Martinez, sorry I am a little late to the game here.

It has been a long time since I have worked with a Shibboleth SP. I am currently assuming that you have set up the Shibboleth SP on an Apache HTTPS server. I am assuming that you can do the initial test correctly:

> You can test to ensure that the SP is running properly and the surrounding
> environment is correct by accessing
> https://localhost/Shibboleth.sso/Status *from the actual web server
> machine*. You *MUST* use "localhost" as the hostname or it WILL NOT WORK
> by default. If this test is successful, then the software is ready for
> further configuration.
>
> You can also access the Status handler from other clients or using a
> non-localhost name, but *only* if you change the acl parameter in the
> configuration to permit your client address or remove it entirely to open
> up access to anybody. The ACL is present by default because the Status
> handler can return some arguably sensitive information about your
> configuration.

You have the attribute-map.xml configured correctly. You might need to contact the Shibboleth IdP Administrator to verify he is releasing attributes to your SP and what values need to be modified in that file.

Thanks,
Mike Jennings

On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL <[email protected]> wrote:

> Hi Josh,
>
> Thanks for this info. The problem is that there is no 'SHIB_EPPN' in the
> $_SERVER array. There is no other Shibboleth related entry other than the
> shib session string HTTP_COOKIE.
>
> Not sure how to correct this. How can the required entry be made to be
> included in the array?
>
> Thanks
>
> On Sep 11, 2020 5:39 PM, Josh Thompson <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Ariel,
>
> Toward the top of initGlobals in utils.php, there is a small block of code
> that tests conditions for each authentication method if the user is not
> logged in, and if that authentication method's test function returns true,
> it will then call that authentication method's authentication function.
> It's the "else" block that starts on line 176 of the 2.5.1 release.
>
> The shibauth.php module uses testShibAuth as the test function. All it does
> is to check for $_SERVER['SHIB_EPPN'] being set. If it is not set, it will
> not attempt to authenticate the user using Shibboleth. An easy way to test
> this is to temporarily put a file in the same directory as the main VCL
> index.php directory that just has this in it:
>
> <?php
> print "<pre>\n";
> print_r($_SERVER);
> print "</pre>\n";
> ?>
>
> Don't leave the file in there beyond the testing since it can disclose
> various information about your system.
>
> If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found your
> problem. If your Shibboleth configuration is using something different than
> 'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php.
>
> The VCL php code doesn't log anywhere other than where php errors would be
> going. Look into configuring php errors for httpd to get that set up. My
> experience has been that systems generally don't log php errors anywhere by
> default.
>
> Josh
>
> On Thursday, September 10, 2020 1:47:09 PM EDT MARTINEZ, ARIEL wrote:
> > I have been looking further into the shibauth.php file to see what is
> > supposed to happen when a shibboleth login happens. For starters, it
> > creates an affiliation in the affiliation table if it does not find one
> > from the attributes received from the identity provider. However it
> > doesn't seem to be executing that code. It at the very least should have
> > generated an error message when trying to automatically create an
> > affiliation if it failed.
> >
> > Is there any way to troubleshoot shibauth.php to see what is happening?
> > Or is this particular function logged somewhere in particular?
> >
> > Thanks.
> >
> >
> > -----Original Message-----
> > From: MARTINEZ, ARIEL
> > Sent: Sunday, August 30, 2020 1:11 PM
> > To: '[email protected]' <[email protected]>
> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> >
> > I don't know what else to really try because as far as Shibboleth is
> > concerned, it appears to be working. So I went to the
> > /Shibboleth.sso/Session URL after logging in and the following is
> > displayed, I replaced some values that should not be public:
> >
> > Miscellaneous
> > Session Expiration (barring inactivity): 478 minute(s)
> > Client Address: (xx.xx.xx.xxx)
> > SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
> > Identity Provider: (idp entity ID)
> > Authentication Time: 2020-08-30T16:54:23.787Z
> > Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> > Authentication Context Decl: (none)
> >
> > Attributes
> > affiliation: [email protected]
> > eppn: [email protected];[email protected]
> > upn: [email protected]
> >
> >
> > Unless eppn should not have two values, as far as I can tell, the proper
> > values required by VCL are present. In the VCL database affiliation table,
> > I have populated an existing VCL Affiliation that is configured to use
> > LDAP with the domain.com value under shibname. I also tried creating a new
> > affiliation setting shibonly to 1
> >
> > I still get the same behavior where, after selecting the Shibboleth
> > authentication method and signing in at my idp, it gets redirected back
> > to the /vcl directory to choose an authentication method.
> >
> >
> > -----Original Message-----
> > From: MARTINEZ, ARIEL
> > Sent: Thursday, August 27, 2020 3:00 PM
> > To: '[email protected]' <[email protected]>
> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> >
> > After login nothing is happening still. So I moved the test.php file from
> > the old Shibboleth instructions to my main VCL directory and set the
> > conf.php file to redirect to this file after login and the attributes are
> > all undefined.
> >
> > Is this sufficient to say with a high level of certainty that my IDP is
> > not sending VCL what it is expecting? Or is the test.php not meant to work
> > that way?
> >
> > Thanks
> >
> > -----Original Message-----
> > From: MARTINEZ, ARIEL
> > Sent: Wednesday, August 26, 2020 11:14 AM
> > To: [email protected]
> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> >
> > Hi Josh,
> >
> > Last question before I try again, there is no shibboleth affiliation in
> > my VCL database. So should I be creating a new affiliation for shibboleth
> > and populating the shibname field, or should I use the existing LDAP
> > configured affiliation and populate its shibname field?
> >
> > Thanks
> >
> > -----Original Message-----
> > From: Josh Thompson <[email protected]>
> > Sent: Wednesday, August 26, 2020 11:04 AM
> > To: [email protected]
> > Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> - --
> - -------------------------------
> Josh Thompson
> VCL Developer
> North Carolina State University
>
> my GPG/PGP key can be found on pool.sks-keyservers.net
>
> All electronic mail messages in connection with State business which
> are sent to or received by this account are subject to the NC Public
> Records Law and may be disclosed to third parties.
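Josh's description of testShibAuth checking $_SERVER['SHIB_EPPN'], and the two-valued eppn Ariel quoted from the Session handler, as an added PHP example that is not part of this thread and not VCL's own shibauth.php. It assumes the SP exports attributes as Apache environment variables (ShibUseHeaders Off); the REDIRECT_ fallback, the ';' multi-value delimiter and the shibname lookup table are assumptions about a typical Apache/Shibboleth SP setup, not VCL's implementation.

```php
<?php
// Added example, not VCL's code: find the attribute testShibAuth looks for,
// split a multi-valued eppn, and pick the affiliation by shibname domain.
// Assumes attributes arrive as Apache environment variables (ShibUseHeaders Off).

// Return a Shibboleth attribute from $_SERVER, or null if the SP did not set it.
// Also checks the REDIRECT_-prefixed key Apache produces after an internal
// redirect (mod_rewrite, ErrorDocument), a common reason the plain key is
// absent. It deliberately does not fall back to HTTP_* request headers: a
// client can supply those unless the SP is configured to scrub them.
function shibAttribute(array $server, string $name): ?string
{
    foreach ([$name, 'REDIRECT_' . $name] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    return null;
}

// The Shibboleth SP joins multiple values of one attribute with ';' (assumed default).
function shibValues(?string $raw): array
{
    return $raw === null
        ? []
        : array_values(array_filter(array_map('trim', explode(';', $raw)), 'strlen'));
}

// Choose the affiliation whose shibname equals the domain part of an eppn,
// trying each value in order. $byShibname is a constructed stand-in for the
// VCL affiliation table (shibname => affiliation id).
function affiliationForEppn(array $eppns, array $byShibname): ?int
{
    foreach ($eppns as $eppn) {
        $at = strrpos($eppn, '@');
        if ($at === false) {
            continue;
        }
        $domain = strtolower(substr($eppn, $at + 1));
        if (isset($byShibname[$domain])) {
            return $byShibname[$domain];
        }
    }
    return null;
}

// Constructed sample resembling the two-valued eppn quoted in the thread.
$server = ['SHIB_EPPN' => 'alice@domain.com;alice@other.example'];
$eppns  = shibValues(shibAttribute($server, 'SHIB_EPPN'));
echo 'eppn values: ', implode(', ', $eppns), "\n";
echo 'affiliation id: ', affiliationForEppn($eppns, ['domain.com' => 2]) ?? 'none', "\n";
```

Run it with the real $_SERVER in place of the constructed array; if shibAttribute() returns null for every key name your attribute-map.xml defines, the attribute is not reaching PHP and the SP or Apache side needs attention before shibauth.php does.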
