I have been looking further into the shibauth.php file to see what is supposed to happen when a shibboleth login happens. For starters, it creates an affiliation in the affiliation table if it does not find one from the attributes received from the identity provider. However it doesn't seem to be executing that code. It at the very least should have generated an error message when trying to automatically create an affiliation if it failed.

Is there any way to troubleshoot shibauth.php to see what is happening? Or is this particular function logged somewhere in particular?

Thanks.

-----Original Message-----
From: MARTINEZ, ARIEL
Sent: Sunday, August 30, 2020 1:11 PM
To: '[email protected]' <[email protected]>
Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

I don't know what else to really try because as far as Shibboleth is concerned, it appears to be working. So I went to the /Shibboleth.sso/Session URL after logging in and the following is displayed; I replaced some values that should not be public:

Miscellaneous
Session Expiration (barring inactivity): 478 minute(s)
Client Address: (xx.xx.xx.xxx)
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: (idp entity ID)
Authentication Time: 2020-08-30T16:54:23.787Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)

Attributes
affiliation: [email protected]
eppn: [email protected];[email protected]
upn: [email protected]

Unless eppn should not have two values, as far as I can tell, the proper values required by VCL are present.

In the VCL database affiliation table, I have populated an existing VCL Affiliation that is configured to use LDAP with the domain.com value under shibname. I also tried creating a new affiliation setting shibonly to 1. I still get the same behavior where, after selecting the Shibboleth authentication method and signing in at my idp, it gets redirected back to the /vcl directory to choose an authentication method.

-----Original Message-----
From: MARTINEZ, ARIEL
Sent: Thursday, August 27, 2020 3:00 PM
To: '[email protected]' <[email protected]>
Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

After login nothing is happening still.

So I moved the test.php file from the old Shibboleth instructions to my main VCL directory and set the conf.php file to redirect to this file after login, and the attributes are all undefined. Is this sufficient to say with a high level of certainty that my IDP is not sending VCL what it is expecting? Or is the test.php not meant to work that way?

Thanks

-----Original Message-----
From: MARTINEZ, ARIEL
Sent: Wednesday, August 26, 2020 11:14 AM
To: [email protected]
Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Hi Josh,

Last question before I try again: there is no shibboleth affiliation in my VCL database. So should I be creating a new affiliation for shibboleth and populating the shibname field, or should I use the existing LDAP configured affiliation and populate its shibname field?

Thanks

-----Original Message-----
From: Josh Thompson <[email protected]>
Sent: Wednesday, August 26, 2020 11:04 AM
To: [email protected]
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Hi Ariel,

Responses inline.

On Wednesday, August 26, 2020 7:57:08 AM EDT MARTINEZ, ARIEL wrote:
> Hi Josh,
>
> Thanks for this. I made the changes and there is no more unauthorized
> error message on the page. But after logging into the identity
> provider, when it gets redirected back to the main VCL directory, it
> did not log in. Selecting the shibboleth affiliation just keeps
> redirecting back to that login selection page.
>
> But I think I am very close now to getting it to work.
>
> So from the eppn attribute, it will use whatever is after the @ to
> find a matching affiliation in VCL and it should log the user into that?
>
> I looked in the VCL database for the affiliation table and no
> affiliation has the shibname defined.
>
> Should I manually enter whatever is after the @ from eppn into the
> shibname field value?

Yes, you'll need to manually update that field in the database. Sorry, I didn't think to mention that before.

> When I set up the LDAP login for that affiliation, it is using the
> samaccountname from LDAP, whatever is to the left of the @. I think I
> may also need to change this to use the LDAP user principal name which
> will have the full user@domain format which should match eppn.

LDAP authentication works differently. You'll want to leave it using samaccountname. I don't think it will work correctly using the full user@domain format for LDAP.

Josh

> Thanks.
>
> On Aug 25, 2020 6:13 PM, Josh Thompson <[email protected]> wrote:

--
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University
my GPG/PGP key can be found on pool.sks-keyservers.net

All electronic mail messages in connection with State business which are sent to or received by this account are subject to the NC Public Records Law and may be disclosed to third parties.
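A constructed Python model of the lookup the thread describes (the scope after the @ in eppn matched against affiliation.shibname), added here as an illustration; it is not VCL's shibauth.php code, and the table rows, attribute values and diagnostic strings are made up. It handles the semicolon-joined multi-valued eppn seen on the /Shibboleth.sso/Session page and reports why no affiliation matched when shibname is left empty.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed rows modelled on the VCL affiliation columns named in the
# thread (name, shibname, shibonly); this is not VCL's actual schema.
@dataclass
class Affiliation:
    name: str
    shibname: Optional[str] = None
    shibonly: int = 0


def parse_multi_valued(attr: Optional[str]) -> List[str]:
    """Split a Shibboleth SP attribute string on ';' (the separator the
    Session page in the thread shows for a two-valued eppn)."""
    if not attr:
        return []
    return [v.strip() for v in attr.split(";") if v.strip()]


def scope_of(eppn: str) -> Optional[str]:
    """Return the part after '@' of one eppn value, lower-cased."""
    _user, sep, scope = eppn.partition("@")
    return scope.lower() if sep and scope else None


def find_affiliation(eppn_attr: Optional[str],
                     affiliations: List[Affiliation]
                     ) -> Tuple[Optional[Affiliation], str]:
    """Return (matching affiliation or None, diagnostic text).

    A match requires an affiliation whose shibname equals the eppn scope;
    rows with an empty shibname (Ariel's initial database state) never match.
    """
    values = parse_multi_valued(eppn_attr)
    if not values:
        return None, "eppn attribute missing or empty"
    scopes = [s for s in (scope_of(v) for v in values) if s]
    if not scopes:
        return None, "eppn carries no @scope"
    by_shibname = {a.shibname.lower(): a for a in affiliations if a.shibname}
    for s in scopes:
        if s in by_shibname:
            return by_shibname[s], "matched shibname " + s
    unset = [a.name for a in affiliations if not a.shibname]
    return None, ("no affiliation has shibname in " + repr(scopes)
                  + "; rows with empty shibname: " + repr(unset))
```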
