Posted to users@httpd.apache.org by Tommy Peterson <To...@xpandcorp.com> on 2011/06/08 21:43:09 UTC

[users@httpd] FW: What triggers AUTH_TYPE to show up?

From: Tommy Peterson
Sent: Tuesday, June 07, 2011 4:22 PM
To: 'users@httpd.apache.org'
Subject: What triggers AUTH_TYPE to show up?

If I have the following Location directive, the Auth Type shows up in the headers accordingly; it says [AUTH_TYPE] => shibboleth
<Location /drupal>
  AuthType shibboleth
  ShibRequireSession On
  ShibUseHeaders On
  Require shibboleth
</Location>

What triggers the "AUTH_TYPE" header variable to show up?

I have another <Location> directive for another directory. It is locked down with the login prompt as above and the headers show up; the problem is that AUTH_TYPE => shibboleth doesn't show up. It is the only difference. I know it authenticated, as the header also shows the attributes.

So I am confused as to why this one variable (AUTH_TYPE) isn't showing up.

And there is no "AUTH TYPE not set" in the log or anything else referencing the AUTH TYPE.

Any thoughts?

Thanks.

________________________________________________________________________________________________________________________________________________

OK. Attached are my httpd.conf file, a related shibd.conf file that is pulled into the httpd.conf via the conf.d directory that is read in the httpd.conf file, and an .htaccess file that sits in my main application directory (/Drupal).

Basically the application hits index.php every time a page is requested/loaded (i.e. a link clicked). And it grabs the query string "?q=something" and uses mod_rewrite to rewrite the URL (which is a .htaccess file in the same directory as index.php, attached). Somehow (that I have yet to figure out) the page is actually redirected . . . I think. It has been pointed out that rewrite doesn't mean redirect.

Anyway, what I want to happen is that every time HTTPD gets a request for, let's say, http://rt-hvcp1-test.hvcp.local/findwork the user is forced to authenticate as indicated below:
  AuthType shibboleth
  ShibRequireSession On
  ShibUseHeaders On
  Require shibboleth

I put
<LocationMatch "findwork" >
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
Require shibboleth
</LocationMatch>
in the shibd.conf file, as you can see.
Right now, with the <Location> directives in shibd.conf I can get the shibboleth login form to pop up. The user authenticates successfully against a backend database and the web site page requested shows up. The headers show the session has been set. But I see no AUTH_TYPE=>shibboleth set. And the user is not logged in. If they click on another link on the site the session disappears from the headers.

However, if I have
<Location /drupal>
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
Require shibboleth
</Location>

And access http://rt-hvcp1-test.hvcp.local/drupal (which is my main application directory in htdocs ) I get the pop up window, log in, authenticate, and am returned to my destination page logged in. And if I click around the site I am still logged in. The headers show the session as long as I don't close the browser or clear the cache. So locking down the entire site works just fine.

But I do not want to force authentication to get to the site, any of it. I want to force this authentication on sub-sections . . . like the /Drupal/findwork section.

It just won't work with what I have tried so far.

Can someone help me understand how to accomplish this with the httpd.conf, shibd.conf, and the .htaccess files? Or does this involve something else altogether?

Thanks.


This is a header from the <Location /Drupal>

Array ( [OPENSSL_CONF] => ../../conf/openssl.cnf [SSLEAY_CONF] => ../../conf/openssl.cnf [Shib-Application-ID] => default [Shib-Session-ID] => _1c672d35c00b5005f49f6000fb382ada [Shib-Identity-Provider] => https://rt-hvcp1-test.hvcp.local:8443/idp/shibboleth [Shib-Authentication-Instant] => 2011-06-08T19:03:41.443Z [Shib-Authentication-Method] => urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport [Shib-AuthnContext-Class] => urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport [Shib-Session-Index] => bbbbde5abb538fadd5fd1bf06dc72dd56abf099606fdf70a58fb7e67cb41f43a [address] => 12354 Main Street Suite 330 [city] => Sterling [country] => US [cphone] => 4085551212 [fname] => Tommy [lname] => Peterson [mail] => blah@something.com[name] => tommytest [pass] => e06b00d698892623960f9d46efb29533 [transientID] => https://rt-hvcp1-test.hvcp.local:8443/idp/shibboleth!https://rt-hvcp1-test.hvcp.local/moodle!_2c8ae73555b6c97717fcd8d591c49789 [wphone] => 4085551212 [HTTP_HOST] => rt-hvcp1-test.hvcp.local [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 [HTTP_ACCEPT_LANGUAGE] => en-us,en;q=0.5 [HTTP_ACCEPT_ENCODING] => gzip, deflate [HTTP_ACCEPT_CHARSET] => ISO-8859-1,utf-8;q=0.7,*;q=0.7 [HTTP_KEEP_ALIVE] => 115 [HTTP_CONNECTION] => keep-alive [HTTP_REFERER] => http://rt-hvcp1-test.hvcp.local/drupal/findwork [HTTP_COOKIE] => _shibsession_64656661756c7468747470733a2f2f72742d68766370312d746573742e687663702e6c6f63616c2f6d6f6f646c65=_1c672d35c00b5005f49f6000fb382ada; SESS492c5bf24be32ee326896d01b447e0b8=03dstpumo80nb88712b7kaq434; has_js=1 [HTTP_IF_MODIFIED_SINCE] => Wed, 08 Jun 2011 19:03:41 GMT [HTTP_SHIB_SESSION_ID] => _1c672d35c00b5005f49f6000fb382ada [HTTP_SHIB_SESSION_INDEX] => bbbbde5abb538fadd5fd1bf06dc72dd56abf099606fdf70a58fb7e67cb41f43a [HTTP_SHIB_IDENTITY_PROVIDER] => https://rt-hvcp1-test.hvcp.local:8443/idp/shibboleth 
[HTTP_SHIB_AUTHENTICATION_METHOD] => urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport [HTTP_SHIB_AUTHENTICATION_INSTANT] => 2011-06-08T19:03:41.443Z [HTTP_SHIB_AUTHNCONTEXT_CLASS] => urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport [HTTP_SHIB_AUTHNCONTEXT_DECL] => [HTTP_SHIB_ASSERTION_COUNT] => [HTTP_NAME] => tommytest [HTTP_PASS] => e06b00d698892623960f9d46efb29533 [HTTP_FNAME] => Tommy [HTTP_LNAME] => Peterson [HTTP_ADDRESS] => 12354 Main Street Suite 330 [HTTP_CITY] => Sterling [HTTP_COUNTRY] => US [HTTP_DESCRIPTION] => [HTTP_WEBPAGE] => [HTTP_WPHONE] => 4085551212 [HTTP_CPHONE] => 4085551212 [HTTP_MAIL] => blah@something.com[HTTP_LANGUAGE] => [HTTP_UNITID] => [HTTP_TRANSIENTID] => https://rt-hvcp1-test.hvcp.local:8443/idp/shibboleth!https://rt-hvcp1-test.hvcp.local/moodle!_2c8ae73555b6c97717fcd8d591c49789 [HTTP_PERSISTENTID] => [HTTP_SHIB_APPLICATION_ID] => default [HTTP_REMOTE_USER] => [PATH] => /sbin:/bin:/usr/sbin:/usr/bin [SERVER_SIGNATURE] =>
Apache/2.2.15 (Red Hat) Server at rt-hvcp1-test.hvcp.local Port 80
[SERVER_SOFTWARE] => Apache/2.2.15 (Red Hat) [SERVER_NAME] => rt-hvcp1-test.hvcp.local [SERVER_ADDR] => 172.16.1.84 [SERVER_PORT] => 80 [REMOTE_ADDR] => 172.16.1.15 [DOCUMENT_ROOT] => /var/www/html [SERVER_ADMIN] => root@localhost [SCRIPT_FILENAME] => /var/www/html/drupal/index.php [REMOTE_PORT] => 16766 [AUTH_TYPE] => shibboleth [GATEWAY_INTERFACE] => CGI/1.1 [SERVER_PROTOCOL] => HTTP/1.1 [REQUEST_METHOD] => GET [QUERY_STRING] => [REQUEST_URI] => /drupal/ [SCRIPT_NAME] => /drupal/index.php [PHP_SELF] => /drupal/index.php [REQUEST_TIME] => 1307560048 )



This is a header from the <LocationMatch "findwork">

Array ( [REDIRECT_OPENSSL_CONF] => ../../conf/openssl.cnf [REDIRECT_SSLEAY_CONF] => ../../conf/openssl.cnf [REDIRECT_Shib-Application-ID] => default [REDIRECT_Shib-Session-ID] => _6921dbc24eb23746ccb4b06b85705741 [REDIRECT_Shib-Identity-Provider] => https://rt-hvcp1-test.hvcp.local:8443/idp/shibboleth [REDIRECT_Shib-Authentication-Instant] => 2011-06-08T19:14:24.786Z [REDIRECT_Shib-Authentication-Method] => urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport [REDIRECT_Shib-AuthnContext-Class] => urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport [REDIRECT_Shib-Session-Index] => b69390b5d5087a807247c7732efb62b3fe8437b4090040646259e7d5fc9f1ff1 [REDIRECT_address] => 12354 Main Street Suite 330 [REDIRECT_city] => Sterling [REDIRECT_country] => US [REDIRECT_cphone] => 4085551212 [REDIRECT_fname] => Tommy [REDIRECT_lname] => Peterson [REDIRECT_mail] => blah@something.com[REDIRECT_name] => tommytest [REDIRECT_pass] => e06b00d698892623960f9d46efb29533 [REDIRECT_transientID] => https://rt-hvcp1-test.hvcp.local:8443/idp/shibboleth!https://rt-hvcp1-test.hvcp.local/moodle!_2c8ae73555b6c97717fcd8d591c49789 [REDIRECT_wphone] => 4085551212 [REDIRECT_STATUS] => 200 [OPENSSL_CONF] => ../../conf/openssl.cnf [SSLEAY_CONF] => ../../conf/openssl.cnf [HTTP_HOST] => rt-hvcp1-test.hvcp.local [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 [HTTP_ACCEPT_LANGUAGE] => en-us,en;q=0.5 [HTTP_ACCEPT_ENCODING] => gzip, deflate [HTTP_ACCEPT_CHARSET] => ISO-8859-1,utf-8;q=0.7,*;q=0.7 [HTTP_KEEP_ALIVE] => 115 [HTTP_CONNECTION] => keep-alive [HTTP_COOKIE] => SESS492c5bf24be32ee326896d01b447e0b8=d2bg00lug244k3lsfs0vqmdeu5; has_js=1; _shibsession_64656661756c7468747470733a2f2f72742d68766370312d746573742e687663702e6c6f63616c2f6d6f6f646c65=_6921dbc24eb23746ccb4b06b85705741 [HTTP_SHIB_SESSION_ID] => _6921dbc24eb23746ccb4b06b85705741 
[HTTP_SHIB_SESSION_INDEX] => b69390b5d5087a807247c7732efb62b3fe8437b4090040646259e7d5fc9f1ff1 [HTTP_SHIB_IDENTITY_PROVIDER] => https://rt-hvcp1-test.hvcp.local:8443/idp/shibboleth [HTTP_SHIB_AUTHENTICATION_METHOD] => urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport [HTTP_SHIB_AUTHENTICATION_INSTANT] => 2011-06-08T19:14:24.786Z [HTTP_SHIB_AUTHNCONTEXT_CLASS] => urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport [HTTP_SHIB_AUTHNCONTEXT_DECL] => [HTTP_SHIB_ASSERTION_COUNT] => [HTTP_NAME] => tommytest [HTTP_PASS] => e06b00d698892623960f9d46efb29533 [HTTP_FNAME] => Tommy [HTTP_LNAME] => Peterson [HTTP_ADDRESS] => 12354 Main Street Suite 330 [HTTP_CITY] => Sterling [HTTP_COUNTRY] => US [HTTP_DESCRIPTION] => [HTTP_WEBPAGE] => [HTTP_WPHONE] => 4085551212 [HTTP_CPHONE] => 4085551212 [HTTP_MAIL] => blah@blah.com [HTTP_LANGUAGE] => [HTTP_UNITID] => [HTTP_TRANSIENTID] => https://rt-hvcp1-test.hvcp.local:8443/idp/shibboleth!https://rt-hvcp1-test.hvcp.local/moodle!_2c8ae73555b6c97717fcd8d591c49789 [HTTP_PERSISTENTID] => [HTTP_SHIB_APPLICATION_ID] => default [HTTP_REMOTE_USER] => [PATH] => /sbin:/bin:/usr/sbin:/usr/bin [SERVER_SIGNATURE] =>
Apache/2.2.15 (Red Hat) Server at rt-hvcp1-test.hvcp.local Port 80
[SERVER_SOFTWARE] => Apache/2.2.15 (Red Hat) [SERVER_NAME] => rt-hvcp1-test.hvcp.local [SERVER_ADDR] => 172.16.1.84 [SERVER_PORT] => 80 [REMOTE_ADDR] => 172.16.1.15 [DOCUMENT_ROOT] => /var/www/html [SERVER_ADMIN] => root@localhost [SCRIPT_FILENAME] => /var/www/html/drupal/index.php [REMOTE_PORT] => 17010 [REDIRECT_QUERY_STRING] => q=findwork [REDIRECT_URL] => /drupal/findwork [GATEWAY_INTERFACE] => CGI/1.1 [SERVER_PROTOCOL] => HTTP/1.1 [REQUEST_METHOD] => GET [QUERY_STRING] => q=findwork [REQUEST_URI] => /drupal/findwork [SCRIPT_NAME] => /drupal/index.php [PHP_SELF] => /drupal/index.php [REQUEST_TIME] => 1307560464 )

Again the only difference is the missing AUTH_TYPE=>shibboleth, which both directives have.

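Added example (not part of the original post): a Python script that compares two single-line print_r() dumps like the ones above and separates variables that are truly absent from ones Apache re-exported under the REDIRECT_ prefix, which it does after an internal redirect. The two sample dumps are constructed and abbreviated, with placeholder session IDs, and the function names are this example's own.

```python
import re

# One "[key] =>value" entry of single-line print_r() output. The value runs
# up to the next " [key] =>" or the closing " )"; empty values are allowed.
ENTRY = re.compile(r"\[([^\[\]]+)\] =>(.*?)(?= \[[^\[\]]+\] =>| \)\s*$)", re.S)
PREFIX = "REDIRECT_"  # prefix Apache adds to env vars on an internal redirect

def parse_print_r(dump):
    """Return {key: value} for a flat PHP print_r() array dump."""
    return {key: value.strip() for key, value in ENTRY.findall(dump)}

def compare_dumps(direct, rewritten):
    """Classify how the rewritten request's variables differ from the direct one."""
    a, b = parse_print_r(direct), parse_print_r(rewritten)
    absent = [k for k in a if k not in b]
    return {
        # in the direct dump, not in the rewritten one under any name
        "missing": sorted(k for k in absent if PREFIX + k not in b),
        # still there, but only as REDIRECT_<name>
        "renamed": sorted(k for k in absent if PREFIX + k in b),
        # REDIRECT_ variables with no plain counterpart in the direct dump
        "redirect_only": sorted(k for k in b if k.startswith(PREFIX)
                                and k[len(PREFIX):] not in a),
        # REDIRECT_STATUS is set only when the request was internally redirected
        "internal_redirect": PREFIX + "STATUS" in b,
    }

# Constructed samples: a subset of the keys shown in the post, placeholder IDs.
DIRECT = ("Array ( [Shib-Session-ID] => _SESSION_A [HTTP_REMOTE_USER] => "
          "[SCRIPT_FILENAME] => /var/www/html/drupal/index.php "
          "[AUTH_TYPE] => shibboleth [QUERY_STRING] => "
          "[REQUEST_URI] => /drupal/ )")
REWRITTEN = ("Array ( [REDIRECT_Shib-Session-ID] => _SESSION_B "
             "[REDIRECT_STATUS] => 200 [HTTP_REMOTE_USER] => "
             "[SCRIPT_FILENAME] => /var/www/html/drupal/index.php "
             "[REDIRECT_QUERY_STRING] => q=findwork "
             "[REDIRECT_URL] => /drupal/findwork [QUERY_STRING] => q=findwork "
             "[REQUEST_URI] => /drupal/findwork )")

if __name__ == "__main__":
    for name, value in compare_dumps(DIRECT, REWRITTEN).items():
        print(f"{name}: {value}")
```

On the samples, AUTH_TYPE is the only variable reported as missing, while Shib-Session-ID is reported as renamed and REDIRECT_STATUS and REDIRECT_URL mark the request as internally redirected.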