Hi Ariel,

Toward the top of initGlobals in utils.php, there is a small block of code 
that tests conditions for each authentication method if the user is not logged 
in, and if that authentication method's test function returns true, it will 
then call that authentication method's authentication function.  It's the 
"else" block that starts on line 176 of the 2.5.1 release.

The shibauth.php module uses testShibAuth as the test function.  All it does 
is check for $_SERVER['SHIB_EPPN'] being set.  If it is not set, it will 
not attempt to authenticate the user using Shibboleth.  An easy way to test 
this is to temporarily put a file in the same directory as the main VCL 
index.php that just has this in it:

<?php
// dumps every server variable, including the attributes the Shibboleth SP exported
print "<pre>\n";
print_r($_SERVER);
print "</pre>\n";
?>

Don't leave the file in there beyond the testing since it can disclose various 
information about your system.

If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found your 
problem.  If your Shibboleth configuration is using something different than 
'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php.

The VCL php code doesn't log anywhere other than where php errors would be 
going.  Look into configuring php errors for httpd to get that set up.  My 
experience has been that systems generally don't log php errors anywhere by 
default.

Josh

On Thursday, September 10, 2020 1:47:09 PM EDT MARTINEZ, ARIEL wrote:
> I have been looking further into the shibauth.php file to see what is
> supposed to happen when a shibboleth login happens. For starters, it
> creates an affiliation in the affiliation table if it does not find one
> from the attributes received from the identity provider. However it doesn't
> seem to be executing that code. It at the very least should have generated
> an error message when trying to automatically create an affiliation if it
> failed.
> 
> Is there any way to troubleshoot shibauth.php to see what is happening? Or
> is this particular function logged somewhere in particular?
> 
> Thanks.
> 
> 
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Sunday, August 30, 2020 1:11 PM
> To: '[email protected]' <[email protected]>
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> 
> I don't know what else to really try because as far as Shibboleth is
> concerned, it appears to be working. So I went to the
> /Shibboleth.sso/Session URL after logging in and the following is
> displayed, I replaced some values that should not be public:
> 
> Miscellaneous
> Session Expiration (barring inactivity): 478 minute(s)
> Client Address: (xx.xx.xx.xxx)
> SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
> Identity Provider: (idp entity ID)
> Authentication Time: 2020-08-30T16:54:23.787Z
> Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> Authentication Context Decl: (none)
> 
> Attributes
> affiliation: [email protected]
> eppn: [email protected];[email protected]
> upn: [email protected]
> 
> 
> Unless eppn should not have two values, as far as I can tell, the proper
> values required by VCL are present. In the VCL database affiliation table,
> I have populated an existing VCL Affiliation that is configured to use LDAP
> with the domain.com value under shibname. I also tried creating a new
> affiliation setting shibonly to 1.
> 
> I still get the same behavior where, after selecting the Shibboleth
> authentication method and signing in at my idp, it gets redirected back to
> the /vcl directory to choose an authentication method.
> 
> 
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Thursday, August 27, 2020 3:00 PM
> To: '[email protected]' <[email protected]>
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> 
> After login nothing is happening still. So I moved the test.php file from
> the old Shibboleth instructions to my main VCL directory and set the
> conf.php file to redirect to this file after login and the attributes are
> all undefined.
> 
> Is this sufficient to say with a high level of certainty that my IDP is not
> sending VCL what it is expecting? Or is the test.php not meant to work that
> way?
> 
> Thanks
> 
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Wednesday, August 26, 2020 11:14 AM
> To: [email protected]
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> 
> Hi Josh,
> 
> Last question before I try again, there is no shibboleth affiliation in my
> VCL database. So should I be creating a new affiliation for shibboleth and
> populating the shibname field, or should I use the existing LDAP configured
> affiliation and populate its shibname field?
> 
> Thanks
> 
> -----Original Message-----
> From: Josh Thompson <[email protected]>
> Sent: Wednesday, August 26, 2020 11:04 AM
> To: [email protected]
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

-- 
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found on pool.sks-keyservers.net

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
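An added diagnostic, not part of this thread and not VCL's own code, that narrows the print_r($_SERVER) check above to what VCL's testShibAuth actually needs: it reports whether SHIB_EPPN reached PHP and lists only the names and value counts of Shibboleth variables, not their values, so it discloses far less than dumping $_SERVER. The variable-name prefixes are assumptions about how the Shibboleth SP typically exports attributes; the file is still meant to be removed after testing.

```php
<?php
// Added diagnostic example (not VCL code). Place it next to VCL's index.php
// only while troubleshooting, then delete it.

// The variable VCL 2.5.1's testShibAuth checks. Change it here if your SP's
// attribute-map.xml exports eppn under a different id (assumption).
$expected = 'SHIB_EPPN';

// Report only variables with these prefixes (assumed typical SP exports):
// SHIB_ for env-style exports, HTTP_SHIB_ when the SP sends them as headers,
// Shib- for the SP's own session variables such as Shib-Session-ID.
$prefixes = ['SHIB_', 'HTTP_SHIB_', 'Shib-'];

header('Content-Type: text/plain');

$found = [];
foreach ($_SERVER as $name => $value) {
    foreach ($prefixes as $p) {
        if (strncmp($name, $p, strlen($p)) === 0) {
            // The Shibboleth SP joins multi-valued attributes with ';',
            // which is why the session page above shows eppn with two values.
            $count = ($value === '') ? 0 : count(explode(';', $value));
            $found[$name] = $count;
            break;
        }
    }
}

if (isset($_SERVER[$expected]) && $_SERVER[$expected] !== '') {
    echo "OK: {$expected} is set, so testShibAuth would return true.\n";
} else {
    echo "PROBLEM: {$expected} is not set, so VCL will not attempt a Shibboleth login.\n";
}

if (empty($found)) {
    echo "No Shibboleth variables reached PHP at all; the SP is not exporting\n";
    echo "attributes for this location.\n";
} else {
    echo "Shibboleth variables present (name: number of values):\n";
    ksort($found);
    foreach ($found as $name => $count) {
        echo "  {$name}: {$count}\n";
    }
}
```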