I was able to set up a Shibboleth service provider and on the VCL login page after selecting my identity provider, I am able to log in there but when it comes back, I get the error:

Unauthorized "This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required."

The URL says it was redirected to \shibauth.

I tried the instructions in the documentation to set up the test.php page to see if the attributes are being passed but that is not working. Is there any other way to determine if the information from the identity provider is being sent properly to VCL?

Thanks,

-----Original Message-----
From: MARTINEZ, ARIEL
Sent: Tuesday, August 18, 2020 2:08 PM
To: [email protected]
Subject: RE: [EXTERNAL] Re: ADFS SSO Authentication

Hi Josh,

I did some more research and I think that in order to get SSO through ADFS, Shibboleth needs to be set up first since Apache cannot natively authenticate against ADFS. I found a step by step article that seems to be the answer: http://www.jbmurphy.com/2016/08/31/using-adfs-for-authenticating-apache-hosted-sites-2/

Once that is up, I intend to configure as per https://vcl.apache.org/docs/shibauth.html and see what happens.

Thanks,

-----Original Message-----
From: Josh Thompson <[email protected]>
Sent: Tuesday, August 18, 2020 1:12 PM
To: [email protected]
Subject: Re: [EXTERNAL] Re: ADFS SSO Authentication

Hi Ariel,

VCL doesn't really directly interact with Shibboleth. Apache httpd is configured to work with Apache, and VCL looks for certain variables set in PHP by httpd when a user is authenticated with Shibboleth. So, you'll probably need to work with your httpd configuration to have it interact with ADFS correctly. I won't be much help there as other staff members have primarily taken care of that part with our installation.

Josh

On Monday, August 17, 2020 3:00:37 PM EDT MARTINEZ, ARIEL wrote:
> Hi Josh,
>
> Do you know if the VCL Shibboleth configuration generates a metadata
> file? I think that to set up SSO with ADFS, our ADFS will need to send
> the attributes to Shibboleth since that is what VCL will be expecting
> for authentication.
>
> Thanks,
>
> -----Original Message-----
> From: Josh Thompson <[email protected]>
> Sent: Monday, August 17, 2020 1:22 PM
> To: [email protected]
> Subject: [EXTERNAL] Re: ADFS SSO Authentication

--
Josh Thompson
VCL Developer
North Carolina State University
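One way to see which Shibboleth variables httpd actually hands to PHP, the mechanism Josh's reply describes. This is an added example, not code from VCL or from anyone in this thread; the attribute names in `EXPECTED`, the function names and the sample values are assumptions to adapt to the local attribute mapping.

```php
<?php
// Added diagnostic example, not part of VCL or its documentation.
// Put it under a location that httpd protects with Shibboleth, load it
// after logging in, and delete it once testing is finished.

// Attribute ids come from the SP's attribute-map.xml; this list is an
// assumption and must be edited to match the local mapping.
const EXPECTED = ['eppn', 'mail', 'givenName', 'sn'];

// Constructed sample, used only when the script is run from the command line.
const SAMPLE = [
    'REDIRECT_Shib-Session-ID' => '_constructed_session',
    'Shib-Identity-Provider'   => 'https://adfs.example.org/adfs/services/trust',
    'HTTP_EPPN'                => 'user@example.org',
];

// Fold the forms one variable can take: REDIRECT_ prefixes from internal
// redirects, the HTTP_ prefix when attributes arrive as request headers,
// and '-' versus '_' with differing case.
function shib_key(string $name): string
{
    $name = preg_replace('/^(?:REDIRECT_)+/i', '', $name);
    $name = preg_replace('/^HTTP_/i', '', $name);
    return strtolower(str_replace('_', '-', $name));
}

// Return [label => "NAME = value" or "MISSING"] for the session id, the
// identity provider and each expected attribute; NAME is the form seen.
function shib_report(array $server, array $expected): array
{
    $found = [];
    foreach ($server as $name => $value) {
        if (is_string($value) && $value !== '') {
            $found[shib_key((string) $name)] = "$name = $value";
        }
    }
    $report = [];
    $wanted = array_merge(['Shib-Session-ID', 'Shib-Identity-Provider'], $expected);
    foreach ($wanted as $want) {
        $report[$want] = $found[shib_key($want)] ?? 'MISSING';
    }
    return $report;
}

$server = PHP_SAPI === 'cli' ? SAMPLE : $_SERVER;
header('Content-Type: text/plain; charset=utf-8');
header('X-Content-Type-Options: nosniff');
foreach (shib_report($server, EXPECTED) as $label => $line) {
    echo str_pad($label, 24), $line, "\n";
}
```

If `Shib-Session-ID` is reported as MISSING, no Shibboleth session reached PHP for that path; if it is present but the attributes are missing, the session exists and the attribute release or mapping is the place to look.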
