Hi Josh,

Thanks for this. I made the changes and there is no more unauthorized error 
message on the page. But after logging into the identity provider, when it gets 
redirected back to the main VCL directory, it did not log in. Selecting the 
Shibboleth affiliation just keeps redirecting back to that login selection page.

But I think I am very close now to getting it to work.

So from the eppn attribute, it will use whatever is after the @ to find a 
matching affiliation in VCL and it should log the user into that?

I looked in the VCL database for the affiliation table and no affiliation has 
the shibname defined.

Should I manually enter whatever is after the @ from eppn into the shibname 
field value?

When I set up the LDAP login for that affiliation, it is using the 
samaccountname from LDAP, whatever is to the left of the @. I think I may also 
need to change this to use the LDAP user principal name which will have the 
full user@domain format which should match eppn.

Thanks.

On Aug 25, 2020 6:13 PM, Josh Thompson <[email protected]> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ariel,

I'm always a little fuzzy on Shibboleth stuff but this is the best I can
remember.

I think at some point since that documentation page was written, the /shibauth
directory became unnecessary.  Now, you need to create .htaccess in the main
vcl directory (where index.php and .ht-inc are) with the following content:

AuthType shibboleth
ShibRequireSession Off
require shibboleth

This will cause httpd to pass Shibboleth data to VCL if the user is
authenticated to Shibboleth but not require them to be.  If they are not
authenticated, they should be given the screen for selecting the
authentication method to use.

In .ht-inc/conf.php, you'll need to create an entry in $authMechs for logging
in with Shibboleth and craft a URL that will direct the user to an IdP with
the right information for being sent back after logging in.  For example, we
have the following entry:

   "NCSU Login" => array("type" => "redirect",
                         "URL" => "https://vcl.ncsu.edu/Shibboleth.sso/Login?target=https://vcl.ncsu.edu/scheduling/&entityID=https://shib.ncsu.edu/idp/shibboleth",
                         "affiliationid" => 0,
                         "help" => "Use NCSU Login if you are an NCSU user")

VCL then determines the affiliation of the user by matching the part of their
eppn after the @ to affiliation.shibname in the database.

You'll probably want to change the name for affiliation #3 to something other
than LDAP.  The affiliation isn't how users are authenticated but who they are
associated with.  A single installation of VCL can service multiple
institutions.  We work with a number of other universities.  Each university
has its own affiliation.  However, some of them are part of the same
Shibboleth federation.  So, they use the same authentication method.

Josh

On Tuesday, August 25, 2020 1:33:18 PM EDT MARTINEZ, ARIEL wrote:
> I enabled debug logging for shibboleth and I see the required attributes
> coming through from my identity provider correctly, as per
> /var/log/shibboleth/shibd.log. I think that the issue is with my setup of
> the shibboleth authentication for the directories. In the instructions for
> Shibboleth auth, it says:
>
> The first step is to configure Apache by protecting the /shibauth directory
> on your webserver. If the VCL is installed in the webserver root, the
> configuration will look like this:
>
> <Location /shibauth>
>     AuthType shibboleth
>     ShibRequestSetting requireSession 1
>     require valid-user
> </Location>
>
> Where should this be going in a default VCL installation on CentOS 7?
>
>
> Just for the heck of it, I checked the VCL database affiliations table and
> there are only 3:
>
> 1: Local
> 2: Global
> 3: LDAP
>
> Not sure if this is correct. But in the conf.php file the Shibboleth
> configuration is set to affiliation ID 0.
>
> Thanks.
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Monday, August 24, 2020 11:53 AM
> To: '[email protected]' <[email protected]>
> Subject: RE: [EXTERNAL] Re: ADFS SSO Authentication
>
> I was able to set up a Shibboleth service provider and on the VCL login page
> after selecting my identity provider, I am able to log in there but when it
> comes back, I get the error:
>
>  Unauthorized
> "This server could not verify that you are authorized to access the document
> requested. Either you supplied the wrong credentials (e.g., bad password),
> or your browser doesn't understand how to supply the credentials required."
>
> The URL says it was redirected to \shibauth. I tried the instructions in the
> documentation to set up the test.php page to see if the attributes are
> being passed but that is not working. Is there any other way to determine
> if the information from the identity provider is being sent properly to
> VCL?
>
> Thanks,
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Tuesday, August 18, 2020 2:08 PM
> To: [email protected]
> Subject: RE: [EXTERNAL] Re: ADFS SSO Authentication
>
> Hi Josh,
>
> I did some more research and I think that in order to get SSO through ADFS,
> Shibboleth needs to be set up first since Apache cannot natively
> authenticate against ADFS. I found a step by step article that seems to be
> the answer:
> http://www.jbmurphy.com/2016/08/31/using-adfs-for-authenticating-apache-hosted-sites-2/
> Once that is up, I intend to configure as per
> https://vcl.apache.org/docs/shibauth.html and see what happens.
>
> Thanks,
>
>
> -----Original Message-----
> From: Josh Thompson <[email protected]>
> Sent: Tuesday, August 18, 2020 1:12 PM
> To: [email protected]
> Subject: Re: [EXTERNAL] Re: ADFS SSO Authentication

-- 
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found on pool.sks-keyservers.net

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQRMIdRtWXideTZDK31X8tBw1209AwUCX0WNCQAKCRBX8tBw1209
A8fzAJ9Wnrkw3rNX6EbjT7W/RCYbbQgLtwCfdLwdT6RoLLYVPTMEU7bJyEo+9Do=
=VRhm
-----END PGP SIGNATURE-----
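The matching rule Josh describes (part of eppn after the @ compared against affiliation.shibname), run against the three-row affiliation table Ariel lists, as an added illustration rather than VCL's own code. The table rows, the scope value example.edu, the attribute array and all function names below are constructed for the example; VCL's real lookup lives in .ht-inc and queries the database.

```php
<?php
// Added example, not VCL code: shows why a login can bounce back to the
// method-selection page when no affiliation has shibname populated, and
// what changes once the eppn scope is entered there.

// Constructed snapshot of Ariel's affiliation table. The second variant adds
// a hypothetical shibname of "example.edu" to affiliation 3.
function affiliationTable(bool $withShibname): array {
    return [
        ['id' => 1, 'name' => 'Local',  'shibname' => ''],
        ['id' => 2, 'name' => 'Global', 'shibname' => ''],
        ['id' => 3, 'name' => 'LDAP',   'shibname' => $withShibname ? 'example.edu' : ''],
    ];
}

// Parse a scoped eppn (user@scope). Only exactly one '@' with non-empty
// parts is accepted, so an unexpected value from the IdP cannot match loosely.
function parseEppn(string $eppn): ?array {
    $eppn = trim($eppn);
    if (substr_count($eppn, '@') !== 1) {
        return null;
    }
    [$user, $scope] = explode('@', $eppn, 2);
    if ($user === '' || $scope === '') {
        return null;
    }
    // DNS-style scopes are case-insensitive; normalise before comparing.
    return ['user' => $user, 'scope' => strtolower($scope)];
}

// Exact, case-insensitive comparison against shibname. A suffix or substring
// test would let a scope such as "example.edu.other.net" match "example.edu",
// so neither is used; rows with an empty shibname never match.
function findAffiliation(string $scope, array $table): ?array {
    foreach ($table as $row) {
        if ($row['shibname'] !== '' && strtolower($row['shibname']) === $scope) {
            return $row;
        }
    }
    return null;
}

function resolveLogin(array $attrs, array $table): array {
    $parsed = isset($attrs['eppn']) ? parseEppn($attrs['eppn']) : null;
    if ($parsed === null) {
        return ['ok' => false, 'reason' => 'eppn missing or not a single user@scope value'];
    }
    $aff = findAffiliation($parsed['scope'], $table);
    if ($aff === null) {
        // The state in Ariel's report: attributes arrive from shibd, but no
        // affiliation.shibname equals the eppn scope, so no VCL user can be
        // associated and the selection page is shown again.
        return ['ok' => false, 'reason' => "no affiliation with shibname '{$parsed['scope']}'"];
    }
    return ['ok' => true, 'user' => $parsed['user'],
            'affiliationid' => $aff['id'], 'affiliation' => $aff['name']];
}

// Constructed attributes as httpd would hand them to PHP after the IdP redirect.
$attrs = ['eppn' => 'amartinez@Example.edu', 'mail' => 'amartinez@example.edu'];

print_r(resolveLogin($attrs, affiliationTable(false)));           // shibname column empty
print_r(resolveLogin($attrs, affiliationTable(true)));            // shibname populated on row 3
print_r(resolveLogin(['eppn' => 'x@a@b'], affiliationTable(true))); // malformed eppn
```

Run it with `php example.php`. The first call fails because every shibname is empty, the second succeeds with affiliation 3 once the scope is stored there, and the third is rejected before any lookup. The same exact-match rule is why the value entered in shibname has to be the scope exactly as the IdP releases it in eppn, not a display name or a partial domain.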
