You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@vcl.apache.org by Evelio Quiros <ev...@fiu.edu> on 2012/08/01 19:06:34 UTC

Shibboleth user group creation and managment

Hello All,

We just upgraded our 2.2.1 installation to 2.3.

Before update, students were able to login and be put into a
"shib-student" group.
VCL would have created the group on first login.
But after the upgrade, students can still login, but the VCL did not
create the shib-student group.

I added the group manually to the database as a federated group, but
student logins are not being put into it.

Staff can login using Shibboleth, and they are put into the shib-staff
group ok.

Did something change in the way VCL handles Shibboleth with the new
version ?
Did I forget to copy over a config from the old site ?

Thanks,
Al Q
FIU

Re: Shibboleth user group creation and managment - Solved

Posted by Josh Thompson <jo...@ncsu.edu>.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Al,

What did you update in shibauth/index.php?  My knowledge of Shibboleth is 
somewhat limited, but I would not have thought it needed any changes, just a 
change in how the shibboleth mappings are configured in 
/etc/shibboleth/attribute-map.xml.

Josh

On Thursday, August 02, 2012 12:37:04 PM Evelio Quiros wrote:
> Hello Josh,
> 
> Yes, that was the problem.
> I updated index.php in the shibauth directory, and mapped the affiliation
> attributes to the database.
> Now it works again. Thanks for your help.
> 
> Al Quiros
> Florida International University
> 
> On 8/1/12 4:36 PM, "Josh Thompson" <jo...@ncsu.edu> wrote:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >Al,
> >
> >There were not many changes to the code related to Shibboleth. It sounds
> >like
> >Shibboleth may not be passing the correct affiliation information for the
> >student user to the VCL web code.  You can create a file in vcl/shibauth
> >named
> >shibdata.php with the following in it to see what is getting passed to
> >the VCL
> >code by Shibboleth:
> >
> ><?php
> >print "<pre>";
> >print_r($_SERVER);
> >print "</pre>";
> >}
> >?>
> >
> >Then, open https://your.vcl.site/vcl/shibauth/shibdata.php with the
> >problematic user logged in to see if anything is set for [affiliation].
> >If
> >you do not, or the field is just an empty string, then VCL is not getting
> >the
> >data from Shibboleth.
> >
> >Josh
> >
> >On Wednesday, August 01, 2012 5:06:34 PM Evelio Quiros wrote:
> >> Hello All,
> >> 
> >> We just upgraded our 2.2.1 installation to 2.3.
> >> 
> >> Before update, students were able to login and be put into a
> >> "shib-student" group.
> >> VCL would have created the group on first login.
> >> But after the upgrade, students can still login, but the VCL did not
> >> create the shib-student group.
> >> 
> >> I added the group manually to the database as a federated group, but
> >> student logins are not being put into it.
> >> 
> >> Staff can login using Shibboleth, and they are put into the shib-staff
> >> group ok.
> >> 
> >> Did something change in the way VCL handles Shibboleth with the new
> >> version ?
> >> Did I forget to copy over a config from the old site ?
> >> 
> >> Thanks,
> >> Al Q
> >> FIU
> >
> >- --
> >- -------------------------------
> >Josh Thompson
> >VCL Developer
> >North Carolina State University
> >
> >my GPG/PGP key can be found at pgp.mit.edu
> >
> >All electronic mail messages in connection with State business which
> >are sent to or received by this account are subject to the NC Public
> >Records Law and may be disclosed to third parties.
> >-----BEGIN PGP SIGNATURE-----
> >Version: GnuPG v2.0.17 (GNU/Linux)
> >
> >iEYEARECAAYFAlAZk3AACgkQV/LQcNdtPQMoMACeL/QBd0AaMS8la8cq059ClQ5E
> >9O4AnRZDmCclzYfzJNPY7kUJVBxAkaHJ
> >=XIE6
> >-----END PGP SIGNATURE-----
- -- 
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found at pgp.mit.edu

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)

iEYEARECAAYFAlAadrIACgkQV/LQcNdtPQOFPQCbB9O1VkvOiG9UjJQCrwnxthr4
NNwAn2U8ZxLtm1Zt0+hEjExbmbPJTP1a
=EB6H
-----END PGP SIGNATURE-----

Re: Shibboleth user group creation and managment - Solved

Posted by Evelio Quiros <ev...@fiu.edu>.

Hello Josh,

Yes, that was the problem.
I updated index.php in the shibauth directory, and mapped the affiliation
attributes to the database.
Now it works again. Thanks for your help.

