I enabled debug logging for Shibboleth and I see the required attributes coming
through from my identity provider correctly, as per
/var/log/shibboleth/shibd.log. I think that the issue is with my setup of the
Shibboleth authentication for the directories. In the instructions for
Shibboleth auth, it says:
The first step is to configure Apache by protecting the /shibauth directory on
your webserver. If the VCL is installed in the webserver root, the
configuration will look like this:
<Location /shibauth>
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
</Location>
Where should this be going in a default VCL installation on CentOS 7?
Just for the heck of it, I checked the VCL database affiliations table and
there are only 3:
1: Local
2: Global
3: LDAP
Not sure if this is correct. But in the conf.php file the Shibboleth
configuration is set to affiliation ID 0.
Thanks.
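As an added example for the "where does this go" question above (this is not from the VCL documentation, from the Shibboleth project, or from anyone in this thread), below is what /etc/httpd/conf.d/shib.conf would look like on CentOS 7 once the VCL block is dropped in. It assumes the Shibboleth SP RPM from the Shibboleth repository, which installs shib.conf and the module at the paths shown, and a VCL install in the web server root (so the protected path is /shibauth; for an install under /vcl it would be /vcl/shibauth). The /shibauth/test.php section at the end is my own addition for debugging, not something the VCL docs call for.

```apache
# Example /etc/httpd/conf.d/shib.conf for a VCL web server on CentOS 7.
# Added example; assumes the Shibboleth SP RPM, whose packaged shib.conf
# already carries the LoadModule line and the /Shibboleth.sso block.
LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so

# The SP's own endpoints: metadata, the SAML assertion consumers the IdP
# (ADFS here) posts back to, and the Session status handler. These must
# NOT be protected by Shibboleth, or the login redirect never completes.
<Location /Shibboleth.sso>
    AuthType None
    Require all granted
</Location>

# VCL's Shibboleth login directory. Everything under it needs a valid SP
# session; mod_shib redirects to the IdP when there is none.
<Location /shibauth>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    # Keep attributes in environment variables (the default) rather than
    # request headers. ShibUseHeaders On makes them readable as headers
    # that a client could try to spoof, so leave it off unless the
    # application really cannot read environment variables.
    ShibUseHeaders Off
    Require valid-user
</Location>

# Debug aid (assumption, not part of VCL): a lazy-session test page that
# is served whether or not a session exists. With a session, attributes
# show up in $_SERVER; without one, the page still renders instead of the
# Apache 401 "Unauthorized" response, which makes it easier to tell a
# missing session apart from a missing attribute.
<Location /shibauth/test.php>
    AuthType shibboleth
    ShibRequestSetting requireSession 0
    Require shibboleth
</Location>
```

After saving, run `apachectl configtest` and then `systemctl restart shibd httpd`. To confirm what the IdP sent without any PHP at all, log in once and open https://<your-host>/Shibboleth.sso/Session: it lists the session and the attribute names the SP mapped; the values are shown only if the Sessions element in /etc/shibboleth/shibboleth2.xml carries showAttributeValues="true" (turn it back off afterwards). Attributes reach PHP as $_SERVER entries named by the `id` given in /etc/shibboleth/attribute-map.xml, so an attribute the IdP releases but that has no mapping there will appear in shibd.log yet never reach VCL.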
-----Original Message-----
From: MARTINEZ, ARIEL
Sent: Monday, August 24, 2020 11:53 AM
To: '[email protected]' <[email protected]>
Subject: RE: [EXTERNAL] Re: ADFS SSO Authentication
I was able to set up a Shibboleth service provider and on the VCL login page
after selecting my identity provider, I am able to log in there but when it
comes back, I get the error:
Unauthorized
"This server could not verify that you are authorized to access the document
requested. Either you supplied the wrong credentials (e.g., bad password), or
your browser doesn't understand how to supply the credentials required."
The URL says it was redirected to \shibauth. I tried the instructions in the
documentation to set up the test.php page to see if the attributes are being
passed but that is not working. Is there any other way to determine if the
information from the identity provider is being sent properly to VCL?
Thanks,
-----Original Message-----
From: MARTINEZ, ARIEL
Sent: Tuesday, August 18, 2020 2:08 PM
To: [email protected]
Subject: RE: [EXTERNAL] Re: ADFS SSO Authentication
Hi Josh,
I did some more research and I think that in order to get SSO through ADFS,
Shibboleth needs to be set up first since Apache cannot natively authenticate
against ADFS. I found a step by step article that seems to be the answer:
http://www.jbmurphy.com/2016/08/31/using-adfs-for-authenticating-apache-hosted-sites-2/
Once that is up, I intend to configure as per
https://vcl.apache.org/docs/shibauth.html and see what happens.
Thanks,
-----Original Message-----
From: Josh Thompson <[email protected]>
Sent: Tuesday, August 18, 2020 1:12 PM
To: [email protected]
Subject: Re: [EXTERNAL] Re: ADFS SSO Authentication
Hi Ariel,
VCL doesn't really directly interact with Shibboleth. Apache httpd is
configured to work with Apache, and VCL looks for certain variables set in PHP
by httpd when a user is authenticated with Shibboleth. So, you'll probably
need to work with your httpd configuration to have it interact with ADFS
correctly. I won't be much help there as other staff members have primarily
taken care of that part with our installation.
Josh
On Monday, August 17, 2020 3:00:37 PM EDT MARTINEZ, ARIEL wrote:
> Hi Josh,
>
> Do you know if the VCL Shibboleth configuration generates a metadata
> file? I think that to set up SSO with ADFS, our ADFS will need to send
> the attributes to Shibboleth since that is what VCL will be expecting
> for authentication.
>
> Thanks,
>
> -----Original Message-----
> From: Josh Thompson <[email protected]>
> Sent: Monday, August 17, 2020 1:22 PM
> To: [email protected]
> Subject: [EXTERNAL] Re: ADFS SSO Authentication
>
--
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University
my GPG/PGP key can be found on pool.sks-keyservers.net