Can you tell me what your RequestMap section looks like in your shibboleth2.xml file
On Mon, Sep 14, 2020 at 5:57 PM Mike Jennings <[email protected]> wrote:
> Nope you should not....
>
> Are you running a shibboleth idp or an adfs
>
> Mike
>
> On Mon, Sep 14, 2020 at 5:18 PM MARTINEZ, ARIEL <[email protected]> wrote:
>
>> Tried that, but same result.
>>
>> In Shibboleth2.xml file, should REMOTE_USER = "eduPersonPrincipalName" be
>> changed to SHIB_EPPN as well?
>>
>> Thanks
>>
>> From: Mike Jennings <[email protected]>
>> Sent: Monday, September 14, 2020 5:14 PM
>> To: [email protected]
>> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>> Importance: Low
>>
>> try setting ShibRequireSession On
>>
>> Mike
>>
>> On Mon, Sep 14, 2020 at 5:07 PM MARTINEZ, ARIEL <[email protected]> wrote:
>>
>> I made the change but it still doesn't show up in $_SERVER.
>> Shibboleth.sso/Session now shows SHIB_EPPN for the attribute name after
>> updating the attribute map xml
>>
>> Thanks
>>
>> From: Mike Jennings <[email protected]>
>> Sent: Monday, September 14, 2020 5:02 PM
>> To: [email protected]
>> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>> Importance: Low
>>
>> Yes, after checking the attribute-map.xml file that you sent me, change
>> the eppn lines to SHIB_EPPN and then reboot the shibd process....
>>
>> This should pick up the changes in the attribute map and make things work.
>>
>> Mike
>>
>> On Mon, Sep 14, 2020 at 5:00 PM MARTINEZ, ARIEL <[email protected]> wrote:
>>
>> Yes, I looked through the shibd.log initially and it looked normal, no
>> errors that would give a clue to what is happening. I have a test.php file
>> in the vcl directory and it prints out many variables except for anything
>> related to Shibboleth. I've attached the attribute-map.xml file.
>>
>> Thanks
>>
>> ________________________________
>> From: Mike Jennings <[email protected]>
>> Sent: Monday, September 14, 2020 4:46 PM
>> To: [email protected]
>> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>>
>> Have you looked for any errors in the shibd.log or the transaction.logs
>> of the shibboleth service provider.
>>
>> Also have you tried to add a php file to dump the data in the vcl
>> directory that contains
>>
>> <?php print_r($_SERVER) ?>
>>
>> and what does that print out
>>
>> Also can you send me a copy of your attribute-map.xml file
>>
>> Mike
>>
>> On Mon, Sep 14, 2020 at 4:35 PM MARTINEZ, ARIEL <[email protected]> wrote:
>> Hi Mike,
>>
>> Both Shibboleth.sso/Status and Shibboleth.sso/Session indicate that the
>> Shibboleth SP appears to be running correctly. I can see eppn, mail and
>> displayname (haven't included affiliation) in the session after
>> authenticating.
>>
>> I just can't figure out why the $_SERVER variable does not have any
>> Shibboleth data even though the session is established. Because of this,
>> the authentication in VCL is not working.
>>
>> I have a .htaccess file in /var/www/html/vcl directory with the following:
>>
>> Authtype shibboleth
>> ShibRequireSession off
>> Require shibboleth
>>
>> So when I select the configured SSO option in the VCL login, I get
>> redirected to my identity provider and it gets redirected back to the /vcl
>> webpage but it doesn't log in.
>>
>> Thanks
>>
>> From: Mike Jennings <[email protected]>
>> Sent: Monday, September 14, 2020 11:17 AM
>> To: [email protected]
>> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>> Importance: Low
>>
>> Martinez,
>>
>> Sorry I am a little late to the game here.
>>
>> It has been a long time since I have worked with a Shibboleth SP.
>>
>> I am currently assuming that you have set up the Shibboleth SP on an Apache
>> HTTPS server.
>>
>> I am assuming that you can do the initial test correctly
>>
>> You can test to ensure that the SP is running properly and the
>> surrounding environment is correct by accessing
>> https://localhost/Shibboleth.sso/Status from the actual web server
>> machine. You MUST use "localhost" as the hostname or it WILL NOT WORK by
>> default. If this test is successful, then the software is ready for further
>> configuration.
>>
>> You can also access the Status handler from other clients or using a
>> non-localhost name, but only if you change the acl parameter in the
>> configuration to permit your client address or remove it entirely to open
>> up access to anybody. The ACL is present by default because the Status
>> handler can return some arguably sensitive information about your
>> configuration.
>>
>> You have the attribute-map.xml configured correctly. You might need to
>> contact the Shibboleth IdP Administrator to verify he is releasing
>> attributes to your sp and what values need to be modified in that file.
>>
>> Thanks,
>>
>> Mike Jennings
>>
>> On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL <[email protected]> wrote:
>> Hi Josh,
>>
>> Thanks for this info. The problem is that there is no 'SHIB_EPPN' in the
>> $_SERVER array. There is no other Shibboleth related entry other than the
>> shib session string HTTP_COOKIE.
>>
>> Not sure how to correct this. How can the required entry be made to be
>> included in the array?
>>
>> Thanks
>>
>> On Sep 11, 2020 5:39 PM, Josh Thompson <[email protected]> wrote:
>>
>> Hi Ariel,
>>
>> Toward the top of initGlobals in utils.php, there is a small block of code
>> that tests conditions for each authentication method if the user is not logged
>> in, and if that authentication method's test function returns true, it will
>> then call that authentication method's authentication function. It's the
>> "else" block that starts on line 176 of the 2.5.1 release.
>>
>> The shibauth.php module uses testShibAuth as the test function. All it does
>> is to check for $_SERVER['SHIB_EPPN'] being set. If it is not set, it will
>> not attempt to authenticate the user using Shibboleth. An easy way to test
>> this is to temporarily put a file in the same directory as the main VCL
>> index.php directory that just has this in it:
>>
>> <?php
>> print "<pre>\n";
>> print_r($_SERVER);
>> print "</pre>\n";
>> ?>
>>
>> Don't leave the file in there beyond the testing since it can disclose various
>> information about your system.
>>
>> If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found your
>> problem. If your Shibboleth configuration is using something different than
>> 'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php.
>>
>> The VCL php code doesn't log anywhere other than where php errors would be
>> going. Look into configuring php errors for httpd to get that set up. My
>> experience has been that systems generally don't log php errors anywhere by
>> default.
>>
>> Josh
>>
>> On Thursday, September 10, 2020 1:47:09 PM EDT MARTINEZ, ARIEL wrote:
>> > I have been looking further into the shibauth.php file to see what is
>> > supposed to happen when a shibboleth login happens. For starters, it
>> > creates an affiliation in the affiliation table if it does not find one
>> > from the attributes received from the identity provider. However it doesn't
>> > seem to be executing that code. It at the very least should have generated
>> > an error message when trying to automatically create an affiliation if it
>> > failed.
>> >
>> > Is there any way to troubleshoot shibauth.php to see what is happening? Or
>> > is this particular function logged somewhere in particular?
>> >
>> > Thanks.
>> >
>> > -----Original Message-----
>> > From: MARTINEZ, ARIEL
>> > Sent: Sunday, August 30, 2020 1:11 PM
>> > To: '[email protected]' <[email protected]>
>> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>> >
>> > I don't know what else to really try because as far as Shibboleth is
>> > concerned, it appears to be working. So I went to the
>> > /Shibboleth.sso/Session URL after logging in and the following is
>> > displayed, I replaced some values that should not be public:
>> >
>> > Miscellaneous
>> > Session Expiration (barring inactivity): 478 minute(s)
>> > Client Address: (xx.xx.xx.xxx)
>> > SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
>> > Identity Provider: (idp entity ID)
>> > Authentication Time: 2020-08-30T16:54:23.787Z
>> > Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
>> > Authentication Context Decl: (none)
>> >
>> > Attributes
>> > affiliation: [email protected]
>> > eppn: [email protected];[email protected]
>> > upn: [email protected]
>> >
>> > Unless eppn should not have two values, as far as I can tell, the proper
>> > values required by VCL are present. In the VCL database affiliation table,
>> > I have populated an existing VCL Affiliation that is configured to use LDAP
>> > with the domain.com value under shibname. I also tried creating a new
>> > affiliation setting shibonly to 1
>> >
>> > I still get the same behavior where, after selecting the Shibboleth
>> > authentication method and signing in at my idp, it gets redirected back to
>> > the /vcl directory to choose an authentication method.
>> >
>> > -----Original Message-----
>> > From: MARTINEZ, ARIEL
>> > Sent: Thursday, August 27, 2020 3:00 PM
>> > To: '[email protected]' <[email protected]>
>> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>> >
>> > After login nothing is happening still. So I moved the test.php file from
>> > the old Shibboleth instructions to my main VCL directory and set the
>> > conf.php file to redirect to this file after login and the attributes are
>> > all undefined.
>> >
>> > Is this sufficient to say with a high level of certainty that my IDP is not
>> > sending VCL what it is expecting? Or is the test.php not meant to work that
>> > way?
>> >
>> > Thanks
>> >
>> > -----Original Message-----
>> > From: MARTINEZ, ARIEL
>> > Sent: Wednesday, August 26, 2020 11:14 AM
>> > To: [email protected]
>> > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>> >
>> > Hi Josh,
>> >
>> > Last question before I try again, there is no shibboleth affiliation in my
>> > VCL database. So should I be creating a new affiliation for shibboleth and
>> > populating the shibname field, or should I use the existing LDAP configured
>> > affiliation and populate its shibname field?
>> >
>> > Thanks
>> >
>> > -----Original Message-----
>> > From: Josh Thompson <[email protected]>
>> > Sent: Wednesday, August 26, 2020 11:04 AM
>> > To: [email protected]
>> > Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>>
>> --
>> -------------------------------
>> Josh Thompson
>> VCL Developer
>> North Carolina State University
>>
>> my GPG/PGP key can be found on pool.sks-keyservers.net
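A diagnostic page in the spirit of Josh's print_r test, added here as an example (it is not VCL's code and not from any of the messages above): it assumes the SHIB_* attribute ids the thread's attribute-map.xml uses and the SP's own Shib-* session variables, and like Josh's file it is meant to be removed once testing is done.

```php
<?php
// Added example, not VCL code and not from the thread: a narrower stand-in for
// the print_r($_SERVER) test page above. It lists only what the SP exported,
// mirrors the SHIB_EPPN check Josh describes, and splits a multi-valued eppn.

// Assumed for this example: attribute ids from the thread's attribute-map.xml.
const SHIB_ATTR_KEYS = ['SHIB_EPPN', 'SHIB_MAIL', 'SHIB_DISPLAYNAME', 'SHIB_AFFILIATION'];
// Mapped attributes plus the SP's own Shib-* session variables.
function shibAttributes(array $server): array
{
    $out = [];
    foreach ($server as $key => $value) {
        if (in_array($key, SHIB_ATTR_KEYS, true) || strncasecmp($key, 'Shib-', 5) === 0) {
            $out[$key] = $value;
        }
    }
    return $out;
}
// The condition Josh describes for testShibAuth: SHIB_EPPN must be set.
function shibEppnPresent(array $server): bool
{
    return isset($server['SHIB_EPPN']) && $server['SHIB_EPPN'] !== '';
}
// Split a multi-valued attribute; the SP joins values with ';' by default.
function splitShibValues(string $raw): array
{
    return array_values(array_filter(array_map('trim', explode(';', $raw)), 'strlen'));
}
// Constructed sample for a CLI run; not captured from any real server.
$sample = [
    'HTTP_HOST'              => 'vcl.example.org',
    'HTTP_COOKIE'            => '_shibsession_redacted=redacted',
    'Shib-Identity-Provider' => 'https://idp.example.org/idp/shibboleth',
    'SHIB_EPPN'              => '[email protected];[email protected]',
];
$server = (PHP_SAPI === 'cli') ? $sample : $_SERVER;
$attrs  = shibAttributes($server);

echo "<pre>\n";
foreach ($attrs as $k => $v) {
    echo htmlspecialchars("$k = $v", ENT_QUOTES, 'UTF-8'), "\n";
}
if (!$attrs) {
    echo "nothing from the SP: no session is applied to this path\n";
} elseif (!shibEppnPresent($server)) {
    echo "SP session present but no SHIB_EPPN: check attribute-map.xml and IdP release\n";
} else {
    echo 'eppn values: ', implode(', ', splitShibValues($server['SHIB_EPPN'])), "\n";
}
echo "</pre>\n";
```

Run from the CLI it uses the constructed sample; served by Apache it inspects the real $_SERVER, so an empty listing points at the session not being applied to the path, while Shib-* entries without SHIB_EPPN point at the attribute mapping or release.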
