Yes, I looked through the shibd.log initially and it looked normal, with no errors 
that would give a clue to what is happening. I have a test.php file in the vcl 
directory and it prints out many variables, but nothing related to 
Shibboleth. I've attached the attribute-map.xml file.


Thanks

________________________________
From: Mike Jennings <[email protected]>
Sent: Monday, September 14, 2020 4:46 PM
To: [email protected]
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Have you looked for any errors in the shibd.log or the transaction.logs of the 
Shibboleth service provider?

Also, have you tried to add a php file to dump the data in the vcl directory 
that contains

<?php print_r($_SERVER) ?>

and what does that print out?

Also, can you send me a copy of your attribute-map.xml file?

Mike

On Mon, Sep 14, 2020 at 4:35 PM MARTINEZ, ARIEL 
<[email protected]> wrote:
Hi Mike,

Both Shibboleth.sso/Status and Shibboleth.sso/Session indicate that the 
Shibboleth SP appears to be running correctly. I can see eppn, mail and 
displayname (haven’t included affiliation) in the session after authenticating.

I just can’t figure out why the $_SERVER variable does not have any Shibboleth 
data even though the session is established. Because of this, the 
authentication in VCL is not working.

I have a .htaccess file in /var/www/html/vcl directory with the following:

Authtype shibboleth
ShibRequireSession off
Require shibboleth

So when I select the configured SSO option in the VCL login, I get redirected 
to my identity provider and it gets redirected back to the /vcl webpage, but it 
doesn't log in.

Thanks


From: Mike Jennings <[email protected]>
Sent: Monday, September 14, 2020 11:17 AM
To: [email protected]
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low

Martinez,

Sorry I am a little late to the game here.

It has been a long time since I have worked with a Shibboleth SP.

I am currently assuming that you have set up the Shibboleth SP on an Apache HTTPS 
server.

I am assuming that you can do the initial test correctly.


You can test to ensure that the SP is running properly and the surrounding 
environment is correct by accessing https://localhost/Shibboleth.sso/Status 
from the actual web server machine. You MUST use "localhost" as the hostname or 
it WILL NOT WORK by default. If this test is successful, then the software is 
ready for further configuration.

You can also access the Status handler from other clients or using a 
non-localhost name, but only if you change the acl parameter in the 
configuration to permit your client address or remove it entirely to open up 
access to anybody. The ACL is present by default because the Status handler can 
return some arguably sensitive information about your configuration.


You have the attribute-map.xml configured correctly. You might need to contact 
the Shibboleth IdP Administrator to verify he is releasing attributes to your 
SP and what values need to be modified in that file.

Thanks,

Mike Jennings

On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL 
<[email protected]> wrote:
Hi Josh,

Thanks for this info. The problem is that there is no 'SHIB_EPPN' in the 
$_SERVER array. There is no other Shibboleth related entry other than the shib 
session string HTTP_COOKIE.

Not sure how to correct this. How can the required entry be made to be included 
in the array?

Thanks

On Sep 11, 2020 5:39 PM, Josh Thompson 
<[email protected]> wrote:

Hi Ariel,

Toward the top of initGlobals in utils.php, there is a small block of code
that tests conditions for each authentication method if the user is not logged
in, and if that authentication method's test function returns true, it will
then call that authentication method's authentication function.  It's the
"else" block that starts on line 176 of the 2.5.1 release.

The shibauth.php module uses testShibAuth as the test function.  All it does
is to check for $_SERVER['SHIB_EPPN'] being set.  If it is not set, it will
not attempt to authenticate the user using Shibboleth.  An easy way to test
this is to temporarily put a file in the same directory as the main VCL
index.php directory that just has this in it:

<?php
print "<pre>\n";
print_r($_SERVER);
print "</pre>\n";
?>

Don't leave the file in there beyond the testing since it can disclose various
information about your system.

If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found your
problem.  If your Shibboleth configuration is using something different than
'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php.

The VCL php code doesn't log anywhere other than where php errors would be
going.  Look into configuring php errors for httpd to get that set up.  My
experience has been that systems generally don't log php errors anywhere by
default.

