Ok, I would go into your attribute-map.xml file and change the eppn to be shib_eppn.
Here is a example that we use <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id=" > SHIB_EPPN"> > <AttributeDecoder xsi:type="ScopedAttributeDecoder"/> > </Attribute> > <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="SHIB_EPPN"> > <AttributeDecoder xsi:type="ScopedAttributeDecoder"/> > </Attribute> > Mike On Mon, Sep 14, 2020 at 4:46 PM Mike Jennings <[email protected]> wrote: > Have you looked for any errors in the shibd.log or the transaction.logs of > the shibboleth service provider. > > Also have you tried to add a php file to dump the data in the vcl > directory that contains > > <?php print_r($_SERVER) ?> > > and what does that print out > > Also can you send me a copy of your attribute-map.xml file > > Mike > > On Mon, Sep 14, 2020 at 4:35 PM MARTINEZ, ARIEL <[email protected]> > wrote: > >> Hi Mike, >> >> >> >> Both Shibboleth.sso/Status and Shibboleth.sso/Session indicate that the >> Shibboleth SP appears to be running correctly. I can see eppn, mail and >> displayname (haven’t included affiliation) in the session after >> authenticating. >> >> >> >> I just can’t figure out why the $_SERVER variable does not have any >> Shibboleth data even though the session is established. Because of this, >> the authentication in VCL is not working. >> >> >> >> I have a .htaccess file in /var/www/html/vcl directory with the following: >> >> >> >> Authtype shibboleth >> >> ShibRequireSession off >> >> Require shibboleth >> >> >> >> So when I select the configured SSO option in the VCL login, I get >> redirected to my identity provider and it gets redirected back to the /vcl >> webpage but it doesn’t log in. >> >> >> >> Thanks >> >> >> >> >> >> *From:* Mike Jennings <[email protected]> >> *Sent:* Monday, September 14, 2020 11:17 AM >> *To:* [email protected] >> *Subject:* Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO >> Authentication >> *Importance:* Low >> >> >> >> Martinez, >> >> >> >> Sorry I am a little late to the game here. >> >> >> >> It has been a long time since I have worked with a Shibboleth SP. >> >> >> >> I am currently assuming that you have setup the Shibboleth SP on a Apache >> HTTPS server. >> >> >> >> I am assuming that you can do the initial test correctly >> >> >> >> You can test to ensure that the SP is running properly and the >> surrounding environment is correct by accessing >> https://localhost/Shibboleth.sso/Status *from the actual web server >> machine*. You *MUST* use "localhost" as the hostname or it WILL NOT WORK >> by default. If this test is successful, then the software is ready for >> further configuration. >> >> You can also access the Status handler from other clients or using a >> non-localhost name, but *only* if you change the acl parameter in the >> configuration to permit your client address or remove it entirely to open >> up access to anybody. The ACL is present by default because the Status >> handler can return some arguably sensitive information about your >> configuration. >> >> >> >> >> >> You have the attribute-map.xml configured correctly. You might need to >> contact the Shibboleth IdP Administrator to verify he is releasing >> attributes to your sp and what values need to be modified in that file. >> >> >> >> Thanks, >> >> >> >> Mike Jennings >> >> >> >> On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL < >> [email protected]> wrote: >> >> Hi Josh, >> >> Thanks for this info. The problem is that there is no 'SHIB_EPPN' in the >> $_SERVER array. There is no other Shibboleth related entry other than the >> shib session string HTTP_COOKIE. >> >> Not sure how to correct this. How can the required entry be made to be >> included in the array? >> >> Thanks >> >> On Sep 11, 2020 5:39 PM, Josh Thompson <[email protected]> wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Hi Ariel, >> >> Toward the top of initGlobals in utils.php, there is a small block of code >> that tests conditions for each authentication method if the user is not >> logged >> in, and if that authentication method's test function returns true, it >> will >> then call that authentication method's authentication function. It's the >> "else" block that starts on line 176 of the 2.5.1 release. >> >> The shibauth.php module uses testShibAuth as the test function. All it >> does >> is to check for $_SERVER['SHIB_EPPN'] being set. If it is not set, it >> will >> not attempt to authenticate the user using Shibboleth. An easy way to >> test >> this is to temporarily put a file in the same directory as the main VCL >> index.php directory that just has this in it: >> >> <?php >> print "<pre>\n"; >> print_r($_SERVER); >> print "</pre>\n"; >> ?