Hi Ariel,

I'm always a little fuzzy on Shibboleth stuff but this is the best I can 
remember.

I think at some point since that documentation page was written, the /shibauth 
directory became unnecessary.  Now, you need to create .htaccess in the main 
vcl directory (where index.php and .ht-inc are) with the following content:

AuthType shibboleth
ShibRequireSession Off
require shibboleth

This will cause httpd to pass Shibboleth data to VCL if the user is 
authenticated to Shibboleth but not require them to be.  If they are not 
authenticated, they should be given the screen for selecting the 
authentication method to use.

In .ht-inc/conf.php, you'll need to create an entry in $authMechs for logging 
in with Shibboleth and craft a URL that will direct the user to an IdP with 
the right information for being sent back after logging in.  For example, we 
have the following entry:

   "NCSU Login" => array("type" => "redirect",
                        "URL" => "https://vcl.ncsu.edu/Shibboleth.sso/Login?target=https://vcl.ncsu.edu/scheduling/&entityID=https://shib.ncsu.edu/idp/shibboleth",
                        "affiliationid" => 0,
                        "help" => "Use NCSU Login if you are an NCSU user")

VCL then determines the affiliation of the user by matching the part of their 
eppn after the @ to affiliation.shibname in the database.

You'll probably want to change the name for affiliation #3 to something other 
than LDAP.  The affiliation isn't how users are authenticated but who they are 
associated with.  A single installation of VCL can service multiple 
institutions.  We work with a number of other universities.  Each university 
has its own affiliation.  However, some of them are part of the same 
Shibboleth federation.  So, they use the same authentication method.

Josh
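As an added illustration (not VCL's own PHP code and not part of Josh's reply), a Python model of the two pieces described above: building the Shibboleth.sso/Login redirect URL from a $authMechs-style entry with its target and entityID parameters properly encoded, and resolving a scoped eppn to an affiliation id by matching the scope after the @ against affiliation.shibname. The affiliation rows are constructed sample data; the "NCSU" and "Example U" rows and their shibname values are assumptions.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed stand-in for the VCL affiliation table (id, name, shibname).
# Local and Global carry no shibname, so no eppn scope can ever match them.
AFFILIATIONS = [
    {"id": 1, "name": "Local", "shibname": None},
    {"id": 2, "name": "Global", "shibname": None},
    {"id": 3, "name": "NCSU", "shibname": "ncsu.edu"},          # assumed (renamed from LDAP)
    {"id": 4, "name": "Example U", "shibname": "example.edu"},  # constructed second institution
]


def shib_login_url(sp_base, target, entity_id):
    """Build the Shibboleth.sso/Login URL for a redirect-type $authMechs entry.

    Both parameters are URL-encoded so the ':' '/' and '&' inside the target
    and entityID values cannot be misread as query-string structure."""
    query = urlencode({"target": target, "entityID": entity_id})
    return f"{sp_base.rstrip('/')}/Shibboleth.sso/Login?{query}"


def login_url_params(url):
    """Decode the query of a Login URL back into a dict (to check the encoding)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def affiliation_for_eppn(eppn, affiliations=AFFILIATIONS):
    """Map a scoped eppn (user@scope) to an affiliation id via shibname.

    Returns None when the eppn is malformed or its scope matches no row;
    the caller should treat None as a failed login rather than fall back
    to a default affiliation such as Local or Global."""
    if eppn.count("@") != 1:
        return None
    _, scope = eppn.split("@")
    scope = scope.strip().lower()
    if not scope:
        return None
    for row in affiliations:
        shibname = row["shibname"]
        if shibname and shibname.lower() == scope:
            return row["id"]
    return None
```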

On Tuesday, August 25, 2020 1:33:18 PM EDT MARTINEZ, ARIEL wrote:
> I enabled debug logging for shibboleth and I see the required attributes
> coming through from my identity provider correctly, as per
> /var/log/shibboleth/shibd.log. I think that the issue is with my setup of
> the shibboleth authentication for the directories. In the instructions for
> Shibboleth auth, it says:
> 
> The first step is to configure Apache by protecting the /shibauth directory
> on your webserver. If the VCL is installed in the webserver root, the
> configuration will look like this:
> 
> <Location /shibauth>
>     AuthType shibboleth
>     ShibRequestSetting requireSession 1
>     require valid-user
> </Location>
> 
> Where should this be going in a default VCL installation on CentOS 7?
> 
> 
> Just for the heck of it, I checked the VCL database affiliations table and
> there are only 3:
> 
> 1: Local
> 2: Global
> 3: LDAP
> 
> Not sure if this is correct. But in the conf.php file the Shibboleth
> configuration is set to affiliation ID 0.
> 
> Thanks.
> 
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Monday, August 24, 2020 11:53 AM
> To: '[email protected]' <[email protected]>
> Subject: RE: [EXTERNAL] Re: ADFS SSO Authentication
> 
> I was able to set up a Shibboleth service provider and on the VCL login page
> after selecting my identity provider, I am able to log in there but when it
> comes back, I get the error:
> 
>  Unauthorized
> "This server could not verify that you are authorized to access the document
> requested. Either you supplied the wrong credentials (e.g., bad password),
> or your browser doesn't understand how to supply the credentials required."
> 
> The URL says it was redirected to \shibauth. I tried the instructions in the
> documentation to set up the test.php page to see if the attributes are
> being passed but that is not working. Is there any other way to determine
> if the information from the identity provider is being sent properly to
> VCL?
> 
> Thanks,
> 
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Tuesday, August 18, 2020 2:08 PM
> To: [email protected]
> Subject: RE: [EXTERNAL] Re: ADFS SSO Authentication
> 
> Hi Josh,
> 
> I did some more research and I think that in order to get SSO through ADFS,
> Shibboleth needs to be set up first since Apache cannot natively
> authenticate against ADFS. I found a step by step article that seems to be
> the answer:
> http://www.jbmurphy.com/2016/08/31/using-adfs-for-authenticating-apache-hosted-sites-2/
> Once that is up, I intend to configure as per
> https://vcl.apache.org/docs/shibauth.html and see what happens.
> 
> Thanks,
> 
> 
> -----Original Message-----
> From: Josh Thompson <[email protected]>
> Sent: Tuesday, August 18, 2020 1:12 PM
> To: [email protected]
> Subject: Re: [EXTERNAL] Re: ADFS SSO Authentication

-- 
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found on pool.sks-keyservers.net