Josh

On Thursday, September 10, 2020 1:47:09 PM EDT MARTINEZ, ARIEL wrote:
> I have been looking further into the shibauth.php file to see what is
> supposed to happen when a shibboleth login happens. For starters, it
> creates an affiliation in the affiliation table if it does not find one
> from the attributes received from the identity provider. However it doesn't
> seem to be executing that code. It at the very least should have generated
> an error message when trying to automatically create an affiliation if it
> failed.
>
> Is there any way to troubleshoot shibauth.php to see what is happening? Or
> is this particular function logged somewhere in particular?
>
> Thanks.
>
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Sunday, August 30, 2020 1:11 PM
> To: '[email protected]' <[email protected]>
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> I don't know what else to really try because as far as Shibboleth is
> concerned, it appears to be working. So I went to the
> /Shibboleth.sso/Session URL after logging in and the following is
> displayed, I replaced some values that should not be public:
>
> Miscellaneous
> Session Expiration (barring inactivity): 478 minute(s)
> Client Address: (xx.xx.xx.xxx)
> SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
> Identity Provider: (idp entity ID)
> Authentication Time: 2020-08-30T16:54:23.787Z
> Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> Authentication Context Decl: (none)
>
> Attributes
> affiliation: [email protected]
> eppn: [email protected];[email protected]
> upn: [email protected]
>
>
> Unless eppn should not have two values, as far as I can tell, the proper
> values required by VCL are present. In the VCL database affiliation table,
> I have populated an existing VCL Affiliation that is configured to use LDAP
> with the domain.com value under shibname. I also tried creating a new
> affiliation setting shibonly to 1.
>
> I still get the same behavior where, after selecting the Shibboleth
> authentication method and signing in at my idp, it gets redirected back to
> the /vcl directory to choose an authentication method.
>
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Thursday, August 27, 2020 3:00 PM
> To: '[email protected]' <[email protected]>
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> After login nothing is happening still. So I moved the test.php file from
> the old Shibboleth instructions to my main VCL directory and set the
> conf.php file to redirect to this file after login and the attributes are
> all undefined.
>
> Is this sufficient to say with a high level of certainty that my IDP is not
> sending VCL what it is expecting? Or is the test.php not meant to work that
> way?
>
> Thanks
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Wednesday, August 26, 2020 11:14 AM
> To: [email protected]
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> Hi Josh,
>
> Last question before I try again, there is no shibboleth affiliation in my
> VCL database. So should I be creating a new affiliation for shibboleth and
> populating the shibname field, or should I use the existing LDAP configured
> affiliation and populate its shibname field?
>
> Thanks
>
> -----Original Message-----
> From: Josh Thompson <[email protected]>
> Sent: Wednesday, August 26, 2020 11:04 AM
> To: [email protected]
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

--
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found on pool.sks-keyservers.net

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.


<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!--
    The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
    community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
    few exceptions for newer attributes where the name is the same for both versions. You will
    usually want to uncomment or map the names for both SAML versions as a unit.
    -->
  
    <!-- New standard identifier attributes for SAML. -->

    <Attribute name="urn:oasis:names:tc:SAML:attribute:subject-id" id="subject-id">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>
  
    <Attribute name="urn:oasis:names:tc:SAML:attribute:pairwise-id" id="pairwise-id">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>

    <!-- The most typical eduPerson attributes. -->

    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>

    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>

    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>

    <!--
    Legacy pairwise identifier attribute / NameID format, intended to be replaced by the
    simpler pairwise-id attribute (see top of file).
    -->
    
    <!-- The eduPerson attribute version (note the OID-style name): -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
    </Attribute>

    <!-- The SAML 2.0 NameID Format: -->
    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
    </Attribute>


    <!-- Added these two for mail and displayname -->
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>

    <!-- Other eduPerson attributes (SAML 2 names followed by SAML 1 names)... -->
    <!--
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>    
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>

    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>

    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
    -->
    
    <!-- Older LDAP-defined attributes (SAML 2.0 names followed by SAML 1 names)... -->
    <!--
    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
    <Attribute name="urn:oid:2.5.4.12" id="title"/>
    <Attribute name="urn:oid:2.5.4.43" id="initials"/>
    <Attribute name="urn:oid:2.5.4.13" id="description"/>
    <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
    <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
    <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
    <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
    <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
    <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
    <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
    <Attribute name="urn:oid:2.5.4.9" id="street"/>
    <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
    <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
    <Attribute name="urn:oid:2.5.4.8" id="st"/>
    <Attribute name="urn:oid:2.5.4.7" id="l"/>
    <Attribute name="urn:oid:2.5.4.10" id="o"/>
    <Attribute name="urn:oid:2.5.4.11" id="ou"/>
    <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
    <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>

    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
    <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
    <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
    <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
    <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
    <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
    <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
    <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
    <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
    <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
    <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
    <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
    <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
    <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
    <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
    <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
    <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
    <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
    <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
    <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
    <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
    <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
    -->

    <!-- SCHAC attributes... -->
    <!--
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" id="schacHomeOrganizationType">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.14" id="schacPersonalUniqueCode">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.15" id="schacPersonalUniqueID"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.19" id="schacUserStatus">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.20" id="schacProjectMembership">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.21" id="schacProjectSpecificRole">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>
    -->

<!--
<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" id="upn" />
-->

</Attributes>