> >> >> Don't leave the file in there beyond the testing since it can disclose >> various >> information about your system. >> >> If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found >> your >> problem. If your Shibboleth configuration is using something different >> than >> 'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php. >> >> The VCL php code doesn't log anywhere other than where php errors would be >> going. Look in to configuring php errors for httpd to get that set up. >> My >> experience has been that systems generally don't log php errors anywhere >> by >> default. >> >> Josh >> >> On Thursday, September 10, 2020 1:47:09 PM EDT MARTINEZ, ARIEL wrote: >> > I have been looking further into the shibauth.php file to see what is >> > supposed to happen when a shibboleth login happens. For starters, it >> > creates an affiliation in the affiliation table if it does not find one >> > from the attributes received from the identity provider. However it >> doesn't >> > seem to be executing that code. It at the very least should have >> generated >> > an error message when trying to automatically create an affiliation if >> it >> > failed. >> > >> > Is there any way to troubleshoot shibauth.php to see what is happening? >> Or >> > is this particular function logged somewhere in particular? >> > >> > Thanks. >> > >> > >> > -----Original Message----- >> > From: MARTINEZ, ARIEL >> > Sent: Sunday, August 30, 2020 1:11 PM >> > To: '[email protected]' <[email protected]> >> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication >> > >> > I don't know what else to really try because as far as Shibboleth is >> > concerned, it appears to be working. So I went to the >> > /Shibboleth.sso/Session URL after logging in and the following is >> > displayed, I replaced some values that should not be public: >> > >> > Miscellaneous >> > Session Expiration (barring inactivity): 478 minute(s) Client Address: >> > (xx.xx.xx.xxx) SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol >> Identity >> > Provider: (idp entity ID) >> > Authentication Time: 2020-08-30T16:54:23.787Z Authentication Context >> Class: >> > urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport >> > Authentication Context Decl: (none) >> > >> > Attributes >> > affiliation: [email protected] >> > eppn: [email protected];[email protected] >> > upn: [email protected] >> > >> > >> > Unless eppn should not have two values, as far as I can tell, the proper >> > values required by VCL are present. In the VCL database affiliation >> table, >> > I have populated an existing VCL Affiliation that is configured to use >> LDAP >> > with the domain.com value under shibname. I also tried creating a new >> > affiliation setting shibonly to 1 >> > >> > I still get the same behavior where, after selecting the Shibboleth >> > authentication method and signing in at my idp, it gets redirected back >> to >> > the /vcl directory to choose an authentication method. >> > >> > >> > -----Original Message----- >> > From: MARTINEZ, ARIEL >> > Sent: Thursday, August 27, 2020 3:00 PM >> > To: '[email protected]' <[email protected]> >> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication >> > >> > After login nothing is happening still. So I moved the test.php file >> from >> > the old Shibboleth instructions to my main VCL directory and set the >> > conf.php file to redirect to this file after login and the attributes >> are >> > all undefined. >> > >> > Is this sufficient to say with a high level of certainty that my IDP is >> not >> > sending VCL what it is expecting? Or is the test.php not meant to work >> that >> > way? >> > >> > Thanks >> > >> > -----Original Message----- >> > From: MARTINEZ, ARIEL >> > Sent: Wednesday, August 26, 2020 11:14 AM >> > To: [email protected] >> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication >> > >> > Hi Josh, >> > >> > Last question before I try again, there is no shibboleth affiliation in >> my >> > VCL database. So should I be creating a new affiliation for shibboleth >> and >> > populating the shibname field, or should I use the existing LDAP >> configured >> > affiliation and populate its shibname field? >> > >> > Thanks >> > >> > -----Original Message----- >> > From: Josh Thompson <[email protected]> >> > Sent: Wednesday, August 26, 2020 11:04 AM >> > To: [email protected] >> > Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication >> >> - -- >> - ------------------------------- >> Josh Thompson >> VCL Developer >> North Carolina State University >> >> my GPG/PGP key can be found on pool.sks-keyservers.net >> >> All electronic mail messages in connection with State business which >> are sent to or received by this account are subject to the NC Public >> Records Law and may be disclosed to third parties. >> -----BEGIN PGP SIGNATURE----- >> >> iF0EARECAB0WIQRMIdRtWXideTZDK31X8tBw1209AwUCX1vuhwAKCRBX8tBw1209 >> A8DxAJ96eWpTyUnduFw9TVnbqelq8Xyt2ACfUmfmuBolOE+Agkt6ZfQVJ4HjO48= >> =jMJR >> -----END PGP SIGNATURE----- >> >> >>
