attribute name after
> updating the attribute map xml
>
>
>
> Thanks
>
>
>
>
>
> *From:* Mike Jennings <gm...@ncsu.edu>
> *Sent:* Monday, September 14, 2020 5:02 PM
> *To:* user@vcl.apache.org
> *Subject:* Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> *Importance:* Low
>
>
>
> Yes, after checking the attribute-map.xml file that you sent me, change
> the eppn lines to SHIB_EPPN and then reboot the shibd process....
>
>
>
> This should pick up the changes in the attribute map and make things work.
>
>
>
> Mike
>
>
>
> On Mon, Sep 14, 2020 at 5:00 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu>
> wrote:
>
> Yes, I looked through the shibd.log initially and it looked normal no
> errors that would give a clue to what is happening. I have a test.php file
> in the vcl directory and it prints out many variables except for anything
> related to Shibboleth. I've attached the attribute-map.xml file.
>
>
> Thanks
>
> ________________________________
> From: Mike Jennings <gm...@ncsu.edu>
> Sent: Monday, September 14, 2020 4:46 PM
> To: user@vcl.apache.org
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> Have you looked for any errors in the shibd.log or the transaction.logs of
> the shibboleth service provider.
>
> Also have you tried to add a php file to dump the data in the vcl
> directory that contains
>
> <?php print_r($_SERVER) ?>
>
> and what does that print out
>
> Also can you send me a copy of your attribute-map.xml file
>
> Mike
>
> On Mon, Sep 14, 2020 at 4:35 PM MARTINEZ, ARIEL <AMARTINEZ@hostos.cuny.edu
> <ma...@hostos.cuny.edu>> wrote:
> Hi Mike,
>
> Both Shibboleth.sso/Status and Shibboleth.sso/Session indicate that the
> Shibboleth SP appears to be running correctly. I can see eppn, mail and
> displayname (haven’t included affiliation) in the session after
> authenticating.
>
> I just can’t figure out why the $_SERVER variable does not have any
> Shibboleth data even though the session is established. Because of this,
> the authentication in VCL is not working.
>
> I have a .htaccess file in /var/www/html/vcl directory with the following:
>
> Authtype shibboleth
> ShibRequireSession off
> Require shibboleth
>
> So when I select the configured  SSO option in the VCL login, I get
> redirected to my identity provider and it gets redirected back to the /vcl
> webpage but it doesn’t log in.
>
> Thanks
>
>
> From: Mike Jennings <gm...@ncsu.edu>>
> Sent: Monday, September 14, 2020 11:17 AM
> To: user@vcl.apache.org<ma...@vcl.apache.org>
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> Importance: Low
>
> Martinez,
>
> Sorry I am a little late to the game here.
>
> It has been a long time since I have worked with a Shibboleth SP.
>
> I am currently assuming that you have setup the Shibboleth SP on a Apache
> HTTPS server.
>
> I am assuming that you can do the initial test correctly
>
>
> You can test to ensure that the SP is running properly and the surrounding
> environment is correct by accessing
> https://localhost/Shibboleth.sso/Status from the actual web server
> machine. You MUST use "localhost" as the hostname or it WILL NOT WORK by
> default. If this test is successful, then the software is ready for further
> configuration.
>
> You can also access the Status handler from other clients or using a
> non-localhost name, but only if you change the acl parameter in the
> configuration to permit your client address or remove it entirely to open
> up access to anybody. The ACL is present by default because the Status
> handler can return some arguably sensitive information about your
> configuration.
>
>
> You have the attribute-map.xml configured correctly.  You might need to
> contact the Shibboleth IdP Administrator to verify he is releasing
> attributes to your sp and what values need to be modified in that file.
>
> Thanks,
>
> Mike Jennings
>
> On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL <AMARTINEZ@hostos.cuny.edu
> <ma...@hostos.cuny.edu>> wrote:
> Hi Josh,
>
> Thanks for this info. The problem is that there is no 'SHIB_EPPN' in the
> $_SERVER array. There is no other Shibboleth related entry other than the
> shib session string HTTP_COOKIE.
>
> Not sure how to correct this. How can the required entry be made to be
> included in the array?
>
> Thanks
>
> On Sep 11, 2020 5:39 PM, Josh Thompson <josh_thompson@ncsu.edu<mailto:
> josh_thompson@ncsu.edu>> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Ariel,
>
> Toward the top of initGlobals in utils.php, there is a small block of code
> that tests conditions for each authentication method if the user is not
> logged
> in, and if that authentication method's test function returns true, it will
> then call that authentication method's authentication function.  It's the
> "else" block that starts on line 176 of the 2.5.1 release.
>
> The shibauth.php module uses testShibAuth as the test function.  All it
> does
> is to check for $_SERVER['SHIB_EPPN'] being set.  If it is not set, it will
> not attempt to authenticate the user using Shibboleth.  An easy way to test
> this is to temporarily put a file in the same directory as the main VCL
> index.php directory that just has this in it:
>
> <?php
> print "<pre>\n";
> print_r($_SERVER);
> print "</pre>\n";
> ?>
>
> Don't leave the file in there beyond the testing since it can disclose
> various
> information about your system.
>
> If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found your
> problem.  If your Shibboleth configuration is using something different
> than
> 'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php.
>
> The VCL php code doesn't log anywhere other than where php errors would be
> going.  Look in to configuring php errors for httpd to get that set up.  My
> experience has been that systems generally don't log php errors anywhere by
> default.
>
> Josh
>
> On Thursday, September 10, 2020 1:47:09 PM EDT MARTINEZ, ARIEL wrote:
> > I have been looking further into the shibauth.php file to see what is
> > supposed to happen when a shibboleth login happens. For starters, it
> > creates an affiliation in the affiliation table if it does not find one
> > from the attributes received from the identity provider. However it
> doesn't
> > seem to be executing that code. It at the very least should have
> generated
> > an error message when trying to automatically create an affiliation if it
> > failed.
> >
> > Is there any way to troubleshoot shibauth.php to see what is happening?
> Or
> > is this particular function logged somewhere in particular?
> >
> > Thanks.

RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
I made the change but it still doesn’t show up in $_SERVER. Shibboleth.sso/Session now shows SHIB_EPPN for the attribute name after updating the attribute map xml.

Thanks


From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 5:02 PM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low

Yes, after checking the attribute-map.xml file that you sent me, change the eppn lines to SHIB_EPPN and then reboot the shibd process....

This should pick up the changes in the attribute map and make things work.

Mike

On Mon, Sep 14, 2020 at 5:00 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
Yes, I looked through the shibd.log initially and it looked normal, no errors that would give a clue to what is happening. I have a test.php file in the vcl directory and it prints out many variables except for anything related to Shibboleth. I've attached the attribute-map.xml file.


Thanks

________________________________
From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 4:46 PM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Have you looked for any errors in the shibd.log or the transaction.logs of the shibboleth service provider?

Also have you tried to add a php file to dump the data in the vcl directory that contains

<?php print_r($_SERVER) ?>

and what does that print out

Also can you send me a copy of your attribute-map.xml file

Mike

On Mon, Sep 14, 2020 at 4:35 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
Hi Mike,

Both Shibboleth.sso/Status and Shibboleth.sso/Session indicate that the Shibboleth SP appears to be running correctly. I can see eppn, mail and displayname (haven’t included affiliation) in the session after authenticating.

I just can’t figure out why the $_SERVER variable does not have any Shibboleth data even though the session is established. Because of this, the authentication in VCL is not working.

I have a .htaccess file in /var/www/html/vcl directory with the following:

Authtype shibboleth
ShibRequireSession off
Require shibboleth

So when I select the configured SSO option in the VCL login, I get redirected to my identity provider and it gets redirected back to the /vcl webpage but it doesn’t log in.

Thanks


From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 11:17 AM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low

Martinez,

Sorry I am a little late to the game here.

It has been a long time since I have worked with a Shibboleth SP.

I am currently assuming that you have setup the Shibboleth SP on an Apache HTTPS server.

I am assuming that you can do the initial test correctly.


You can test to ensure that the SP is running properly and the surrounding environment is correct by accessing https://localhost/Shibboleth.sso/Status from the actual web server machine. You MUST use "localhost" as the hostname or it WILL NOT WORK by default. If this test is successful, then the software is ready for further configuration.

You can also access the Status handler from other clients or using a non-localhost name, but only if you change the acl parameter in the configuration to permit your client address or remove it entirely to open up access to anybody. The ACL is present by default because the Status handler can return some arguably sensitive information about your configuration.


You have the attribute-map.xml configured correctly.  You might need to contact the Shibboleth IdP Administrator to verify he is releasing attributes to your sp and what values need to be modified in that file.

Thanks,

Mike Jennings

On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
Hi Josh,

Thanks for this info. The problem is that there is no 'SHIB_EPPN' in the $_SERVER array. There is no other Shibboleth related entry other than the shib session string HTTP_COOKIE.

Not sure how to correct this. How can the required entry be made to be included in the array?

Thanks

On Sep 11, 2020 5:39 PM, Josh Thompson <jo...@ncsu.edu> wrote:

Hi Ariel,

Toward the top of initGlobals in utils.php, there is a small block of code
that tests conditions for each authentication method if the user is not logged
in, and if that authentication method's test function returns true, it will
then call that authentication method's authentication function.  It's the
"else" block that starts on line 176 of the 2.5.1 release.

The shibauth.php module uses testShibAuth as the test function.  All it does
is to check for $_SERVER['SHIB_EPPN'] being set.  If it is not set, it will
not attempt to authenticate the user using Shibboleth.  An easy way to test
this is to temporarily put a file in the same directory as the main VCL
index.php directory that just has this in it:

<?php
print "<pre>\n";
print_r($_SERVER);
print "</pre>\n";
?>

Don't leave the file in there beyond the testing since it can disclose various
information about your system.

If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found your
problem.  If your Shibboleth configuration is using something different than
'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php.

The VCL php code doesn't log anywhere other than where php errors would be
going.  Look in to configuring php errors for httpd to get that set up.  My
experience has been that systems generally don't log php errors anywhere by
default.

Josh

On Thursday, September 10, 2020 1:47:09 PM EDT MARTINEZ, ARIEL wrote:
> I have been looking further into the shibauth.php file to see what is
> supposed to happen when a shibboleth login happens. For starters, it
> creates an affiliation in the affiliation table if it does not find one
> from the attributes received from the identity provider. However it doesn't
> seem to be executing that code. It at the very least should have generated
> an error message when trying to automatically create an affiliation if it
> failed.
>
> Is there any way to troubleshoot shibauth.php to see what is happening? Or
> is this particular function logged somewhere in particular?
>
> Thanks.
>
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Sunday, August 30, 2020 1:11 PM
> To: user@vcl.apache.org
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> I don't know what else to really try because as far as Shibboleth is
> concerned, it appears to be working. So I went to the
> /Shibboleth.sso/Session URL after logging in and the following is
> displayed, I replaced some values that should not be public:
>
> Miscellaneous
> Session Expiration (barring inactivity): 478 minute(s) Client Address:
> (xx.xx.xx.xxx) SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol Identity
> Provider: (idp entity ID)
> Authentication Time: 2020-08-30T16:54:23.787Z Authentication Context Class:
> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> Authentication Context Decl: (none)
>
> Attributes
> affiliation: member@domain.com
> eppn: USER@domain.com;user@domain.com
> upn: USER@domain.com
>
>
> Unless eppn should not have two values, as far as I can tell, the proper
> values required by VCL are present. In the VCL database affiliation table,
> I have populated an existing VCL Affiliation that is configured to use LDAP
> with the domain.com value under shibname. I also tried creating a new
> affiliation setting shibonly to 1
>
> I still get the same behavior where, after selecting the Shibboleth
> authentication method and signing in at my idp, it gets redirected back to
> the /vcl directory to choose an authentication method.
>
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Thursday, August 27, 2020 3:00 PM
> To: user@vcl.apache.org
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> After login nothing is happening still. So I moved the test.php file from
> the old Shibboleth instructions to my main VCL directory and set the
> conf.php file to redirect to this file after login and the attributes are
> all undefined.
>
> Is this sufficient to say with a high level of certainty that my IDP is not
> sending VCL what it is expecting? Or is the test.php not meant to work that
> way?
>
> Thanks
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Wednesday, August 26, 2020 11:14 AM
> To: user@vcl.apache.org
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> Hi Josh,
>
> Last question before I try again, there is no shibboleth affiliation in my
> VCL database. So should I be creating a new affiliation for shibboleth and
> populating the shibname field, or should I use the existing LDAP configured
> affiliation and populate its shibname field?
>
> Thanks
>
> -----Original Message-----
> From: Josh Thompson <jo...@ncsu.edu>
> Sent: Wednesday, August 26, 2020 11:04 AM
> To: user@vcl.apache.org
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

- --
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found on pool.sks-keyservers.net

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.

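The three conditions this thread converges on, replayed as an added Python diagnostic (not VCL's shibauth.php and not code from anyone in the thread): which ids attribute-map.xml exports, whether SHIB_EPPN is present in $_SERVER, and whether the eppn scope matches the affiliation's shibname. The attribute-map fragments and $_SERVER snapshots are constructed (the upn claim name is a placeholder); the single-value expectation and the scope-equals-shibname rule are assumptions drawn from the discussion, not confirmed VCL behaviour.

```python
"""Added diagnostic for the VCL Shibboleth login path discussed in this thread.

Three things have to line up before VCL logs a user in: the id that
attribute-map.xml gives the eppn attribute (shibd exports attributes to Apache
under that id, which is what appears in PHP's $_SERVER), the SHIB_EPPN key that
testShibAuth in shibauth.php looks for, and (assumed here) the eppn scope matching
the affiliation's shibname. This script checks all three on constructed input.
"""
import xml.etree.ElementTree as ET

SP_NS = "urn:mace:shibboleth:2.0:attribute-map"
VCL_REQUIRED_KEY = "SHIB_EPPN"  # the $_SERVER key testShibAuth checks, per the thread

# Constructed attribute-map.xml fragment in the Shibboleth SP format.
# "Before": the id is the default 'eppn', so nothing called SHIB_EPPN is exported.
# The upn claim name is a placeholder, not a real ADFS claim URI.
ATTRIBUTE_MAP_BEFORE = f"""<Attributes xmlns="{SP_NS}">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"/>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation"/>
  <Attribute name="urn:example:upn" id="upn"/>
</Attributes>"""

# "After": the eppn lines changed to SHIB_EPPN, as suggested in the thread.
ATTRIBUTE_MAP_AFTER = ATTRIBUTE_MAP_BEFORE.replace('id="eppn"', 'id="SHIB_EPPN"')


def exported_ids(attribute_map_xml):
    """Return {id: SAML attribute name} for each <Attribute> in the map.
    The id is the variable name shibd hands to Apache, i.e. the $_SERVER key
    that VCL's PHP code will see."""
    root = ET.fromstring(attribute_map_xml)
    return {a.get("id"): a.get("name")
            for a in root.iter(f"{{{SP_NS}}}Attribute") if a.get("id")}


def split_values(raw):
    """The Shibboleth SP joins multi-valued attributes with ';' (the two-valued
    eppn seen in the thread); return the individual non-empty values."""
    return [v for v in raw.split(";") if v]


def diagnose(attribute_map_xml, server_vars, shibname):
    """Replay the thread's checks and return a list of findings (empty == OK).
    server_vars stands in for PHP's $_SERVER after shibd has exported attributes;
    shibname is the affiliation.shibname value populated in the VCL database."""
    findings = []
    ids = exported_ids(attribute_map_xml)
    if VCL_REQUIRED_KEY not in ids:
        findings.append(
            f"attribute-map.xml exports no id={VCL_REQUIRED_KEY}; exported ids: {sorted(ids)}")
    if VCL_REQUIRED_KEY not in server_vars:
        # The symptom in the thread: a valid SP session, but testShibAuth returns
        # false and VCL shows the authentication-method chooser again.
        findings.append(
            f"{VCL_REQUIRED_KEY} absent from $_SERVER, so testShibAuth returns false")
        return findings
    values = split_values(server_vars[VCL_REQUIRED_KEY])
    if len(values) != 1:  # assumption: VCL wants a single scoped eppn
        findings.append(f"{VCL_REQUIRED_KEY} carries {len(values)} values, expected one")
    for value in values:
        if "@" not in value:
            findings.append(f"eppn value {value!r} has no @scope")
            continue
        scope = value.rsplit("@", 1)[1].lower()
        if scope != shibname.lower():  # assumption: scope is matched against shibname
            findings.append(f"eppn scope {scope!r} does not match shibname {shibname!r}")
    return findings


if __name__ == "__main__":
    # Constructed $_SERVER snapshots: before the fix only the session cookie is present.
    before = {"HTTP_COOKIE": "_shibsession_REDACTED=REDACTED"}
    after = {"SHIB_EPPN": "USER@domain.com;user@domain.com"}
    for label, xml, env in (("before", ATTRIBUTE_MAP_BEFORE, before),
                            ("after", ATTRIBUTE_MAP_AFTER, after)):
        print(label, diagnose(xml, env, "domain.com") or ["OK"])
```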

Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by Mike Jennings <gm...@ncsu.edu>.
Yes, after checking the attribute-map.xml file that you sent me, change the
eppn lines to SHIB_EPPN and then reboot the shibd process....

This should pick up the changes in the attribute map and make things work.

Mike

On Mon, Sep 14, 2020 at 5:00 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu>
wrote:

> Yes, I looked through the shibd.log initially and it looked normal no
> errors that would give a clue to what is happening. I have a test.php file
> in the vcl directory and it prints out many variables except for anything
> related to Shibboleth. I've attached the attribute-map.xml file.
>
>
> Thanks

Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
Yes, I looked through the shibd.log initially and it looked normal, no errors that would give a clue to what is happening. I have a test.php file in the vcl directory and it prints out many variables except for anything related to Shibboleth. I've attached the attribute-map.xml file.


Thanks



Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by Mike Jennings <gm...@ncsu.edu>.
Have you looked for any errors in the shibd.log or the transaction.logs of
the shibboleth service provider?

Also, have you tried to add a php file to dump the data in the vcl directory
that contains

<?php print_r($_SERVER) ?>

and what does that print out?

Also, can you send me a copy of your attribute-map.xml file?

Mike

On Mon, Sep 14, 2020 at 4:35 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu>
wrote:

> Hi Mike,
>
> Both Shibboleth.sso/Status and Shibboleth.sso/Session indicate that the
> Shibboleth SP appears to be running correctly. I can see eppn, mail and
> displayname (haven’t included affiliation) in the session after
> authenticating.
>
> I just can’t figure out why the $_SERVER variable does not have any
> Shibboleth data even though the session is established. Because of this,
> the authentication in VCL is not working.
>
> I have a .htaccess file in /var/www/html/vcl directory with the following:
>
> Authtype shibboleth
> ShibRequireSession off
> Require shibboleth
>
> So when I select the configured SSO option in the VCL login, I get
> redirected to my identity provider and it gets redirected back to the /vcl
> webpage but it doesn’t log in.
>
> Thanks
>
> *From:* Mike Jennings <gm...@ncsu.edu>
> *Sent:* Monday, September 14, 2020 11:17 AM
> *To:* user@vcl.apache.org
> *Subject:* Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> *Importance:* Low
>
> Martinez,
>
> Sorry I am a little late to the game here.
>
> It has been a long time since I have worked with a Shibboleth SP.
>
> I am currently assuming that you have set up the Shibboleth SP on an Apache
> HTTPS server.
>
> I am assuming that you can do the initial test correctly.
>
> You can test to ensure that the SP is running properly and the surrounding
> environment is correct by accessing
> https://localhost/Shibboleth.sso/Status *from the actual web server
> machine*. You *MUST* use "localhost" as the hostname or it WILL NOT WORK
> by default. If this test is successful, then the software is ready for
> further configuration.
>
> You can also access the Status handler from other clients or using a
> non-localhost name, but *only* if you change the acl parameter in the
> configuration to permit your client address or remove it entirely to open
> up access to anybody. The ACL is present by default because the Status
> handler can return some arguably sensitive information about your
> configuration.
>
> You have the attribute-map.xml configured correctly.  You might need to
> contact the Shibboleth IdP Administrator to verify he is releasing
> attributes to your sp and what values need to be modified in that file.
>
> Thanks,
>
> Mike Jennings
>
> On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu>
> wrote:
>
> Hi Josh,
>
> Thanks for this info. The problem is that there is no 'SHIB_EPPN' in the
> $_SERVER array. There is no other Shibboleth related entry other than the
> shib session string HTTP_COOKIE.
>
> Not sure how to correct this. How can the required entry be made to be
> included in the array?
>
> Thanks
>
> On Sep 11, 2020 5:39 PM, Josh Thompson <jo...@ncsu.edu> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Ariel,
>
> Toward the top of initGlobals in utils.php, there is a small block of code
> that tests conditions for each authentication method if the user is not
> logged in, and if that authentication method's test function returns true,
> it will then call that authentication method's authentication function.
> It's the "else" block that starts on line 176 of the 2.5.1 release.
>
> The shibauth.php module uses testShibAuth as the test function.  All it
> does is to check for $_SERVER['SHIB_EPPN'] being set.  If it is not set, it
> will not attempt to authenticate the user using Shibboleth.  An easy way to
> test this is to temporarily put a file in the same directory as the main VCL
> index.php directory that just has this in it:
>
> <?php
> print "<pre>\n";
> print_r($_SERVER);
> print "</pre>\n";
> ?>
>
> Don't leave the file in there beyond the testing since it can disclose
> various information about your system.
>
> If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found your
> problem.  If your Shibboleth configuration is using something different
> than 'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php.
>
> The VCL php code doesn't log anywhere other than where php errors would be
> going.  Look in to configuring php errors for httpd to get that set up.  My
> experience has been that systems generally don't log php errors anywhere by
> default.
>
> Josh
>
> On Thursday, September 10, 2020 1:47:09 PM EDT MARTINEZ, ARIEL wrote:
> > I have been looking further into the shibauth.php file to see what is
> > supposed to happen when a shibboleth login happens. For starters, it
> > creates an affiliation in the affiliation table if it does not find one
> > from the attributes received from the identity provider. However it
> > doesn't seem to be executing that code. It at the very least should have
> > generated an error message when trying to automatically create an
> > affiliation if it failed.
> >
> > Is there any way to troubleshoot shibauth.php to see what is happening?
> > Or is this particular function logged somewhere in particular?
> >
> > Thanks.
> >
> >
> > -----Original Message-----
> > From: MARTINEZ, ARIEL
> > Sent: Sunday, August 30, 2020 1:11 PM
> > To: 'user@vcl.apache.org' <us...@vcl.apache.org>
> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> >
> > I don't know what else to really try because as far as Shibboleth is
> > concerned, it appears to be working. So I went to the
> > /Shibboleth.sso/Session URL after logging in and the following is
> > displayed, I replaced some values that should not be public:
> >
> > Miscellaneous
> > Session Expiration (barring inactivity): 478 minute(s)
> > Client Address: (xx.xx.xx.xxx)
> > SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
> > Identity Provider: (idp entity ID)
> > Authentication Time: 2020-08-30T16:54:23.787Z
> > Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> > Authentication Context Decl: (none)
> >
> > Attributes
> > affiliation: member@domain.com
> > eppn: USER@domain.com;user@domain.com
> > upn: USER@domain.com
> >
> >
> > Unless eppn should not have two values, as far as I can tell, the proper
> > values required by VCL are present. In the VCL database affiliation table,
> > I have populated an existing VCL Affiliation that is configured to use
> > LDAP with the domain.com value under shibname. I also tried creating a new
> > affiliation setting shibonly to 1.
> >
> > I still get the same behavior where, after selecting the Shibboleth
> > authentication method and signing in at my idp, it gets redirected back
> > to the /vcl directory to choose an authentication method.
> >
> >
> > -----Original Message-----
> > From: MARTINEZ, ARIEL
> > Sent: Thursday, August 27, 2020 3:00 PM
> > To: 'user@vcl.apache.org' <us...@vcl.apache.org>
> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> >
> > After login nothing is happening still. So I moved the test.php file from
> > the old Shibboleth instructions to my main VCL directory and set the
> > conf.php file to redirect to this file after login and the attributes are
> > all undefined.
> >
> > Is this sufficient to say with a high level of certainty that my IDP is
> > not sending VCL what it is expecting? Or is the test.php not meant to work
> > that way?
> >
> > Thanks
> >
> > -----Original Message-----
> > From: MARTINEZ, ARIEL
> > Sent: Wednesday, August 26, 2020 11:14 AM
> > To: user@vcl.apache.org
> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> >
> > Hi Josh,
> >
> > Last question before I try again, there is no shibboleth affiliation in
> > my VCL database. So should I be creating a new affiliation for shibboleth
> > and populating the shibname field, or should I use the existing LDAP
> > configured affiliation and populate its shibname field?
> >
> > Thanks
> >
> > -----Original Message-----
> > From: Josh Thompson <jo...@ncsu.edu>
> > Sent: Wednesday, August 26, 2020 11:04 AM
> > To: user@vcl.apache.org
> > Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> - --
> - -------------------------------
> Josh Thompson
> VCL Developer
> North Carolina State University
>
> my GPG/PGP key can be found on pool.sks-keyservers.net
>
>
>
>
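
A narrower version of the print_r($_SERVER) test that Mike and Josh suggest, added here as an example (it is not VCL code and not something either of them posted): it reports only the Shibboleth-related entries, truncates their values, and states outright whether the SHIB_EPPN check in testShibAuth would pass, so less of the system is exposed while the file exists. It assumes the SP exports each attribute under the id from attribute-map.xml (or as an HTTP_-prefixed header when ShibUseHeaders is on); the file name shibcheck.php and the list of ids are placeholders drawn from this thread's Session output.

```php
<?php
// shibcheck.php (placeholder name): put it beside VCL's index.php, request it
// once through the Shibboleth-protected path, then delete it. Unlike a full
// print_r($_SERVER) it reports only Shibboleth-related entries and truncates
// their values, so less of the system is exposed while the file exists.

// The one variable VCL's testShibAuth checks, as described in the thread.
const VCL_SHIB_VAR = 'SHIB_EPPN';

// Attribute ids from this thread's /Shibboleth.sso/Session output (assumed;
// adjust to your attribute-map.xml). The SP exports each attribute under its
// id, so a key named 'eppn' or 'HTTP_EPPN' present while SHIB_EPPN is absent
// means the attribute reached PHP under a name testShibAuth does not check.
const ATTRIBUTE_IDS = ['eppn', 'affiliation', 'upn', 'mail', 'displayname'];

/** Does a $_SERVER key look like an attribute exported by the Shibboleth SP? */
function looksLikeShibAttribute(string $name): bool
{
    // Environment export (SP default) or header export (ShibUseHeaders On),
    // with whatever prefix the id in attribute-map.xml carries.
    if (strncasecmp($name, 'SHIB_', 5) === 0 || strncasecmp($name, 'HTTP_SHIB_', 10) === 0) {
        return true;
    }
    foreach (ATTRIBUTE_IDS as $id) {
        if (strcasecmp($name, $id) === 0 || strcasecmp($name, 'HTTP_' . $id) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Summarise what a request environment (normally $_SERVER) reveals about the
 * SP-to-PHP hand-off. Returns an array rather than printing so the same logic
 * can be run on a constructed sample from the command line.
 */
function shibDiagnostics(array $env): array
{
    $cookie = $env['HTTP_COOKIE'] ?? '';
    $report = [
        // A _shibsession_* cookie with nothing exported means the SP holds a
        // session but its attributes are not reaching PHP; no cookie at all
        // means the browser never completed a login at the SP.
        'session_cookie_present' => preg_match('/(^|;\s*)_shibsession_[0-9a-f]+=/', $cookie) === 1,
        'exported'               => [],   // name => first three characters only
        'vcl_test_would_pass'    => ($env[VCL_SHIB_VAR] ?? '') !== '',
        'eppn_values'            => [],   // the SP joins multiple values with ';'
        'eppn_scopes'            => [],   // part after '@'; assumed to be what shibname is matched on
    ];

    foreach ($env as $name => $value) {
        if (looksLikeShibAttribute((string) $name)) {
            $report['exported'][$name] = substr((string) $value, 0, 3) . '...';
        }
    }

    // Take eppn from whichever name it arrived under, if any.
    $eppn = $env[VCL_SHIB_VAR] ?? $env['eppn'] ?? $env['HTTP_EPPN'] ?? '';
    foreach (explode(';', $eppn) as $v) {
        $v = trim($v);
        if ($v === '') {
            continue;
        }
        $report['eppn_values'][] = $v;
        $at = strrpos($v, '@');
        $report['eppn_scopes'][] = $at === false ? '' : substr($v, $at + 1);
    }
    $report['eppn_scopes'] = array_values(array_unique($report['eppn_scopes']));
    return $report;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample, not captured data: a session cookie is present and a
    // two-valued eppn arrived under its bare id rather than as SHIB_EPPN.
    $sample = [
        'SERVER_NAME' => 'vcl.example.edu',
        'HTTP_COOKIE' => '_shibsession_64656661756c74=_9f3a1c; PHPSESSID=x',
        'eppn'        => 'USER@domain.com;user@domain.com',
    ];
    print_r(shibDiagnostics($sample));
} else {
    header('Content-Type: text/plain');
    print_r(shibDiagnostics($_SERVER));
}
```

From the command line it prints the report for the constructed sample; behind Apache it reads the live request instead.
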

RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
Hi Mike,

Both Shibboleth.sso/Status and Shibboleth.sso/Session indicate that the Shibboleth SP appears to be running correctly. I can see eppn, mail and displayname (haven’t included affiliation) in the session after authenticating.

I just can’t figure out why the $_SERVER variable does not have any Shibboleth data even though the session is established. Because of this, the authentication in VCL is not working.

I have a .htaccess file in /var/www/html/vcl directory with the following:

Authtype shibboleth
ShibRequireSession off
Require shibboleth

So when I select the configured SSO option in the VCL login, I get redirected to my identity provider and it gets redirected back to the /vcl webpage but it doesn’t log in.

Thanks


From: Mike Jennings <gm...@ncsu.edu>
Sent: Monday, September 14, 2020 11:17 AM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low

Martinez,

Sorry I am a little late to the game here.

It has been a long time since I have worked with a Shibboleth SP.

I am currently assuming that you have set up the Shibboleth SP on an Apache HTTPS server.

I am assuming that you can do the initial test correctly.


You can test to ensure that the SP is running properly and the surrounding environment is correct by accessing https://localhost/Shibboleth.sso/Status from the actual web server machine. You MUST use "localhost" as the hostname or it WILL NOT WORK by default. If this test is successful, then the software is ready for further configuration.

You can also access the Status handler from other clients or using a non-localhost name, but only if you change the acl parameter in the configuration to permit your client address or remove it entirely to open up access to anybody. The ACL is present by default because the Status handler can return some arguably sensitive information about your configuration.


You have the attribute-map.xml configured correctly.  You might need to contact the Shibboleth IdP Administrator to verify he is releasing attributes to your sp and what values need to be modified in that file.

Thanks,

Mike Jennings

On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
Hi Josh,

Thanks for this info. The problem is that there is no 'SHIB_EPPN' in the $_SERVER array. There is no other Shibboleth related entry other than the shib session string HTTP_COOKIE.

Not sure how to correct this. How can the required entry be made to be included in the array?

Thanks

On Sep 11, 2020 5:39 PM, Josh Thompson <jo...@ncsu.edu> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ariel,

Toward the top of initGlobals in utils.php, there is a small block of code
that tests conditions for each authentication method if the user is not logged
in, and if that authentication method's test function returns true, it will
then call that authentication method's authentication function.  It's the
"else" block that starts on line 176 of the 2.5.1 release.

The shibauth.php module uses testShibAuth as the test function.  All it does
is to check for $_SERVER['SHIB_EPPN'] being set.  If it is not set, it will
not attempt to authenticate the user using Shibboleth.  An easy way to test
this is to temporarily put a file in the same directory as the main VCL
index.php directory that just has this in it:

<?php
print "<pre>\n";
print_r($_SERVER);
print "</pre>\n";
?>

Don't leave the file in there beyond the testing since it can disclose various
information about your system.

If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found your
problem.  If your Shibboleth configuration is using something different than
'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php.

The VCL php code doesn't log anywhere other than where php errors would be
going.  Look in to configuring php errors for httpd to get that set up.  My
experience has been that systems generally don't log php errors anywhere by
default.

Josh

On Thursday, September 10, 2020 1:47:09 PM EDT MARTINEZ, ARIEL wrote:
> I have been looking further into the shibauth.php file to see what is
> supposed to happen when a shibboleth login happens. For starters, it
> creates an affiliation in the affiliation table if it does not find one
> from the attributes received from the identity provider. However it doesn't
> seem to be executing that code. It at the very least should have generated
> an error message when trying to automatically create an affiliation if it
> failed.
>
> Is there any way to troubleshoot shibauth.php to see what is happening? Or
> is this particular function logged somewhere in particular?
>
> Thanks.
>
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Sunday, August 30, 2020 1:11 PM
> To: 'user@vcl.apache.org' <us...@vcl.apache.org>
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> I don't know what else to really try because as far as Shibboleth is
> concerned, it appears to be working. So I went to the
> /Shibboleth.sso/Session URL after logging in and the following is
> displayed, I replaced some values that should not be public:
>
> Miscellaneous
> Session Expiration (barring inactivity): 478 minute(s)
> Client Address: (xx.xx.xx.xxx)
> SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
> Identity Provider: (idp entity ID)
> Authentication Time: 2020-08-30T16:54:23.787Z
> Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> Authentication Context Decl: (none)
>
> Attributes
> affiliation: member@domain.com
> eppn: USER@domain.com;user@domain.com
> upn: USER@domain.com
>
>
> Unless eppn should not have two values, as far as I can tell, the proper
> values required by VCL are present. In the VCL database affiliation table,
> I have populated an existing VCL Affiliation that is configured to use LDAP
> with the domain.com value under shibname. I also tried creating a new
> affiliation setting shibonly to 1
>
> I still get the same behavior where, after selecting the Shibboleth
> authentication method and signing in at my idp, it gets redirected back to
> the /vcl directory to choose an authentication method.
>
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Thursday, August 27, 2020 3:00 PM
> To: 'user@vcl.apache.org' <us...@vcl.apache.org>
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> After login nothing is happening still. So I moved the test.php file from
> the old Shibboleth instructions to my main VCL directory and set the
> conf.php file to redirect to this file after login and the attributes are
> all undefined.
>
> Is this sufficient to say with a high level of certainty that my IDP is not
> sending VCL what it is expecting? Or is the test.php not meant to work that
> way?
>
> Thanks
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Wednesday, August 26, 2020 11:14 AM
> To: user@vcl.apache.org
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> Hi Josh,
>
> Last question before I try again, there is no shibboleth affiliation in my
> VCL database. So should I be creating a new affiliation for shibboleth and
> populating the shibname field, or should I use the existing LDAP configured
> affiliation and populate its shibname field?
>
> Thanks
>
> -----Original Message-----
> From: Josh Thompson <jo...@ncsu.edu>
> Sent: Wednesday, August 26, 2020 11:04 AM
> To: user@vcl.apache.org
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

- --
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found on pool.sks-keyservers.net




Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by Mike Jennings <gm...@ncsu.edu>.
Martinez,

Sorry I am a little late to the game here.

It has been a long time since I have worked with a Shibboleth SP.

I am currently assuming that you have set up the Shibboleth SP on an Apache
HTTPS server.

I am assuming that you can do the initial test correctly.

> You can test to ensure that the SP is running properly and the surrounding
> environment is correct by accessing
> https://localhost/Shibboleth.sso/Status *from the actual web server
> machine*. You *MUST* use "localhost" as the hostname or it WILL NOT WORK
> by default. If this test is successful, then the software is ready for
> further configuration.
>
> You can also access the Status handler from other clients or using a
> non-localhost name, but *only* if you change the acl parameter in the
> configuration to permit your client address or remove it entirely to open
> up access to anybody. The ACL is present by default because the Status
> handler can return some arguably sensitive information about your
> configuration.
>
>
You have the attribute-map.xml configured correctly.  You might need to
contact the Shibboleth IdP Administrator to verify he is releasing
attributes to your sp and what values need to be modified in that file.

Thanks,

Mike Jennings

On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu>
wrote:

> Hi Josh,
>
> Thanks for this info. The problem is that there is no 'SHIB_EPPN' in the
> $_SERVER array. There is no other Shibboleth related entry other than the
> shib session string HTTP_COOKIE.
>
> Not sure how to correct this. How can the required entry be made to be
> included in the array?
>
> Thanks
>
> On Sep 11, 2020 5:39 PM, Josh Thompson <jo...@ncsu.edu> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Ariel,
>
> Toward the top of initGlobals in utils.php, there is a small block of code
> that tests conditions for each authentication method if the user is not
> logged in, and if that authentication method's test function returns true,
> it will then call that authentication method's authentication function.
> It's the "else" block that starts on line 176 of the 2.5.1 release.
>
> The shibauth.php module uses testShibAuth as the test function.  All it
> does is to check for $_SERVER['SHIB_EPPN'] being set.  If it is not set, it
> will not attempt to authenticate the user using Shibboleth.  An easy way to
> test this is to temporarily put a file in the same directory as the main VCL
> index.php directory that just has this in it:
>
> <?php
> print "<pre>\n";
> print_r($_SERVER);
> print "</pre>\n";
> ?>
>
> Don't leave the file in there beyond the testing since it can disclose
> various information about your system.
>
> If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found your
> problem.  If your Shibboleth configuration is using something different
> than 'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php.
>
> The VCL php code doesn't log anywhere other than where php errors would be
> going.  Look in to configuring php errors for httpd to get that set up.  My
> experience has been that systems generally don't log php errors anywhere by
> default.
>
> Josh
>
> On Thursday, September 10, 2020 1:47:09 PM EDT MARTINEZ, ARIEL wrote:
> > I have been looking further into the shibauth.php file to see what is
> > supposed to happen when a shibboleth login happens. For starters, it
> > creates an affiliation in the affiliation table if it does not find one
> > from the attributes received from the identity provider. However it
> > doesn't seem to be executing that code. It at the very least should have
> > generated an error message when trying to automatically create an
> > affiliation if it failed.
> >
> > Is there any way to troubleshoot shibauth.php to see what is happening?
> > Or is this particular function logged somewhere in particular?
> >
> > Thanks.
> >
> >
> > -----Original Message-----
> > From: MARTINEZ, ARIEL
> > Sent: Sunday, August 30, 2020 1:11 PM
> > To: 'user@vcl.apache.org' <us...@vcl.apache.org>
> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> >
> > I don't know what else to really try because as far as Shibboleth is
> > concerned, it appears to be working. So I went to the
> > /Shibboleth.sso/Session URL after logging in and the following is
> > displayed, I replaced some values that should not be public:
> >
> > Miscellaneous
> > Session Expiration (barring inactivity): 478 minute(s)
> > Client Address: (xx.xx.xx.xxx)
> > SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
> > Identity Provider: (idp entity ID)
> > Authentication Time: 2020-08-30T16:54:23.787Z
> > Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> > Authentication Context Decl: (none)
> >
> > Attributes
> > affiliation: member@domain.com
> > eppn: USER@domain.com;user@domain.com
> > upn: USER@domain.com
> >
> >
> > Unless eppn should not have two values, as far as I can tell, the proper
> > values required by VCL are present. In the VCL database affiliation table,
> > I have populated an existing VCL Affiliation that is configured to use
> > LDAP with the domain.com value under shibname. I also tried creating a new
> > affiliation setting shibonly to 1.
> >
> > I still get the same behavior where, after selecting the Shibboleth
> > authentication method and signing in at my idp, it gets redirected back
> > to the /vcl directory to choose an authentication method.
> >
> >
> > -----Original Message-----
> > From: MARTINEZ, ARIEL
> > Sent: Thursday, August 27, 2020 3:00 PM
> > To: 'user@vcl.apache.org' <us...@vcl.apache.org>
> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> >
> > After login nothing is happening still. So I moved the test.php file from
> > the old Shibboleth instructions to my main VCL directory and set the
> > conf.php file to redirect to this file after login and the attributes are
> > all undefined.
> >
> > Is this sufficient to say with a high level of certainty that my IDP is
> > not sending VCL what it is expecting? Or is the test.php not meant to work
> > that way?
> >
> > Thanks
> >
> > -----Original Message-----
> > From: MARTINEZ, ARIEL
> > Sent: Wednesday, August 26, 2020 11:14 AM
> > To: user@vcl.apache.org
> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> >
> > Hi Josh,
> >
> > Last question before I try again, there is no shibboleth affiliation in
> > my VCL database. So should I be creating a new affiliation for shibboleth
> > and populating the shibname field, or should I use the existing LDAP
> > configured affiliation and populate its shibname field?
> >
> > Thanks
> >
> > -----Original Message-----
> > From: Josh Thompson <jo...@ncsu.edu>
> > Sent: Wednesday, August 26, 2020 11:04 AM
> > To: user@vcl.apache.org
> > Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> - --
> - -------------------------------
> Josh Thompson
> VCL Developer
> North Carolina State University
>
> my GPG/PGP key can be found on pool.sks-keyservers.net
>
>
>
>
>

Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
Hi Josh,

Thanks for this info. The problem is that there is no 'SHIB_EPPN' in the $_SERVER array. There is no other Shibboleth related entry other than the shib session string HTTP_COOKIE.

Not sure how to correct this. How can the required entry be made to be included in the array?

Thanks

On Sep 11, 2020 5:39 PM, Josh Thompson <jo...@ncsu.edu> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ariel,

Toward the top of initGlobals in utils.php, there is a small block of code
that tests conditions for each authentication method if the user is not logged
in, and if that authentication method's test function returns true, it will
then call that authentication method's authentication function.  It's the
"else" block that starts on line 176 of the 2.5.1 release.

The shibauth.php module uses testShibAuth as the test function.  All it does
is to check for $_SERVER['SHIB_EPPN'] being set.  If it is not set, it will
not attempt to authenticate the user using Shibboleth.  An easy way to test
this is to temporarily put a file in the same directory as the main VCL
index.php directory that just has this in it:

<?php
print "<pre>\n";
print_r($_SERVER);
print "</pre>\n";
?>

Don't leave the file in there beyond the testing since it can disclose various
information about your system.

If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found your
problem.  If your Shibboleth configuration is using something different than
'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php.

The VCL php code doesn't log anywhere other than where php errors would be
going.  Look in to configuring php errors for httpd to get that set up.  My
experience has been that systems generally don't log php errors anywhere by
default.

Josh

On Thursday, September 10, 2020 1:47:09 PM EDT MARTINEZ, ARIEL wrote:
> I have been looking further into the shibauth.php file to see what is
> supposed to happen when a shibboleth login happens. For starters, it
> creates an affiliation in the affiliation table if it does not find one
> from the attributes received from the identity provider. However it doesn't
> seem to be executing that code. It at the very least should have generated
> an error message when trying to automatically create an affiliation if it
> failed.
>
> Is there any way to troubleshoot shibauth.php to see what is happening? Or
> is this particular function logged somewhere in particular?
>
> Thanks.
>
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Sunday, August 30, 2020 1:11 PM
> To: 'user@vcl.apache.org' <us...@vcl.apache.org>
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> I don't know what else to really try because as far as Shibboleth is
> concerned, it appears to be working. So I went to the
> /Shibboleth.sso/Session URL after logging in and the following is
> displayed, I replaced some values that should not be public:
>
> Miscellaneous
> Session Expiration (barring inactivity): 478 minute(s)
> Client Address: (xx.xx.xx.xxx)
> SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
> Identity Provider: (idp entity ID)
> Authentication Time: 2020-08-30T16:54:23.787Z
> Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> Authentication Context Decl: (none)
>
> Attributes
> affiliation: member@domain.com
> eppn: USER@domain.com;user@domain.com
> upn: USER@domain.com
>
>
> Unless eppn should not have two values, as far as I can tell, the proper
> values required by VCL are present. In the VCL database affiliation table,
> I have populated an existing VCL Affiliation that is configured to use LDAP
> with the domain.com value under shibname. I also tried creating a new
> affiliation setting shibonly to 1
>
> I still get the same behavior where, after selecting the Shibboleth
> authentication method and signing in at my idp, it gets redirected back to
> the /vcl directory to choose an authentication method.
>
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Thursday, August 27, 2020 3:00 PM
> To: 'user@vcl.apache.org' <us...@vcl.apache.org>
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> After login nothing is happening still. So I moved the test.php file from
> the old Shibboleth instructions to my main VCL directory and set the
> conf.php file to redirect to this file after login and the attributes are
> all undefined.
>
> Is this sufficient to say with a high level of certainty that my IDP is not
> sending VCL what it is expecting? Or is the test.php not meant to work that
> way?
>
> Thanks
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Wednesday, August 26, 2020 11:14 AM
> To: user@vcl.apache.org
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> Hi Josh,
>
> Last question before I try again, there is no shibboleth affiliation in my
> VCL database. So should I be creating a new affiliation for shibboleth and
> populating the shibname field, or should I use the existing LDAP configured
> affiliation and populate its shibname field?
>
> Thanks
>
> -----Original Message-----
> From: Josh Thompson <jo...@ncsu.edu>
> Sent: Wednesday, August 26, 2020 11:04 AM
> To: user@vcl.apache.org
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

- --
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found on pool.sks-keyservers.net





Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by Josh Thompson <jo...@ncsu.edu>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ariel,

Toward the top of initGlobals in utils.php, there is a small block of code 
that tests conditions for each authentication method if the user is not logged 
in, and if that authentication method's test function returns true, it will 
then call that authentication method's authentication function.  It's the 
"else" block that starts on line 176 of the 2.5.1 release.

The shibauth.php module uses testShibAuth as the test function.  All it does 
is to check for $_SERVER['SHIB_EPPN'] being set.  If it is not set, it will 
not attempt to authenticate the user using Shibboleth.  An easy way to test 
this is to temporarily put a file in the same directory as the main VCL 
index.php directory that just has this in it:

<?php
print "<pre>\n";
print_r($_SERVER);
print "</pre>\n";
?>

Don't leave the file in there beyond the testing since it can disclose various 
information about your system.

If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found your 
problem.  If your Shibboleth configuration is using something different than 
'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php.

The VCL php code doesn't log anywhere other than where php errors would be 
going.  Look into configuring php errors for httpd to get that set up.  My 
experience has been that systems generally don't log php errors anywhere by 
default.

Josh

On Thursday, September 10, 2020 1:47:09 PM EDT MARTINEZ, ARIEL wrote:
> I have been looking further into the shibauth.php file to see what is
> supposed to happen when a shibboleth login happens. For starters, it
> creates an affiliation in the affiliation table if it does not find one
> from the attributes received from the identity provider. However, it doesn't
> seem to be executing that code. It at the very least should have generated
> an error message when trying to automatically create an affiliation if it
> failed.
> 
> Is there any way to troubleshoot shibauth.php to see what is happening? Or
> is this particular function logged somewhere in particular?
> 
> Thanks.
> 
> 
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Sunday, August 30, 2020 1:11 PM
> To: 'user@vcl.apache.org' <us...@vcl.apache.org>
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> 
> I don't know what else to really try because as far as Shibboleth is
> concerned, it appears to be working. So I went to the
> /Shibboleth.sso/Session URL after logging in and the following is
> displayed; I replaced some values that should not be public:
> 
> Miscellaneous
> Session Expiration (barring inactivity): 478 minute(s)
> Client Address: (xx.xx.xx.xxx)
> SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
> Identity Provider: (idp entity ID)
> Authentication Time: 2020-08-30T16:54:23.787Z
> Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> Authentication Context Decl: (none)
> 
> Attributes
> affiliation: member@domain.com
> eppn: USER@domain.com;user@domain.com
> upn: USER@domain.com
> 
> 
> Unless eppn should not have two values, as far as I can tell, the proper
> values required by VCL are present. In the VCL database affiliation table,
> I have populated an existing VCL Affiliation that is configured to use LDAP
> with the domain.com value under shibname. I also tried creating a new
> affiliation setting shibonly to 1.
> 
> I still get the same behavior where, after selecting the Shibboleth
> authentication method and signing in at my IdP, it gets redirected back to
> the /vcl directory to choose an authentication method.
> 
> 
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Thursday, August 27, 2020 3:00 PM
> To: 'user@vcl.apache.org' <us...@vcl.apache.org>
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> 
> After login nothing is happening still. So I moved the test.php file from
> the old Shibboleth instructions to my main VCL directory and set the
> conf.php file to redirect to this file after login and the attributes are
> all undefined.
> 
> Is this sufficient to say with a high level of certainty that my IDP is not
> sending VCL what it is expecting? Or is the test.php not meant to work that
> way?
> 
> Thanks
> 
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Wednesday, August 26, 2020 11:14 AM
> To: user@vcl.apache.org
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> 
> Hi Josh,
> 
> Last question before I try again: there is no Shibboleth affiliation in my
> VCL database. So should I be creating a new affiliation for shibboleth and
> populating the shibname field, or should I use the existing LDAP configured
> affiliation and populate its shibname field?
> 
> Thanks
> 
> -----Original Message-----
> From: Josh Thompson <jo...@ncsu.edu>
> Sent: Wednesday, August 26, 2020 11:04 AM
> To: user@vcl.apache.org
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication



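Added example for this thread (not VCL's own code and not from Josh's message): a narrower version of the $_SERVER dump described above. Instead of printing every server variable, it reports whether the eppn variable is present, which scope VCL would compare with affiliation.shibname, and the names (not the values) of the other Shibboleth variables. The variable name SHIB_EPPN is the one the thread says testShibAuth checks; the attribute ids eppn, affiliation and upn are the ones from the /Shibboleth.sso/Session output quoted in the thread; the sample array used under the CLI is constructed. Load it once from the VCL web root after a Shibboleth login, then delete it, as with the print_r file.

```php
<?php
// Added example, not VCL code: probe for the Shibboleth eppn variable
// without disclosing the rest of $_SERVER.

/**
 * Inspect a $_SERVER-like array for the eppn variable. $key defaults to
 * SHIB_EPPN (the name the thread says testShibAuth checks); pass the name
 * your attribute-map.xml actually exports if it differs.
 *
 * Returns ['present' => bool, 'eppn' => ?string, 'scope' => ?string,
 *          'multivalued' => bool].
 */
function probeShibEppn(array $server, string $key = 'SHIB_EPPN'): array
{
    $out = ['present' => false, 'eppn' => null, 'scope' => null, 'multivalued' => false];
    if (!isset($server[$key]) || $server[$key] === '') {
        return $out;
    }
    $out['present'] = true;
    // The SP joins multiple values with ";" (compare the
    // "USER@domain.com;user@domain.com" session output in this thread).
    $values = explode(';', $server[$key]);
    $out['multivalued'] = count($values) > 1;
    $eppn = trim($values[0]);
    $out['eppn'] = $eppn;
    $at = strrpos($eppn, '@');
    if ($at !== false) {
        // Lower-cased so it can be compared with affiliation.shibname.
        $out['scope'] = strtolower(substr($eppn, $at + 1));
    }
    return $out;
}

/**
 * Names of Shibboleth-looking variables, without their values: anything
 * starting with SHIB/Shib-/HTTP_SHIB plus the attribute ids seen in the thread.
 */
function shibVariableNames(array $server): array
{
    $known = ['eppn', 'affiliation', 'upn'];
    $names = [];
    foreach (array_keys($server) as $name) {
        if (stripos($name, 'SHIB') === 0 || stripos($name, 'HTTP_SHIB') === 0
            || in_array(strtolower($name), $known, true)) {
            $names[] = $name;
        }
    }
    sort($names);
    return $names;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample so the probe can be exercised offline.
    $server = [
        'SHIB_EPPN'       => 'USER@domain.com;user@domain.com',
        'Shib-Session-ID' => '_constructed_session_id',
        'affiliation'     => 'member@domain.com',
        'REMOTE_ADDR'     => '192.0.2.10',
    ];
} else {
    header('Content-Type: text/plain');
    $server = $_SERVER;
}

$probe = probeShibEppn($server);
echo 'SHIB_EPPN present: ', $probe['present'] ? 'yes' : 'no', "\n";
if ($probe['present']) {
    echo "first eppn value: {$probe['eppn']}\n";
    echo "scope to match against affiliation.shibname: {$probe['scope']}\n";
    echo 'eppn is multi-valued: ', $probe['multivalued'] ? 'yes' : 'no', "\n";
}
echo 'Shibboleth variables seen: ', implode(', ', shibVariableNames($server)), "\n";
```

If the first line says "no" while /Shibboleth.sso/Session shows the attribute, the SP is exporting it under a different variable name than the one testShibAuth checks, which is the case Josh describes above.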


RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
I have been looking further into the shibauth.php file to see what is supposed to happen when a Shibboleth login happens. For starters, it creates an affiliation in the affiliation table if it does not find one from the attributes received from the identity provider. However, it doesn't seem to be executing that code. It at the very least should have generated an error message when trying to automatically create an affiliation if it failed.

Is there any way to troubleshoot shibauth.php to see what is happening? Or is this particular function logged somewhere in particular?

Thanks.


-----Original Message-----
From: MARTINEZ, ARIEL 
Sent: Sunday, August 30, 2020 1:11 PM
To: 'user@vcl.apache.org' <us...@vcl.apache.org>
Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

I don't know what else to really try because as far as Shibboleth is concerned, it appears to be working. So I went to the /Shibboleth.sso/Session URL after logging in and the following is displayed; I replaced some values that should not be public:

Miscellaneous
Session Expiration (barring inactivity): 478 minute(s)
Client Address: (xx.xx.xx.xxx)
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: (idp entity ID)
Authentication Time: 2020-08-30T16:54:23.787Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)

Attributes
affiliation: member@domain.com
eppn: USER@domain.com;user@domain.com
upn: USER@domain.com


Unless eppn should not have two values, as far as I can tell, the proper values required by VCL are present. In the VCL database affiliation table, I have populated an existing VCL Affiliation that is configured to use LDAP with the domain.com value under shibname. I also tried creating a new affiliation setting shibonly to 1.

I still get the same behavior where, after selecting the Shibboleth authentication method and signing in at my IdP, it gets redirected back to the /vcl directory to choose an authentication method.


-----Original Message-----
From: MARTINEZ, ARIEL
Sent: Thursday, August 27, 2020 3:00 PM
To: 'user@vcl.apache.org' <us...@vcl.apache.org>
Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

After login nothing is happening still. So I moved the test.php file from the old Shibboleth instructions to my main VCL directory and set the conf.php file to redirect to this file after login and the attributes are all undefined.

Is this sufficient to say with a high level of certainty that my IDP is not sending VCL what it is expecting? Or is the test.php not meant to work that way?

Thanks

-----Original Message-----
From: MARTINEZ, ARIEL
Sent: Wednesday, August 26, 2020 11:14 AM
To: user@vcl.apache.org
Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Hi Josh,

Last question before I try again: there is no Shibboleth affiliation in my VCL database. So should I be creating a new affiliation for shibboleth and populating the shibname field, or should I use the existing LDAP configured affiliation and populate its shibname field?

Thanks

-----Original Message-----
From: Josh Thompson <jo...@ncsu.edu>
Sent: Wednesday, August 26, 2020 11:04 AM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication





RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
I don't know what else to really try because as far as Shibboleth is concerned, it appears to be working. So I went to the /Shibboleth.sso/Session URL after logging in and the following is displayed; I replaced some values that should not be public:

Miscellaneous
Session Expiration (barring inactivity): 478 minute(s)
Client Address: (xx.xx.xx.xxx)
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: (idp entity ID) 
Authentication Time: 2020-08-30T16:54:23.787Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)

Attributes
affiliation: member@domain.com
eppn: USER@domain.com;user@domain.com
upn: USER@domain.com


Unless eppn should not have two values, as far as I can tell, the proper values required by VCL are present. In the VCL database affiliation table, I have populated an existing VCL Affiliation that is configured to use LDAP with the domain.com value under shibname. I also tried creating a new affiliation setting shibonly to 1.

I still get the same behavior where, after selecting the Shibboleth authentication method and signing in at my IdP, it gets redirected back to the /vcl directory to choose an authentication method.


-----Original Message-----
From: MARTINEZ, ARIEL 
Sent: Thursday, August 27, 2020 3:00 PM
To: 'user@vcl.apache.org' <us...@vcl.apache.org>
Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

After login nothing is happening still. So I moved the test.php file from the old Shibboleth instructions to my main VCL directory and set the conf.php file to redirect to this file after login and the attributes are all undefined.

Is this sufficient to say with a high level of certainty that my IDP is not sending VCL what it is expecting? Or is the test.php not meant to work that way?

Thanks

-----Original Message-----
From: MARTINEZ, ARIEL
Sent: Wednesday, August 26, 2020 11:14 AM
To: user@vcl.apache.org
Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Hi Josh,

Last question before I try again: there is no Shibboleth affiliation in my VCL database. So should I be creating a new affiliation for shibboleth and populating the shibname field, or should I use the existing LDAP configured affiliation and populate its shibname field?

Thanks

-----Original Message-----
From: Josh Thompson <jo...@ncsu.edu>
Sent: Wednesday, August 26, 2020 11:04 AM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication





RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
After login nothing is happening still. So I moved the test.php file from the old Shibboleth instructions to my main VCL directory and set the conf.php file to redirect to this file after login and the attributes are all undefined.

Is this sufficient to say with a high level of certainty that my IDP is not sending VCL what it is expecting? Or is the test.php not meant to work that way?

Thanks

-----Original Message-----
From: MARTINEZ, ARIEL 
Sent: Wednesday, August 26, 2020 11:14 AM
To: user@vcl.apache.org
Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Hi Josh,

Last question before I try again: there is no Shibboleth affiliation in my VCL database. So should I be creating a new affiliation for shibboleth and populating the shibname field, or should I use the existing LDAP configured affiliation and populate its shibname field?

Thanks

-----Original Message-----
From: Josh Thompson <jo...@ncsu.edu>
Sent: Wednesday, August 26, 2020 11:04 AM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication





RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
Hi Josh,

Last question before I try again: there is no Shibboleth affiliation in my VCL database. So should I be creating a new affiliation for shibboleth and populating the shibname field, or should I use the existing LDAP configured affiliation and populate its shibname field?

Thanks

-----Original Message-----
From: Josh Thompson <jo...@ncsu.edu> 
Sent: Wednesday, August 26, 2020 11:04 AM
To: user@vcl.apache.org
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication





Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by Josh Thompson <jo...@ncsu.edu>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ariel,

Responses inline.


On Wednesday, August 26, 2020 7:57:08 AM EDT MARTINEZ, ARIEL wrote:
> Hi Josh,
> 
> Thanks for this. I made the changes and there is no more unauthorized error
> message on the page. But after logging into the identity provider, when it
> gets redirected back to the main VCL directory, it did not log in. Selecting
> the Shibboleth affiliation just keeps redirecting back to that login
> selection page.
> 
> But I think I am very close now to getting it to work.
> 
> So from the eppn attribute, it will use whatever is after the @ to find a
> matching affiliation in VCL and it should log the user into that?
> 
> I looked in the VCL database for the affiliation table and no affiliation
> has the shibname defined.
> 
> Should I manually enter whatever is after the @ from eppn into the shibname
> field value?

Yes, you'll need to manually update that field in the database.  Sorry, I 
didn't think to mention that before.
 
> When I set up the LDAP login for that affiliation, it is using the
> samaccountname from LDAP, whatever is to the left of the @. I think I may
> also need to change this to use the LDAP user principal name which will
> have the full user@domain format which should match eppn.

LDAP authentication works differently.  You'll want to leave it using 
samaccountname.  I don't think it will work correctly using the full 
user@domain format for LDAP.

Josh
 
> Thanks.
> 
> On Aug 25, 2020 6:13 PM, Josh Thompson <jo...@ncsu.edu> wrote:





[Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
Hi Josh,

Thanks for this. I made the changes and there is no more unauthorized error message on the page. But after logging into the identity provider, when it gets redirected back to the main VCL directory, it did not log in. Selecting the Shibboleth affiliation just keeps redirecting back to that login selection page.

But I think I am very close now to getting it to work.

So from the eppn attribute, it will use whatever is after the @ to find a matching affiliation in VCL and it should log the user into that?

I looked in the VCL database for the affiliation table and no affiliation has the shibname defined.

Should I manually enter whatever is after the @ from eppn into the shibname field value?

When I set up the LDAP login for that affiliation, it is using the samaccountname from LDAP, whatever is to the left of the @. I think I may also need to change this to use the LDAP user principal name which will have the full user@domain format which should match eppn.

Thanks.

On Aug 25, 2020 6:13 PM, Josh Thompson <jo...@ncsu.edu> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ariel,

I'm always a little fuzzy on Shibboleth stuff but this is the best I can
remember.

I think at some point since that documentation page was written, the /shibauth
directory became unnecessary.  Now, you need to create .htaccess in the main
vcl directory (where index.php and .ht-inc are) with the following content:

AuthType shibboleth
ShibRequireSession Off
require shibboleth

This will cause httpd to pass Shibboleth data to VCL if the user is
authenticated to Shibboleth but not require them to be.  If they are not
authenticated, they should be given the screen for selecting the
authentication method to use.

In .ht-inc/conf.php, you'll need to create an entry in $authMechs for logging
in with Shibboleth and craft a URL that will direct the user to an IdP with
the right information for being sent back after logging in.  For example, we
have the following entry:

   "NCSU Login" => array("type" => "redirect",
                        "URL" => "https://vcl.ncsu.edu/Shibboleth.sso/Login?
target=https://vcl.ncsu.edu/scheduling/&entityID=https://shib.ncsu.edu/idp/
shibboleth",
                        "affiliationid" => 0,
                        "help" => "Use NCSU Login if you are an NCSU user")

VCL then determines the affiliation of the user by matching the part of their
eppn after the @ to affiliation.shibname in the database.

You'll probably want to change the name for affiliation #3 to something other
than LDAP.  The affiliation isn't how users are authenticated but who they are
associated with.  A single installation of VCL can service multiple
institutions.  We work with a number of other universities.  Each university
has its own affiliation.  However, some of them are part of the same
Shibboleth federation.  So, they use the same authentication method.

Josh

On Tuesday, August 25, 2020 1:33:18 PM EDT MARTINEZ, ARIEL wrote:
> I enabled debug logging for shibboleth and I see the required attributes
> coming through from my identity provider correctly, as per
> /var/log/shibboleth/shibd.log. I think that the issue is with my setup of
> the shibboleth authentication for the directories. In the instructions for
> Shibboleth auth, it says:
>
> The first step is to configure Apache by protecting the /shibauth directory
> on your webserver. If the VCL is installed in the webserver root, the
> configuration will look like this:
>
> <Location /shibauth>
>     AuthType shibboleth
>     ShibRequestSetting requireSession 1
>     require valid-user
> </Location>
>
> Where should this be going in a default VCL installation on CentOS 7?
>
>
> Just for the heck of it, I checked the VCL database affiliations table and
> there are only 3:
>
> 1: Local
> 2: Global
> 3: LDAP
>
> Not sure if this is correct. But in the conf.php file the Shibboleth
> configuration is set to affiliation ID 0.
>
> Thanks.
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Monday, August 24, 2020 11:53 AM
> To: 'user@vcl.apache.org' <us...@vcl.apache.org>
> Subject: RE: [EXTERNAL] Re: ADFS SSO Authentication
>
> I was able to set up a Shibboleth service provider and on the VCL login page
> after selecting my identity provider, I am able to log in there but when it
> comes back, I get the error:
>
>  Unauthorized
> "This server could not verify that you are authorized to access the document
> requested. Either you supplied the wrong credentials (e.g., bad password),
> or your browser doesn't understand how to supply the credentials required."
>
> The URL says it was redirected to /shibauth. I tried the instructions in the
> documentation to set up the test.php page to see if the attributes are
> being passed but that is not working. Is there any other way to determine
> if the information from the identity provider is being sent properly to
> VCL?
>
> Thanks,
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Tuesday, August 18, 2020 2:08 PM
> To: user@vcl.apache.org
> Subject: RE: [EXTERNAL] Re: ADFS SSO Authentication
>
> Hi Josh,
>
> I did some more research and I think that in order to get SSO through ADFS,
> Shibboleth needs to be set up first since Apache cannot natively
> authenticate against ADFS. I found a step by step article that seems to be
> the answer:
> http://www.jbmurphy.com/2016/08/31/using-adfs-for-authenticating-apache-hosted-sites-2/
> Once that is up, I intend to configure as per
> https://vcl.apache.org/docs/shibauth.html and see what happens.
>
> Thanks,
>
>
> -----Original Message-----
> From: Josh Thompson <jo...@ncsu.edu>
> Sent: Tuesday, August 18, 2020 1:12 PM
> To: user@vcl.apache.org
> Subject: Re: [EXTERNAL] Re: ADFS SSO Authentication



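Added example, not VCL code and not from Josh's message, putting the two pieces he describes above into runnable form: a $authMechs "redirect" entry whose target and entityID query parameters are built with http_build_query rather than pasted into the string, and the affiliation lookup that compares the part of eppn after the "@" with affiliation.shibname. The host names and the ADFS entityID (http://adfs.example.edu/adfs/services/trust) are placeholders; the affiliation table is a constructed in-memory SQLite stand-in with only the columns named in the thread (name, shibname, shibonly, plus an assumed id column), so the script runs offline with PHP's pdo_sqlite extension.

```php
<?php
// Added example, not VCL code: a conf.php-style $authMechs entry and the
// eppn-scope -> affiliation.shibname lookup, against a constructed table.

/** Build a Shibboleth SP login URL that returns the user to $target. */
function shibLoginUrl(string $spBase, string $target, string $idpEntityId): string
{
    // http_build_query percent-encodes both values, so "&" or "/" inside
    // the entityID cannot split the query string the way a hand-typed URL can.
    return rtrim($spBase, '/') . '/Shibboleth.sso/Login?' . http_build_query([
        'target'   => $target,
        'entityID' => $idpEntityId,
    ]);
}

// Shape of the conf.php entry (placeholder host names and entityID).
$authMechs = [
    'Campus Login (ADFS)' => [
        'type'          => 'redirect',
        'URL'           => shibLoginUrl('https://vcl.example.edu',
                                        'https://vcl.example.edu/',
                                        'http://adfs.example.edu/adfs/services/trust'),
        'affiliationid' => 0,
        'help'          => 'Use Campus Login if you have a campus account',
    ],
];

/** Scope (part after the last "@") of the first eppn value, lower-cased. */
function eppnScope(string $eppn): ?string
{
    $first = trim(explode(';', $eppn)[0]);   // the SP joins multiple values with ";"
    $at = strrpos($first, '@');
    return $at === false ? null : strtolower(substr($first, $at + 1));
}

/**
 * Find the affiliation whose shibname matches the eppn scope. The value is
 * bound through a prepared statement, so attribute text never reaches the
 * SQL itself. Returns ['id' => .., 'name' => .., 'shibonly' => ..] or null.
 */
function affiliationForEppn(PDO $db, string $eppn): ?array
{
    $scope = eppnScope($eppn);
    if ($scope === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name, shibonly FROM affiliation WHERE LOWER(shibname) = ?');
    $stmt->execute([$scope]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed stand-in for the affiliation table from the thread: the three
// rows Ariel listed, with shibname filled in on the third as Josh advises.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE affiliation (id INTEGER PRIMARY KEY, name TEXT, shibname TEXT, shibonly INTEGER DEFAULT 0)');
$db->exec("INSERT INTO affiliation VALUES (1, 'Local', NULL, 0), (2, 'Global', NULL, 0), (3, 'Campus', 'domain.com', 0)");

echo $authMechs['Campus Login (ADFS)']['URL'], "\n";
foreach (['USER@domain.com;user@domain.com', 'someone@other.edu', 'noscope'] as $eppn) {
    $aff = affiliationForEppn($db, $eppn);
    echo str_pad($eppn, 34), ' -> ',
         $aff ? "affiliation {$aff['id']} ({$aff['name']})" : 'no matching affiliation', "\n";
}
```

The first eppn resolves to affiliation 3 because its scope, domain.com, matches the shibname column; the second and third do not resolve, which is the situation Ariel describes when no row has shibname set: Shibboleth authenticates the user, but VCL finds no affiliation to place them in.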


Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by Josh Thompson <jo...@ncsu.edu>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ariel,

I'm always a little fuzzy on Shibboleth stuff but this is the best I can 
remember.

I think at some point since that documentation page was written, the /shibauth 
directory became unnecessary.  Now, you need to create .htaccess in the main 
vcl directory (where index.php and .ht-inc are) with the following content:

AuthType shibboleth
ShibRequireSession Off
require shibboleth

This will cause httpd to pass Shibboleth data to VCL if the user is 
authenticated to Shibboleth but not require them to be.  If they are not 
authenticated, they should be given the screen for selecting the 
authentication method to use.

In .ht-inc/conf.php, you'll need to create an entry in $authMechs for logging 
in with Shibboleth and craft a URL that will direct the user to an IdP with 
the right information for being sent back after logging in.  For example, we 
have the following entry:

   "NCSU Login" => array("type" => "redirect",
                        "URL" => "https://vcl.ncsu.edu/Shibboleth.sso/Login?
target=https://vcl.ncsu.edu/scheduling/&entityID=https://shib.ncsu.edu/idp/
shibboleth",
                        "affiliationid" => 0,
                        "help" => "Use NCSU Login if you are an NCSU user")

VCL then determines the affiliation of the user by matching the part of their 
eppn after the @ to affiliation.shibname in the database.

You'll probably want to change the name for affiliation #3 to something other 
than LDAP.  The affiliation isn't how users are authenticated but who they are 
associated with.  A single installation of VCL can service multiple 
institutions.  We work with a number of other universities.  Each university 
has its own affiliation.  However, some of them are part of the same 
Shibboleth federation.  So, they use the same authentication method.

Josh

On Tuesday, August 25, 2020 1:33:18 PM EDT MARTINEZ, ARIEL wrote:
> I enabled debug logging for shibboleth and I see the required attributes
> coming through from my identity provider correctly, as per
> /var/log/shibboleth/shibd.log. I think that the issue is with my setup of
> the shibboleth authentication for the directories. In the instructions for
> Shibboleth auth, it says:
> 
> The first step is to configure Apache by protecting the /shibauth directory
> on your webserver. If the VCL is installed in the webserver root, the
> configuration will look like this:
> 
> <Location /shibauth>
>     AuthType shibboleth
>     ShibRequestSetting requireSession 1
>     require valid-user
> </Location>
> 
> Where should this be going in a default VCL installation on CentOS 7?
> 
> 
> Just for the heck of it, I checked the VCL database affiliations table and
> there are only 3:
> 
> 1: Local
> 2: Global
> 3: LDAP
> 
> Not sure if this is correct. But in the conf.php file the Shibboleth
> configuration is set to affiliation ID 0.
> 
> Thanks.
> 
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Monday, August 24, 2020 11:53 AM
> To: 'user@vcl.apache.org' <us...@vcl.apache.org>
> Subject: RE: [EXTERNAL] Re: ADFS SSO Authentication
> 
> I was able to set up a Shibboleth service provider and on the VCL login page
> after selecting my identity provider, I am able to log in there but when it
> comes back, I get the error:
> 
>  Unauthorized
> "This server could not verify that you are authorized to access the document
> requested. Either you supplied the wrong credentials (e.g., bad password),
> or your browser doesn't understand how to supply the credentials required."
> 
> The URL says it was redirected to \shibauth. I tried the instructions in the
> documentation to set up the test.php page to see if the attributes are
> being passed but that is not working. Is there any other way to determine
> if the information from the identity provider is being sent properly to
> VCL?
> 
> Thanks,
> 
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Tuesday, August 18, 2020 2:08 PM
> To: user@vcl.apache.org
> Subject: RE: [EXTERNAL] Re: ADFS SSO Authentication
> 
> Hi Josh,
> 
> I did some more research and I think that in order to get SSO through ADFS,
> Shibboleth needs to be set up first since Apache cannot natively
> authenticate against ADFS. I found a step by step article that seems to be
> the answer:
> http://www.jbmurphy.com/2016/08/31/using-adfs-for-authenticating-apache-hosted-sites-2/
> Once that is up, I intend to configure as per
> https://vcl.apache.org/docs/shibauth.html and see what happens.
> 
> Thanks,
> 
> 
> -----Original Message-----
> From: Josh Thompson <jo...@ncsu.edu>
> Sent: Tuesday, August 18, 2020 1:12 PM
> To: user@vcl.apache.org
> Subject: Re: [EXTERNAL] Re: ADFS SSO Authentication

- -- 
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found on pool.sks-keyservers.net

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQRMIdRtWXideTZDK31X8tBw1209AwUCX0WNCQAKCRBX8tBw1209
A8fzAJ9Wnrkw3rNX6EbjT7W/RCYbbQgLtwCfdLwdT6RoLLYVPTMEU7bJyEo+9Do=
=VRhm
-----END PGP SIGNATURE-----
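The two pieces Josh describes above, the redirect URL for the $authMechs entry and matching the part of the eppn after the @ against affiliation.shibname, worked through in code. This is an added example and not VCL's own implementation: the function names, the constructed affiliation rows and the example.edu hostnames are assumptions, and the case-insensitive comparison and the diagnosis messages are this example's choices rather than documented VCL behaviour. It goes a little beyond the thread by showing what happens when the eppn has no scope or no affiliation row carries a matching shibname, which is the situation Ariel's three default rows (Local, Global, LDAP) would produce.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample of the affiliation table.  Ids 1-3 mirror the three default
# rows mentioned in the thread; row 4 is a hypothetical Shibboleth-backed
# affiliation whose shibname is the domain part of its users' eppn values.
AFFILIATIONS = [
    {"id": 1, "name": "Local", "shibname": None},
    {"id": 2, "name": "Global", "shibname": None},
    {"id": 3, "name": "LDAP", "shibname": None},
    {"id": 4, "name": "Example University", "shibname": "example.edu"},
]


def build_shib_login_url(sp_base, target, entity_id):
    """Return the SP Login handler URL to put in an $authMechs redirect entry.

    target and entityID are percent-encoded so the '/', ':' and '&' inside them
    cannot be confused with query-string syntax on the way to the SP.
    """
    query = urlencode({"target": target, "entityID": entity_id})
    return f"{sp_base.rstrip('/')}/Shibboleth.sso/Login?{query}"


def login_url_params(url):
    """Decode the query string of a Login URL back into {name: value}."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def eppn_scope(eppn):
    """Return the part of the eppn after the last '@' (lower-cased), or None."""
    _user, sep, scope = eppn.rpartition("@")
    if not sep or not scope:
        return None
    return scope.lower()


def affiliation_for_eppn(eppn, affiliations=AFFILIATIONS):
    """Return the id of the affiliation whose shibname matches the eppn scope.

    Rows with no shibname (Local, Global, LDAP in the defaults) never match,
    which is why a Shibboleth user needs a row with shibname set.
    """
    scope = eppn_scope(eppn)
    if scope is None:
        return None
    for row in affiliations:
        if row["shibname"] and row["shibname"].lower() == scope:
            return row["id"]
    return None


def diagnose_shib_login(attrs, affiliations=AFFILIATIONS):
    """Explain why a Shibboleth login would or would not map to an affiliation.

    attrs is the dict of attributes the SP exported for the request (a
    constructed dict here; on a real server they are the variables mod_shib
    sets, which is what VCL reads from PHP).
    """
    eppn = attrs.get("eppn")
    if not eppn:
        return "no eppn attribute: check attribute-map.xml and shibd.log"
    scope = eppn_scope(eppn)
    if scope is None:
        return f"eppn {eppn!r} has no scope after '@'; cannot pick an affiliation"
    affid = affiliation_for_eppn(eppn, affiliations)
    if affid is None:
        return f"no affiliation row has shibname = {scope!r}"
    return f"eppn {eppn!r} maps to affiliation id {affid}"


if __name__ == "__main__":
    print(build_shib_login_url("https://vcl.example.edu",
                               "https://vcl.example.edu/scheduling/",
                               "https://idp.example.edu/idp/shibboleth"))
    for sample in ({"eppn": "jdoe@example.edu"}, {"eppn": "jdoe@other.edu"}, {}):
        print(diagnose_shib_login(sample))
```

The first check diagnose_shib_login makes (no eppn at all) is the one that matters with the root-level `ShibRequireSession Off` / `require shibboleth` configuration: attributes are only exported once a session exists, so an empty attribute set means the SP session was never established, while a present eppn with no matching shibname row means the session is fine and the database is what needs the extra affiliation.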




RE: [EXTERNAL] Re: ADFS SSO Authentication

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
I enabled debug logging for shibboleth and I see the required attributes coming through from my identity provider correctly, as per /var/log/shibboleth/shibd.log. I think that the issue is with my setup of the shibboleth authentication for the directories. In the instructions for Shibboleth auth, it says:

The first step is to configure Apache by protecting the /shibauth directory on your webserver. If the VCL is installed in the webserver root, the configuration will look like this:

<Location /shibauth>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    require valid-user
</Location>

Where should this be going in a default VCL installation on CentOS 7? 


Just for the heck of it, I checked the VCL database affiliations table and there are only 3: 

1: Local
2: Global
3: LDAP

Not sure if this is correct. But in the conf.php file the Shibboleth configuration is set to affiliation ID 0. 

Thanks.

-----Original Message-----
From: MARTINEZ, ARIEL 
Sent: Monday, August 24, 2020 11:53 AM
To: 'user@vcl.apache.org' <us...@vcl.apache.org>
Subject: RE: [EXTERNAL] Re: ADFS SSO Authentication

I was able to set up a Shibboleth service provider and on the VCL login page after selecting my identity provider, I am able to log in there but when it comes back, I get the error: 

 Unauthorized
"This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required."

The URL says it was redirected to \shibauth. I tried the instructions in the documentation to set up the test.php page to see if the attributes are being passed but that is not working. Is there any other way to determine if the information from the identity provider is being sent properly to VCL? 

Thanks,

-----Original Message-----
From: MARTINEZ, ARIEL
Sent: Tuesday, August 18, 2020 2:08 PM
To: user@vcl.apache.org
Subject: RE: [EXTERNAL] Re: ADFS SSO Authentication

Hi Josh,

I did some more research and I think that in order to get SSO through ADFS, Shibboleth needs to be set up first since Apache cannot natively authenticate against ADFS. I found a step by step article that seems to be the answer: http://www.jbmurphy.com/2016/08/31/using-adfs-for-authenticating-apache-hosted-sites-2/ Once that is up, I intend to configure as per https://vcl.apache.org/docs/shibauth.html and see what happens.

Thanks,


-----Original Message-----
From: Josh Thompson <jo...@ncsu.edu>
Sent: Tuesday, August 18, 2020 1:12 PM
To: user@vcl.apache.org
Subject: Re: [EXTERNAL] Re: ADFS SSO Authentication

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ariel,

VCL doesn't really directly interact with Shibboleth.  Apache httpd is configured to work with Apache, and VCL looks for certain variables set in PHP by httpd when a user is authenticated with Shibboleth.  So, you'll probably need to work with your httpd configuration to have it interact with ADFS correctly.  I won't be much help there as other staff members have primarily taken care of that part with our installation.

Josh

On Monday, August 17, 2020 3:00:37 PM EDT MARTINEZ, ARIEL wrote:
> Hi Josh,
> 
> Do you know if the VCL Shibboleth configuration generates a metadata 
> file? I think that to set up SSO with ADFS, our ADFS will need to send 
> the attributes to Shibboleth since that is what VCL will be expecting 
> for authentication.
> 
> Thanks,
> 
> -----Original Message-----
> From: Josh Thompson <jo...@ncsu.edu>
> Sent: Monday, August 17, 2020 1:22 PM
> To: user@vcl.apache.org
> Subject: [EXTERNAL] Re: ADFS SSO Authentication
> 
> WARNING: This email originated outside the Hostos campus. Do not click 
> links or open attachments unless you recognize the sender and know the 
> content is safe. Never provide login credentials, financial or 
> sensitive details in response to an email or by clicking on a link. Report suspicious emails to:
> reportspam@hostos.cuny.edu

- --
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University





RE: [EXTERNAL] Re: ADFS SSO Authentication

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
I was able to set up a Shibboleth service provider and on the VCL login page after selecting my identity provider, I am able to log in there but when it comes back, I get the error: 

 Unauthorized
"This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required."

The URL says it was redirected to \shibauth. I tried the instructions in the documentation to set up the test.php page to see if the attributes are being passed but that is not working. Is there any other way to determine if the information from the identity provider is being sent properly to VCL? 

Thanks,

-----Original Message-----
From: MARTINEZ, ARIEL 
Sent: Tuesday, August 18, 2020 2:08 PM
To: user@vcl.apache.org
Subject: RE: [EXTERNAL] Re: ADFS SSO Authentication

Hi Josh,

I did some more research and I think that in order to get SSO through ADFS, Shibboleth needs to be set up first since Apache cannot natively authenticate against ADFS. I found a step by step article that seems to be the answer: http://www.jbmurphy.com/2016/08/31/using-adfs-for-authenticating-apache-hosted-sites-2/ Once that is up, I intend to configure as per https://vcl.apache.org/docs/shibauth.html and see what happens.

Thanks,


-----Original Message-----
From: Josh Thompson <jo...@ncsu.edu>
Sent: Tuesday, August 18, 2020 1:12 PM
To: user@vcl.apache.org
Subject: Re: [EXTERNAL] Re: ADFS SSO Authentication

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ariel,

VCL doesn't really directly interact with Shibboleth.  Apache httpd is configured to work with Apache, and VCL looks for certain variables set in PHP by httpd when a user is authenticated with Shibboleth.  So, you'll probably need to work with your httpd configuration to have it interact with ADFS correctly.  I won't be much help there as other staff members have primarily taken care of that part with our installation.

Josh

On Monday, August 17, 2020 3:00:37 PM EDT MARTINEZ, ARIEL wrote:
> Hi Josh,
> 
> Do you know if the VCL Shibboleth configuration generates a metadata 
> file? I think that to set up SSO with ADFS, our ADFS will need to send 
> the attributes to Shibboleth since that is what VCL will be expecting 
> for authentication.
> 
> Thanks,
> 
> -----Original Message-----
> From: Josh Thompson <jo...@ncsu.edu>
> Sent: Monday, August 17, 2020 1:22 PM
> To: user@vcl.apache.org
> Subject: [EXTERNAL] Re: ADFS SSO Authentication
> 

- --
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University





RE: [EXTERNAL] Re: ADFS SSO Authentication

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
Hi Josh,

I did some more research and I think that in order to get SSO through ADFS, Shibboleth needs to be set up first since Apache cannot natively authenticate against ADFS. I found a step by step article that seems to be the answer: http://www.jbmurphy.com/2016/08/31/using-adfs-for-authenticating-apache-hosted-sites-2/ Once that is up, I intend to configure as per https://vcl.apache.org/docs/shibauth.html and see what happens.

Thanks,


-----Original Message-----
From: Josh Thompson <jo...@ncsu.edu> 
Sent: Tuesday, August 18, 2020 1:12 PM
To: user@vcl.apache.org
Subject: Re: [EXTERNAL] Re: ADFS SSO Authentication

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ariel,

VCL doesn't really directly interact with Shibboleth.  Apache httpd is configured to work with Apache, and VCL looks for certain variables set in PHP by httpd when a user is authenticated with Shibboleth.  So, you'll probably need to work with your httpd configuration to have it interact with ADFS correctly.  I won't be much help there as other staff members have primarily taken care of that part with our installation.

Josh

On Monday, August 17, 2020 3:00:37 PM EDT MARTINEZ, ARIEL wrote:
> Hi Josh,
> 
> Do you know if the VCL Shibboleth configuration generates a metadata file? I
> think that to set up SSO with ADFS, our ADFS will need to send the
> attributes to Shibboleth since that is what VCL will be expecting for
> authentication.
> 
> Thanks,
> 
> -----Original Message-----
> From: Josh Thompson <jo...@ncsu.edu>
> Sent: Monday, August 17, 2020 1:22 PM
> To: user@vcl.apache.org
> Subject: [EXTERNAL] Re: ADFS SSO Authentication
> 

- -- 
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University





Re: [EXTERNAL] Re: ADFS SSO Authentication

Posted by Josh Thompson <jo...@ncsu.edu>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ariel,

VCL doesn't really directly interact with Shibboleth.  Apache httpd is 
configured to work with Apache, and VCL looks for certain variables set in PHP 
by httpd when a user is authenticated with Shibboleth.  So, you'll probably 
need to work with your httpd configuration to have it interact with ADFS 
correctly.  I won't be much help there as other staff members have primarily 
taken care of that part with our installation.

Josh

On Monday, August 17, 2020 3:00:37 PM EDT MARTINEZ, ARIEL wrote:
> Hi Josh,
> 
> Do you know if the VCL Shibboleth configuration generates a metadata file? I
> think that to set up SSO with ADFS, our ADFS will need to send the
> attributes to Shibboleth since that is what VCL will be expecting for
> authentication.
> 
> Thanks,
> 
> -----Original Message-----
> From: Josh Thompson <jo...@ncsu.edu>
> Sent: Monday, August 17, 2020 1:22 PM
> To: user@vcl.apache.org
> Subject: [EXTERNAL] Re: ADFS SSO Authentication
> 

- -- 
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University
