Posted to user@vcl.apache.org by Yannick Charbonneau <yc...@uottawa.ca> on 2011/10/11 21:35:06 UTC
VCL Shibboleth
Hi All,
We have a testing vcl implementation up, we are currently trying to get it to authenticate using our shibboleth idp (simple, single idp).
I'm at the point now where I can pick Shibboleth, get redirected to our idp, but once I log in, I get redirected to the home of vcl as opposed to /vcl/shibbauth.
I manage to get to the right place if I play around with the actionurl, but then I always get;
You have attempted to log in to VCL using a Shibboleth
Identity Provider that VCL has not been configured to
work with. VCL administrators have been notified of the
problem.
What should I put in the URL field, I tried (without success);
https://myvcl.site.com/Shibboleth.sso/Login (this one gets me back to the vcl home after successful logins, but NOT authenticated)
https://my.idp.site/idp/Login.jsp This one gives me the error above
Thank you,
Sorry if this is NOT the right place.
Regards
Yanik
Re: VCL Shibboleth
Posted by Aaron Coburn <ac...@amherst.edu>.
You may also want to check the attribute-map.xml configuration on your SP.
eppn should be mapped in the default configuration, but some of the others (displayName, etc) may not be.
Aaron
On Oct 11, 2011, at 3:58 PM, James O'Dell wrote:
> To check your IdP's release policy
> run aacli.sh on the IdP to see what attributes
> your IdP is releasing. Then adjust attribute-filter.xml
> if you need to
>
> __Jim
>
> --
> Jim O'Dell
> Network Analyst
> California State University Fullerton
> Email: jodell@fullerton.edu
> Phone: (657) 278-2256
Re: VCL Shibboleth
Posted by James O'Dell <jo...@fullerton.edu>.
To check your IdP's release policy
run aacli.sh on the IdP to see what attributes
your IdP is releasing. Then adjust attribute-filter.xml
if you need to
__Jim
On 10/11/2011 12:53 PM, Yannick Charbonneau wrote:
> Thanks for the quick reply
>
> Figured the target right after I sent the email, I'll add entityID.
>
> I also think my idp is NOT returning all required values eppn,...,...,...
>
> Thanks again.
>
> Yanik
--
Jim O'Dell
Network Analyst
California State University Fullerton
Email: jodell@fullerton.edu
Phone: (657) 278-2256
RE: VCL Shibboleth
Posted by Yannick Charbonneau <yc...@uottawa.ca>.
Thanks for the quick reply
Figured the target right after I sent the email, I'll add entityID.
I also think my idp is NOT returning all required values eppn,...,...,...
Thanks again.
Yanik
Re: VCL Shibboleth
Posted by Aaron Coburn <ac...@amherst.edu>.
Hello, Yanik,
It seems that you are forgetting the "target" attribute in the URL.
Your configuration in conf.php should look something like this:
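$authMechs = array(
    // One entry per affiliation; "redirect" hands the login off to the Shibboleth SP.
    "Affiliation 1" => array("type" => "redirect",
                             // target = where the SP returns the browser after login
                             "URL" => "/Shibboleth.sso/Login?target=/shibauth&entityID={entityID for the IdP}",
                             "affiliationid" => 0),
    ...
);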
It is also helpful to use the entityID attribute (depending on your SP configuration), especially if there are multiple IdPs involved. That value may look something like this: entityID=https%3A%2F%2Fmyidp.site.com%2Fidp%2Fshibboleth
Best regards,
Aaron
--
Aaron Coburn
Systems Administrator and Programmer
Academic Technology Services, Amherst College
(413) 542-5451 acoburn@amherst.edu
On Oct 11, 2011, at 3:35 PM, Yannick Charbonneau wrote:
> Hi All,
>
> We have a testing vcl implementation up, we are currently trying to get it to authenticate using our shibboleth idp (simple, single idp).
>
> I’m at the point now where I can pick Shibboleth, get redirected to our idp, but once I log in, I get redirected to the home of vcl as opposed to /vcl/shibbauth.
>
> I manage to get to the right place if I play around with the actionurl, but then I always get;
>
> You have attempted to log in to VCL using a Shibboleth
> Identity Provider that VCL has not been configured to
> work with. VCL administrators have been notified of the
> problem.
>
> What should I put in the URL field, I tried (without success);
>
> https://myvcl.site.com/Shibboleth.sso/Login (this one gets me back to the vcl home after successful logins, but NOT authenticated)
> https://my.idp.site/idp/Login.jsp This one gives me the error above
>
> Thank you,
>
> Sorry if this is NOT the right place.
>
> Regards
>
> Yanik
>
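The Login URL discussed in this thread, built programmatically. This is an added example, not code from VCL or from the posters: build_shib_login_url() is a hypothetical helper, and the IdP entityID is the placeholder value from Aaron's message. It percent-encodes both parameters and accepts only a site-local path as target, so the login link cannot be repointed at another host.

```php
<?php
// Added example, not VCL code. build_shib_login_url() is a hypothetical helper;
// the entityID below is the placeholder value quoted in the thread.

/**
 * Build the SP session-initiator URL for a "redirect" auth mechanism.
 * $target   path the SP sends the browser to after a successful login
 * $entityId entityID of the IdP that should handle the login
 */
function build_shib_login_url(string $target, string $entityId): string
{
    // Only a local absolute path is accepted: no scheme, no "//host",
    // no backslashes that some browsers treat as "/".
    if ($target === '' || $target[0] !== '/'
        || strpos($target, '//') === 0
        || strpos($target, '\\') !== false) {
        throw new InvalidArgumentException("target must be a local path: $target");
    }
    if ($entityId === '') {
        throw new InvalidArgumentException('entityID must not be empty');
    }
    // RFC 3986 encoding turns ":" and "/" in the entityID into %3A and %2F,
    // which is the form shown in the thread.
    return '/Shibboleth.sso/Login?' . http_build_query(
        array('target' => $target, 'entityID' => $entityId),
        '',
        '&',
        PHP_QUERY_RFC3986
    );
}

$authMechs = array(
    "Affiliation 1" => array(
        "type"          => "redirect",
        "URL"           => build_shib_login_url('/shibauth',
                               'https://myidp.site.com/idp/shibboleth'),
        "affiliationid" => 0,
    ),
);

// Print the resulting URL so it can be compared with the SP configuration.
echo $authMechs["Affiliation 1"]["URL"], "\n";
```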