Al Quiros
Florida International University


On 8/1/12 4:36 PM, "Josh Thompson" <jo...@ncsu.edu> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Al,
>
>There were not many changes to the code related to Shibboleth. It sounds
>like 
>Shibboleth may not be passing the correct affiliation information for the
>student user to the VCL web code.  You can create a file in vcl/shibauth
>named 
>shibdata.php with the following in it to see what is getting passed to
>the VCL 
>code by Shibboleth:
>
><?php
>print "<pre>";
>print_r($_SERVER);
>print "</pre>";
>}
>?>
>
>Then, open https://your.vcl.site/vcl/shibauth/shibdata.php with the
>problematic user logged in to see if anything is set for [affiliation].
>If 
>you do not, or the field is just an empty string, then VCL is not getting
>the 
>data from Shibboleth.
>
>Josh
>
>On Wednesday, August 01, 2012 5:06:34 PM Evelio Quiros wrote:
>> Hello All,
>> 
>> We just upgraded our 2.2.1 installation to 2.3.
>> 
>> Before update, students were able to login and be put into a
>> "shib-student" group.
>> VCL would have created the group on first login.
>> But after the upgrade, students can still login, but the VCL did not
>> create the shib-student group.
>> 
>> I added the group manually to the database as a federated group, but
>> student logins are not being put into it.
>> 
>> Staff can login using Shibboleth, and they are put into the shib-staff
>> group ok.
>> 
>> Did something change in the way VCL handles Shibboleth with the new
>> version ?
>> Did I forget to copy over a config from the old site ?
>> 
>> Thanks,
>> Al Q
>> FIU
>- -- 
>- -------------------------------
>Josh Thompson
>VCL Developer
>North Carolina State University
>
>my GPG/PGP key can be found at pgp.mit.edu
>
>All electronic mail messages in connection with State business which
>are sent to or received by this account are subject to the NC Public
>Records Law and may be disclosed to third parties.
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v2.0.17 (GNU/Linux)
>
>iEYEARECAAYFAlAZk3AACgkQV/LQcNdtPQMoMACeL/QBd0AaMS8la8cq059ClQ5E
>9O4AnRZDmCclzYfzJNPY7kUJVBxAkaHJ
>=XIE6
>-----END PGP SIGNATURE-----
>

Re: Shibboleth user group creation and managment

Posted by Josh Thompson <jo...@ncsu.edu>.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Al,

There were not many changes to the code related to Shibboleth. It sounds like 
Shibboleth may not be passing the correct affiliation information for the 
student user to the VCL web code.  You can create a file in vcl/shibauth named 
shibdata.php with the following in it to see what is getting passed to the VCL 
code by Shibboleth:

<?php
print "<pre>";
print_r($_SERVER);
print "</pre>";
}
?>

Then, open https://your.vcl.site/vcl/shibauth/shibdata.php with the 
problematic user logged in to see if anything is set for [affiliation].  If 
you do not, or the field is just an empty string, then VCL is not getting the 
data from Shibboleth.

Josh

On Wednesday, August 01, 2012 5:06:34 PM Evelio Quiros wrote:
> Hello All,
> 
> We just upgraded our 2.2.1 installation to 2.3.
> 
> Before update, students were able to login and be put into a
> "shib-student" group.
> VCL would have created the group on first login.
> But after the upgrade, students can still login, but the VCL did not
> create the shib-student group.
> 
> I added the group manually to the database as a federated group, but
> student logins are not being put into it.
> 
> Staff can login using Shibboleth, and they are put into the shib-staff
> group ok.
> 
> Did something change in the way VCL handles Shibboleth with the new
> version ?
> Did I forget to copy over a config from the old site ?
> 
> Thanks,
> Al Q
> FIU
- -- 
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found at pgp.mit.edu

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)

iEYEARECAAYFAlAZk3AACgkQV/LQcNdtPQMoMACeL/QBd0AaMS8la8cq059ClQ5E
9O4AnRZDmCclzYfzJNPY7kUJVBxAkaHJ
=XIE6
-----END PGP SIGNATURE-----

FW: Shibboleth user group creation and managment

Posted by Evelio Quiros <ev...@fiu.edu>.

>Hello All,
>
>We just upgraded our 2.2.1 installation to 2.3.
>
>Before update, students were able to login and be put into a
>"shib-student" group.
>VCL would have created the group on first login.
>But after the upgrade, students can still login, but the VCL did not
>create the shib-student group.
>
>I added the group manually to the database as a federated group, but
>student logins are not being put into it.
>
>Staff can login using Shibboleth, and they are put into the shib-staff
>group ok.
>
>Did something change in the way VCL handles Shibboleth with the new
>version ?
>Did I forget to copy over a config from the old site ?
>
>Thanks,
>Al Q
>FIU
>