You will need to go into your attribute map and change affiliation to shib_affiliation like you did for shib_eppn. This should make the attributes map correctly.
Mike

On Thu, Sep 24, 2020 at 1:28 PM MARTINEZ, ARIEL <[email protected]> wrote:
> I have more troubleshooting information that may help. In shib.conf, I
> created a location block as follows:
>
>   <Location /vcl>
>     AuthType shibboleth
>     ShibRequestSetting requireSession false
>     require shibboleth
>   </Location>
>
> Doing so allows me to log into VCL, but when I click on any of the menu
> items I get a VCL error page: "An error has occured. If this problem
> persists, please email [email protected] for further assistance.
> Please include the steps you took that led up to this problem in your email
> message."
>
> In the ssl_error_log inside of /var/log/httpd I see the following, of which
> the first error is "undefined index: SHIB_AFFILIATION". I checked the
> affiliation database and it did create an entry on its own.
>
> [Thu Sep 24 13:21:01.827984 2020] [:error] [pid 15823] [client 10.32.14.218:56400] PHP Notice: Undefined index: SHIB_AFFILIATION in /var/www/html/vcl-2.5.1/.ht-inc/authmethods/shibauth.php on line 180, referer: https://login.hostos.cuny.edu/
> [Thu Sep 24 13:21:15.542646 2020] [:error] [pid 15820] [client 10.32.14.218:56406] PHP Notice: Undefined offset: 5 in /var/www/html/vcl-2.5.1/.ht-inc/authentication.php on line 110, referer: https://vcl.hostos.cuny.edu/vcl/
> [Thu Sep 24 13:21:15.543446 2020] [:error] [pid 15820] [client 10.32.14.218:56406] You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1
> SELECT ts FROM shibauth WHERE id = 
> ERROR(101): General MySQL error
> Mode was viewRequests
>
> Backtrace:
> =-=-=-=-=-=-=-=-=-=-=-=
> Call#:1 => index.php:initGlobals() (line#:60)
> Call#:2 => utils.php:readAuthCookie() (line#:172)
> Call#:3 => authentication.php:doQuery() (line#:114)
>
> Backtrace with Arguments:
> =-=-=-=-=-=-=-=-=-=-=-=
> Call#:1 => index.php:initGlobals() (line#:60)
> Arguments(none):
> -----------------------
> Call#:2 => utils.php:readAuthCookie() (line#:172)
> Arguments(none):
> -----------------------
> Call#:3 => authentication.php:doQuery() (line#:114)
> Arguments(2)
>
> Argument#: 1 => SELECT ts FROM shibauth WHERE id = 
> Argument#: 2 => 101
> -----------------------
> , referer: https://vcl.hostos.cuny.edu/vcl/
> [Thu Sep 24 13:21:15.610025 2020] [:error] [pid 15820] [client 10.32.14.218:56406] PHP Fatal error: Call to undefined function getFooter() in /var/www/html/vcl-2.5.1/.ht-inc/utils.php on line 14234, referer: https://vcl.hostos.cuny.edu/vcl/
>
> ________________________________
> From: MARTINEZ, ARIEL
> Sent: Thursday, September 24, 2020 11:36 AM
> To: [email protected]
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> I finally got Shibboleth to work properly on the default /secure
> directory, and the Shibboleth attributes in $_SERVER are now present,
> including SHIB_EPPN. However, after authenticating, I am still getting back
> to the VCL login page.
>
> I double checked the httpd.conf and shib.conf for any other blocks that
> may be enforcing Shibboleth and the only one is in .htaccess in the /vcl
> directory with the following lines:
>
>   AuthType shibboleth
>   ShibRequireSession Off
>   require shibboleth
>
> In the affiliation database I set the shibname back to null on an existing
> affiliation, so everything is back to default settings per se.
>
> Should I retry the shibboleth instructions using the /shibauth directory
> or do you think I should try something else?
>
> Thanks
>
> From: Mike Jennings <[email protected]>
> Sent: Monday, September 14, 2020 6:21 PM
> To: [email protected]
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> Importance: Low
>
> You might want to look at this documentation
>
> Mike
>
> https://wiki.shibboleth.net/confluence/display/SP3/ADFS
>
> On Mon, Sep 14, 2020 at 6:17 PM MARTINEZ, ARIEL <[email protected]> wrote:
> The idp is ADFS. I don't see a RequestMap block in shibboleth2.xml so I
> attached a copy replacing values with MYDOMAIN
>
> Thanks
>
> ________________________________
> > From: Mike Jennings <[email protected]>
> > Sent: Monday, September 14, 2020 5:59 PM
> > To: [email protected]
> > Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> >
> > Can you tell me what your RequestMap section looks like in your
> > shibboleth2.xml file
> >
> > On Mon, Sep 14, 2020 at 5:57 PM Mike Jennings <[email protected]> wrote:
> > Nope you should not....
> >
> > Are you running a shibboleth idp or an ADFS
> >
> > Mike
> >
> > On Mon, Sep 14, 2020 at 5:18 PM MARTINEZ, ARIEL <[email protected]> wrote:
> > Tried that, but same result.
> >
> > In Shibboleth2.xml file, should REMOTE_USER = "eduPersonPrincipalName" be
> > changed to SHIB_EPPN as well?
> >
> > Thanks
> >
> > From: Mike Jennings <[email protected]>
> > Sent: Monday, September 14, 2020 5:14 PM
> > To: [email protected]
> > Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> > Importance: Low
> >
> > try setting ShibRequireSession On
> >
> > Mike
> >
> > On Mon, Sep 14, 2020 at 5:07 PM MARTINEZ, ARIEL <[email protected]> wrote:
> > I made the change but it still doesn't show up in $_SERVER.
> > Shibboleth.sso/Session now shows SHIB_EPPN for the attribute name after
> > updating the attribute map xml
> >
> > Thanks
> >
> > From: Mike Jennings <[email protected]>
> > Sent: Monday, September 14, 2020 5:02 PM
> > To: [email protected]
> > Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> > Importance: Low
> >
> > Yes, after checking the attribute-map.xml file that you sent me, change
> > the eppn lines to SHIB_EPPN and then reboot the shibd process....
> >
> > This should pick up the changes in the attribute map and make things work.
> >
> > Mike
> >
> > On Mon, Sep 14, 2020 at 5:00 PM MARTINEZ, ARIEL <[email protected]> wrote:
> > Yes, I looked through the shibd.log initially and it looked normal, no
> > errors that would give a clue to what is happening. I have a test.php file
> > in the vcl directory and it prints out many variables except for anything
> > related to Shibboleth. I've attached the attribute-map.xml file.
> >
> > Thanks
> >
> > ________________________________
> > From: Mike Jennings <[email protected]>
> > Sent: Monday, September 14, 2020 4:46 PM
> > To: [email protected]
> > Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> >
> > Have you looked for any errors in the shibd.log or the transaction.logs of
> > the shibboleth service provider?
> >
> > Also have you tried to add a php file to dump the data in the vcl
> > directory that contains
> >
> >   <?php print_r($_SERVER) ?>
> >
> > and what does that print out?
> >
> > Also can you send me a copy of your attribute-map.xml file
> >
> > Mike
> >
> > On Mon, Sep 14, 2020 at 4:35 PM MARTINEZ, ARIEL <[email protected]> wrote:
> > Hi Mike,
> >
> > Both Shibboleth.sso/Status and Shibboleth.sso/Session indicate that the
> > Shibboleth SP appears to be running correctly. I can see eppn, mail and
> > displayname (haven't included affiliation) in the session after
> > authenticating.
> >
> > I just can't figure out why the $_SERVER variable does not have any
> > Shibboleth data even though the session is established. Because of this,
> > the authentication in VCL is not working.
> >
> > I have a .htaccess file in /var/www/html/vcl directory with the following:
> >
> >   Authtype shibboleth
> >   ShibRequireSession off
> >   Require shibboleth
> >
> > So when I select the configured SSO option in the VCL login, I get
> > redirected to my identity provider and it gets redirected back to the /vcl
> > webpage but it doesn't log in.
> >
> > Thanks
> >
> > From: Mike Jennings <[email protected]>
> > Sent: Monday, September 14, 2020 11:17 AM
> > To: [email protected]
> > Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> > Importance: Low
> >
> > Martinez,
> >
> > Sorry I am a little late to the game here.
> >
> > It has been a long time since I have worked with a Shibboleth SP.
> >
> > I am currently assuming that you have set up the Shibboleth SP on an Apache
> > HTTPS server.
> >
> > I am assuming that you can do the initial test correctly
> >
> > You can test to ensure that the SP is running properly and the surrounding
> > environment is correct by accessing
> > https://localhost/Shibboleth.sso/Status from the actual web server
> > machine. You MUST use "localhost" as the hostname or it WILL NOT WORK by
> > default. If this test is successful, then the software is ready for further
> > configuration.
> >
> > You can also access the Status handler from other clients or using a
> > non-localhost name, but only if you change the acl parameter in the
> > configuration to permit your client address or remove it entirely to open
> > up access to anybody. The ACL is present by default because the Status
> > handler can return some arguably sensitive information about your
> > configuration.
> >
> > You have the attribute-map.xml configured correctly. You might need to
> > contact the Shibboleth IdP Administrator to verify he is releasing
> > attributes to your sp and what values need to be modified in that file.
> >
> > Thanks,
> >
> > Mike Jennings
> >
> > On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL <[email protected]> wrote:
> > Hi Josh,
> >
> > Thanks for this info. The problem is that there is no 'SHIB_EPPN' in the
> > $_SERVER array. There is no other Shibboleth related entry other than the
> > shib session string HTTP_COOKIE.
> >
> > Not sure how to correct this. How can the required entry be made to be
> > included in the array?
> >
> > Thanks
> >
> > On Sep 11, 2020 5:39 PM, Josh Thompson <[email protected]> wrote:
> >
> > Hi Ariel,
> >
> > Toward the top of initGlobals in utils.php, there is a small block of code
> > that tests conditions for each authentication method if the user is not logged
> > in, and if that authentication method's test function returns true, it will
> > then call that authentication method's authentication function. It's the
> > "else" block that starts on line 176 of the 2.5.1 release.
> >
> > The shibauth.php module uses testShibAuth as the test function. All it does
> > is to check for $_SERVER['SHIB_EPPN'] being set. If it is not set, it will
> > not attempt to authenticate the user using Shibboleth. An easy way to test
> > this is to temporarily put a file in the same directory as the main VCL
> > index.php directory that just has this in it:
> >
> >   <?php
> >   print "<pre>\n";
> >   print_r($_SERVER);
> >   print "</pre>\n";
> >   ?>
> >
> > Don't leave the file in there beyond the testing since it can disclose various
> > information about your system.
> >
> > If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found your
> > problem. If your Shibboleth configuration is using something different than
> > 'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php.
> >
> > The VCL php code doesn't log anywhere other than where php errors would be
> > going. Look into configuring php errors for httpd to get that set up. My
> > experience has been that systems generally don't log php errors anywhere by
> > default.
> >
> > Josh
> >
> > On Thursday, September 10, 2020 1:47:09 PM EDT MARTINEZ, ARIEL wrote:
> > > I have been looking further into the shibauth.php file to see what is
> > > supposed to happen when a shibboleth login happens. For starters, it
> > > creates an affiliation in the affiliation table if it does not find one
> > > from the attributes received from the identity provider. However it doesn't
> > > seem to be executing that code. It at the very least should have generated
> > > an error message when trying to automatically create an affiliation if it
> > > failed.
> > >
> > > Is there any way to troubleshoot shibauth.php to see what is happening? Or
> > > is this particular function logged somewhere in particular?
> > >
> > > Thanks.
> > >
> > > -----Original Message-----
> > > From: MARTINEZ, ARIEL
> > > Sent: Sunday, August 30, 2020 1:11 PM
> > > To: '[email protected]' <[email protected]>
> > > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> > >
> > > I don't know what else to really try because as far as Shibboleth is
> > > concerned, it appears to be working. So I went to the
> > > /Shibboleth.sso/Session URL after logging in and the following is
> > > displayed; I replaced some values that should not be public:
> > >
> > > Miscellaneous
> > > Session Expiration (barring inactivity): 478 minute(s)
> > > Client Address: (xx.xx.xx.xxx)
> > > SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
> > > Identity Provider: (idp entity ID)
> > > Authentication Time: 2020-08-30T16:54:23.787Z
> > > Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> > > Authentication Context Decl: (none)
> > >
> > > Attributes
> > > affiliation: [email protected]
> > > eppn: [email protected];[email protected]
> > > upn: [email protected]
> > >
> > > Unless eppn should not have two values, as far as I can tell, the proper
> > > values required by VCL are present. In the VCL database affiliation table,
> > > I have populated an existing VCL Affiliation that is configured to use LDAP
> > > with the domain.com value under shibname. I also tried creating a new
> > > affiliation setting shibonly to 1
> > >
> > > I still get the same behavior where, after selecting the Shibboleth
> > > authentication method and signing in at my idp, it gets redirected back to
> > > the /vcl directory to choose an authentication method.
> > >
> > > -----Original Message-----
> > > From: MARTINEZ, ARIEL
> > > Sent: Thursday, August 27, 2020 3:00 PM
> > > To: '[email protected]' <[email protected]>
> > > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> > >
> > > After login nothing is happening still. So I moved the test.php file from
> > > the old Shibboleth instructions to my main VCL directory and set the
> > > conf.php file to redirect to this file after login and the attributes are
> > > all undefined.
> > >
> > > Is this sufficient to say with a high level of certainty that my IDP is not
> > > sending VCL what it is expecting? Or is the test.php not meant to work that
> > > way?
> > >
> > > Thanks
> > >
> > > -----Original Message-----
> > > From: MARTINEZ, ARIEL
> > > Sent: Wednesday, August 26, 2020 11:14 AM
> > > To: [email protected]
> > > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> > >
> > > Hi Josh,
> > >
> > > Last question before I try again, there is no shibboleth affiliation in my
> > > VCL database. So should I be creating a new affiliation for shibboleth and
> > > populating the shibname field, or should I use the existing LDAP configured
> > > affiliation and populate its shibname field?
> > >
> > > Thanks
> > >
> > > -----Original Message-----
> > > From: Josh Thompson <[email protected]>
> > > Sent: Wednesday, August 26, 2020 11:04 AM
> > > To: [email protected]
> > > Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
> >
> > --
> > -------------------------------
> > Josh Thompson
> > VCL Developer
> > North Carolina State University
> >
> > my GPG/PGP key can be found on pool.sks-keyservers.net
> >
> > All electronic mail messages in connection with State business which
> > are sent to or received by this account are subject to the NC Public
> > Records Law and may be disclosed to third parties.
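The thread turns on three things the SP hands to PHP: whether SHIB_EPPN is present at all (the testShibAuth check), whether SHIB_AFFILIATION is present (the "Undefined index" notice, after which the code went on to run `SELECT ts FROM shibauth WHERE id = ` with an empty id), and an eppn that arrived with two values joined by `;`. The following is an added example, not VCL's shibauth.php and not code from anyone in the thread. It assumes the attribute-map.xml ids discussed above (SHIB_EPPN, SHIB_AFFILIATION) and that the SP exports attributes as environment variables (the default, ShibUseHeaders off), so the values in $_SERVER come from shibd rather than from request headers a client could supply. The sample inputs and the example.edu addresses are constructed.

```php
<?php
// Added example: a defensive reader for the Shibboleth attributes that the SP
// exports into $_SERVER. Not VCL's own code. Assumes attribute-map.xml ids
// SHIB_EPPN and SHIB_AFFILIATION, and attributes exported as environment
// variables (ShibUseHeaders off) so they originate from shibd, not the client.
declare(strict_types=1);

// The SP joins multi-valued attributes with ';' (the Session page in the
// thread showed a two-valued eppn). Returns a clean list, possibly empty,
// using isset() so a missing index is an answer rather than a PHP notice.
function shibValues(array $server, string $name): array
{
    if (!isset($server[$name]) || $server[$name] === '') {
        return [];
    }
    $parts = array_map('trim', explode(';', (string) $server[$name]));
    return array_values(array_filter($parts, 'strlen'));
}

// The same decision testShibAuth makes: only attempt Shibboleth login when
// the SP actually delivered an eppn.
function hasShibSession(array $server): bool
{
    return shibValues($server, 'SHIB_EPPN') !== [];
}

// Resolve what a Shibboleth login needs: the user part, the scope (domain)
// used to look up the affiliation row, and the affiliation value. Returns
// null on anything missing or ambiguous, so a caller never continues with an
// empty user id the way the "SELECT ts FROM shibauth WHERE id = " error did.
function shibIdentity(array $server): ?array
{
    $eppns = shibValues($server, 'SHIB_EPPN');
    if (count($eppns) !== 1) {
        return null; // zero: no session; two or more: refuse to guess which user
    }
    if (!preg_match('/^([^@\s]+)@([A-Za-z0-9.-]+)$/', $eppns[0], $m)) {
        return null; // eppn must be scoped (user@domain)
    }
    $affiliations = shibValues($server, 'SHIB_AFFILIATION');
    if ($affiliations === []) {
        return null; // the "Undefined index: SHIB_AFFILIATION" case, handled explicitly
    }
    return [
        'user'        => $m[1],
        'domain'      => strtolower($m[2]),
        'affiliation' => $affiliations[0],
    ];
}

// Constructed sample inputs (not captured from a real server):
$cases = [
    'complete'        => ['SHIB_EPPN' => 'jdoe@example.edu',
                          'SHIB_AFFILIATION' => 'member@example.edu'],
    'no eppn'         => ['HTTP_COOKIE' => '_shibsession_example=opaque'],
    'no affiliation'  => ['SHIB_EPPN' => 'jdoe@example.edu'],
    'two-valued eppn' => ['SHIB_EPPN' => 'jdoe@example.edu;jdoe@sub.example.edu',
                          'SHIB_AFFILIATION' => 'member@example.edu'],
];
foreach ($cases as $label => $server) {
    printf("%-16s session=%s identity=%s\n",
        $label,
        hasShibSession($server) ? 'yes' : 'no',
        json_encode(shibIdentity($server)));
}
```

Only the "complete" case yields an identity; "no eppn" reports no session (the login screen is the right outcome), and "no affiliation" and "two-valued eppn" report a session but refuse to resolve an identity, which is the point at which an operator would check the attribute map and the IdP's attribute release rather than let the request fall through to the database with an empty id. Refusing a two-valued eppn is a design choice: picking the first value silently would bind a login to whichever scope the IdP happened to list first.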
