Hi Mike,

Just to understand better, I intend to use Active Directory groups to handle permissions in VCL. I already have some defined in a VCL affiliation that is configured for LDAP. How would I go about configuring the same via the Shibboleth login? Would I need to add SHIB_AFFILIATION values into the VCL configuration?

I was trying to just use the ldap memberof attribute and transform the claim in my idp to SHIB_AFFILIATION, but I'm not sure if that is what VCL requires or is expecting, as each of our users would have multiple values.

Thanks

From: Mike Jennings <[email protected]>
Sent: Thursday, September 24, 2020 2:53 PM
To: [email protected]
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low

You will need to go into your attribute map and change affiliation to shib_affiliation like you did for shib_eppn. This should make the attributes map correctly.

Mike

On Thu, Sep 24, 2020 at 1:28 PM MARTINEZ, ARIEL <[email protected]> wrote:

I have more troubleshooting information that may help. In shib.conf, I created a location block as follows:

<Location /vcl>
AuthType shibboleth
ShibRequestSetting requireSession false
require shibboleth
</Location>

Doing so allows me to log into VCL, but when I click on any of the menu items I get a VCL error page: "An error has occured. If this problem persists, please email [email protected] for further assistance. Please include the steps you took that led up to this problem in your email message."

In the ssl_error_log inside of /var/log/httpd I see the following, of which the first error is "undefined index: SHIB_AFFILIATION". I checked the affiliation database and it did create an entry on its own.

[Thu Sep 24 13:21:01.827984 2020] [:error] [pid 15823] [client 10.32.14.218:56400] PHP Notice: Undefined index: SHIB_AFFILIATION in /var/www/html/vcl-2.5.1/.ht-inc/authmethods/shibauth.php on line 180, referer: https://login.hostos.cuny.edu/
[Thu Sep 24 13:21:15.542646 2020] [:error] [pid 15820] [client 10.32.14.218:56406] PHP Notice: Undefined offset: 5 in /var/www/html/vcl-2.5.1/.ht-inc/authentication.php on line 110, referer: https://vcl.hostos.cuny.edu/vcl/
[Thu Sep 24 13:21:15.543446 2020] [:error] [pid 15820] [client 10.32.14.218:56406] You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1\nSELECT ts FROM shibauth WHERE id = \nERROR(101): General MySQL error\nMode was viewRequests\n\n\nBacktrace:\n=-=-=-=-=-=-=-=-=-=-=-=\nCall#:1 => index.php:initGlobals() (line#:60)\nCall#:2 => utils.php:readAuthCookie() (line#:172)\nCall#:3 => authentication.php:doQuery() (line#:114)\n\nBacktrace with Arguments:\n=-=-=-=-=-=-=-=-=-=-=-=\nCall#:1 => index.php:initGlobals() (line#:60)\nArguments(none):\n-----------------------\nCall#:2 => utils.php:readAuthCookie() (line#:172)\nArguments(none):\n-----------------------\nCall#:3 => authentication.php:doQuery() (line#:114)\nArguments(2)\n\nArgument#: 1 => SELECT ts FROM shibauth WHERE id = \nArgument#: 2 => 101\n-----------------------\n, referer: https://vcl.hostos.cuny.edu/vcl/
[Thu Sep 24 13:21:15.610025 2020] [:error] [pid 15820] [client 10.32.14.218:56406] PHP Fatal error: Call to undefined function getFooter() in /var/www/html/vcl-2.5.1/.ht-inc/utils.php on line 14234, referer: https://vcl.hostos.cuny.edu/vcl/

________________________________
From: MARTINEZ, ARIEL
Sent: Thursday, September 24, 2020 11:36 AM
To: [email protected]
Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

I finally got Shibboleth to work properly on the default /secure directory, and the Shibboleth attributes in $_SERVER are now present, including SHIB_EPPN. However, after authenticating, I am still getting back to the VCL login page. I double checked the httpd.conf and shib.conf for any other blocks that may be enforcing Shibboleth and the only one is in .htaccess in the /vcl directory with the following lines:

AuthType shibboleth
ShibRequireSession Off
require shibboleth

In the affiliation database I set the shibname back to null on an existing affiliation, so everything is back to default settings per se. Should I retry the shibboleth instructions using the /shibauth directory or do you think I should try something else?

Thanks

From: Mike Jennings <[email protected]>
Sent: Monday, September 14, 2020 6:21 PM
To: [email protected]
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low

You might want to look at this documentation: https://wiki.shibboleth.net/confluence/display/SP3/ADFS

Mike

On Mon, Sep 14, 2020 at 6:17 PM MARTINEZ, ARIEL <[email protected]> wrote:

The idp is ADFS. I don't see a RequestMap block in shibboleth2.xml so I attached a copy replacing values with MYDOMAIN

Thanks

________________________________
From: Mike Jennings <[email protected]>
Sent: Monday, September 14, 2020 5:59 PM
To: [email protected]
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Can you tell me what your RequestMap section looks like in your shibboleth2.xml file

On Mon, Sep 14, 2020 at 5:57 PM Mike Jennings <[email protected]> wrote:

Nope you should not.... Are you running a shibboleth idp or an ADFS

Mike

On Mon, Sep 14, 2020 at 5:18 PM MARTINEZ, ARIEL <[email protected]> wrote:

Tried that, but same result. In Shibboleth2.xml file, should REMOTE_USER = "eduPersonPrincipalName" be changed to SHIB_EPPN as well?

Thanks

From: Mike Jennings <[email protected]>
Sent: Monday, September 14, 2020 5:14 PM
To: [email protected]
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low

try setting ShibRequireSession On

Mike

On Mon, Sep 14, 2020 at 5:07 PM MARTINEZ, ARIEL <[email protected]> wrote:

I made the change but it still doesn't show up in $_SERVER. Shibboleth.sso/Session now shows SHIB_EPPN for the attribute name after updating the attribute map xml

Thanks

From: Mike Jennings <[email protected]>
Sent: Monday, September 14, 2020 5:02 PM
To: [email protected]
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low

Yes, after checking the attribute-map.xml file that you sent me, change the eppn lines to SHIB_EPPN and then reboot the shibd process.... This should pick up the changes in the attribute map and make things work.

Mike

On Mon, Sep 14, 2020 at 5:00 PM MARTINEZ, ARIEL <[email protected]> wrote:

Yes, I looked through the shibd.log initially and it looked normal, no errors that would give a clue to what is happening. I have a test.php file in the vcl directory and it prints out many variables except for anything related to Shibboleth. I've attached the attribute-map.xml file.

Thanks

________________________________
From: Mike Jennings <[email protected]>
Sent: Monday, September 14, 2020 4:46 PM
To: [email protected]
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

Have you looked for any errors in the shibd.log or the transaction.logs of the shibboleth service provider?

Also have you tried to add a php file to dump the data in the vcl directory that contains <?php print_r($_SERVER) ?> and what does that print out

Also can you send me a copy of your attribute-map.xml file

Mike

On Mon, Sep 14, 2020 at 4:35 PM MARTINEZ, ARIEL <[email protected]> wrote:

Hi Mike,

Both Shibboleth.sso/Status and Shibboleth.sso/Session indicate that the Shibboleth SP appears to be running correctly. I can see eppn, mail and displayname (haven't included affiliation) in the session after authenticating. I just can't figure out why the $_SERVER variable does not have any Shibboleth data even though the session is established. Because of this, the authentication in VCL is not working. I have a .htaccess file in /var/www/html/vcl directory with the following:

Authtype shibboleth
ShibRequireSession off
Require shibboleth

So when I select the configured SSO option in the VCL login, I get redirected to my identity provider and it gets redirected back to the /vcl webpage but it doesn't log in.

Thanks

From: Mike Jennings <[email protected]>
Sent: Monday, September 14, 2020 11:17 AM
To: [email protected]
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low

Martinez,

Sorry I am a little late to the game here. It has been a long time since I have worked with a Shibboleth SP. I am currently assuming that you have set up the Shibboleth SP on an Apache HTTPS server. I am assuming that you can do the initial test correctly.

You can test to ensure that the SP is running properly and the surrounding environment is correct by accessing https://localhost/Shibboleth.sso/Status from the actual web server machine. You MUST use "localhost" as the hostname or it WILL NOT WORK by default. If this test is successful, then the software is ready for further configuration. You can also access the Status handler from other clients or using a non-localhost name, but only if you change the acl parameter in the configuration to permit your client address or remove it entirely to open up access to anybody. The ACL is present by default because the Status handler can return some arguably sensitive information about your configuration.

You have the attribute-map.xml configured correctly. You might need to contact the Shibboleth IdP Administrator to verify he is releasing attributes to your sp and what values need to be modified in that file.

Thanks,
Mike Jennings

On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL <[email protected]> wrote:

Hi Josh,

Thanks for this info. The problem is that there is no 'SHIB_EPPN' in the $_SERVER array. There is no other Shibboleth related entry other than the shib session string HTTP_COOKIE. Not sure how to correct this. How can the required entry be made to be included in the array?

Thanks

On Sep 11, 2020 5:39 PM, Josh Thompson <[email protected]> wrote:

Hi Ariel,

Toward the top of initGlobals in utils.php, there is a small block of code that tests conditions for each authentication method if the user is not logged in, and if that authentication method's test function returns true, it will then call that authentication method's authentication function. It's the "else" block that starts on line 176 of the 2.5.1 release. The shibauth.php module uses testShibAuth as the test function. All it does is to check for $_SERVER['SHIB_EPPN'] being set. If it is not set, it will not attempt to authenticate the user using Shibboleth.

An easy way to test this is to temporarily put a file in the same directory as the main VCL index.php directory that just has this in it:

<?php
print "<pre>\n";
print_r($_SERVER);
print "</pre>\n";
?>

Don't leave the file in there beyond the testing since it can disclose various information about your system. If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found your problem. If your Shibboleth configuration is using something different than 'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php.

The VCL php code doesn't log anywhere other than where php errors would be going. Look into configuring php errors for httpd to get that set up. My experience has been that systems generally don't log php errors anywhere by default.

Josh

On Thursday, September 10, 2020 1:47:09 PM EDT MARTINEZ, ARIEL wrote:
> I have been looking further into the shibauth.php file to see what is supposed to happen when a shibboleth login happens. For starters, it creates an affiliation in the affiliation table if it does not find one from the attributes received from the identity provider. However it doesn't seem to be executing that code. It at the very least should have generated an error message when trying to automatically create an affiliation if it failed.
>
> Is there any way to troubleshoot shibauth.php to see what is happening? Or is this particular function logged somewhere in particular?
>
> Thanks.
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Sunday, August 30, 2020 1:11 PM
> To: '[email protected]' <[email protected]>
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> I don't know what else to really try because as far as Shibboleth is concerned, it appears to be working. So I went to the /Shibboleth.sso/Session URL after logging in and the following is displayed, I replaced some values that should not be public:
>
> Miscellaneous
> Session Expiration (barring inactivity): 478 minute(s)
> Client Address: (xx.xx.xx.xxx)
> SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
> Identity Provider: (idp entity ID)
> Authentication Time: 2020-08-30T16:54:23.787Z
> Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> Authentication Context Decl: (none)
>
> Attributes
> affiliation: [email protected]
> eppn: [email protected];[email protected]
> upn: [email protected]
>
> Unless eppn should not have two values, as far as I can tell, the proper values required by VCL are present. In the VCL database affiliation table, I have populated an existing VCL Affiliation that is configured to use LDAP with the domain.com value under shibname. I also tried creating a new affiliation setting shibonly to 1
>
> I still get the same behavior where, after selecting the Shibboleth authentication method and signing in at my idp, it gets redirected back to the /vcl directory to choose an authentication method.
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Thursday, August 27, 2020 3:00 PM
> To: '[email protected]' <[email protected]>
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> After login nothing is happening still. So I moved the test.php file from the old Shibboleth instructions to my main VCL directory and set the conf.php file to redirect to this file after login and the attributes are all undefined.
>
> Is this sufficient to say with a high level of certainty that my IDP is not sending VCL what it is expecting? Or is the test.php not meant to work that way?
>
> Thanks
>
> -----Original Message-----
> From: MARTINEZ, ARIEL
> Sent: Wednesday, August 26, 2020 11:14 AM
> To: [email protected]
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
>
> Hi Josh,
>
> Last question before I try again, there is no shibboleth affiliation in my VCL database. So should I be creating a new affiliation for shibboleth and populating the shibname field, or should I use the existing LDAP configured affiliation and populate its shibname field?
>
> Thanks
>
> -----Original Message-----
> From: Josh Thompson <[email protected]>
> Sent: Wednesday, August 26, 2020 11:04 AM
> To: [email protected]
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication

-- 
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found on pool.sks-keyservers.net

All electronic mail messages in connection with State business which are sent to or received by this account are subject to the NC Public Records Law and may be disclosed to third parties.
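An added check script for the two points the thread keeps returning to: which attribute-map.xml ids end up as $_SERVER keys (the eppn/affiliation to SHIB_EPPN/SHIB_AFFILIATION rename), and what a multi-valued SHIB_AFFILIATION looks like once exported, reported without dumping the whole environment as the print_r($_SERVER) test file does. It is example code written for this page, not part of Apache VCL or the Shibboleth SP; it assumes VCL reads the keys SHIB_EPPN and SHIB_AFFILIATION as named in the thread, that the SP exports each mapped id under that name and joins multiple values with ';', and the attribute-map.xml and $_SERVER contents are constructed.

```python
"""Check a Shibboleth SP attribute-map.xml against the ids VCL reads from $_SERVER.

Example code written for this thread, not part of Apache VCL or the Shibboleth SP.
Assumptions: VCL's shibauth.php reads the keys SHIB_EPPN and SHIB_AFFILIATION
(the names used in the thread); the SP exports each mapped id under that name
and joins multiple values of one attribute with ';'.
"""
import xml.etree.ElementTree as ET

NS = "{urn:mace:shibboleth:2.0:attribute-map}"
VCL_IDS = ("SHIB_EPPN", "SHIB_AFFILIATION")  # keys VCL looks for (assumed from the thread)

# Constructed attribute-map.xml with the stock ids (eppn, affiliation) the thread starts from.
MAP_BEFORE = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
  </Attribute>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
  </Attribute>
</Attributes>
"""

# The same map after the rename the thread describes: only the exported id
# changes, the SAML attribute name the IdP sends stays as it is.
MAP_AFTER = MAP_BEFORE.replace('id="eppn"', 'id="SHIB_EPPN"').replace(
    'id="affiliation"', 'id="SHIB_AFFILIATION"')

# Constructed stand-in for $_SERVER after a Shibboleth login (no real data).
SAMPLE_SERVER = {
    "REMOTE_ADDR": "10.0.0.5",
    "HTTP_COOKIE": "_shibsession_constructed=constructed",
    "SHIB_EPPN": "user@example.edu",
    "SHIB_AFFILIATION": "staff@example.edu;member@example.edu",
}


def mapped_ids(xml_text):
    """Return {SAML attribute name: exported id} for every <Attribute> in the map."""
    root = ET.fromstring(xml_text)
    return {a.get("name"): a.get("id") for a in root.iter(NS + "Attribute")}


def missing_vcl_ids(xml_text):
    """Ids VCL reads that no <Attribute> element in the map exports."""
    exported = set(mapped_ids(xml_text).values())
    return [i for i in VCL_IDS if i not in exported]


def split_multivalued(raw):
    """Split an SP-exported attribute value into its individual values.

    The SP joins multiple values with ';', so a user with several
    affiliations arrives as one string; an empty value gives [].
    """
    return [v for v in raw.split(";") if v]


def shib_report(server):
    """Summarise only the Shibboleth keys of a $_SERVER-like mapping.

    Narrow replacement for print_r($_SERVER): it never echoes cookies,
    paths or other environment data, just the attributes VCL uses.
    """
    attrs = {k: split_multivalued(v) for k, v in server.items() if k.startswith("SHIB_")}
    return {"attributes": attrs, "missing": [i for i in VCL_IDS if i not in attrs]}


if __name__ == "__main__":
    for label, text in (("before", MAP_BEFORE), ("after", MAP_AFTER)):
        print(label, "map exports", sorted(mapped_ids(text).values()),
              "missing for VCL:", missing_vcl_ids(text))
    print(shib_report(SAMPLE_SERVER))
```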
