Hi Josh,

I added the line but could not find where php would be logging the errors. It 
wasn't inside of /var/log/httpd and I didn't find anything php specific 
outside. In a default installation, where would this be logged to?

I checked Shib_Session_ID after the error and it is populated.

Thanks

-----Original Message-----
From: Josh Thompson <[email protected]> 
Sent: Tuesday, September 29, 2020 4:28 PM
To: [email protected]
Cc: MARTINEZ, ARIEL <[email protected]>
Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication
Importance: Low


Hi Ariel,

The fact that you can go through the authentication and get back to VCL logged 
in means the Shibboleth authentication part is at least mostly working.

Can you log out of VCL and then ensure the VCLAUTH cookie has been deleted?  
Then, in authentication.php, after line 94 which should be:

   # $loginid|$remoteIP|$ts|$authtype|$shibauthid (shibauthd optional)

add

error_log("tmp: >{$tmp}<");

Next, log in and click on somewhere that is giving an error.  Finally, check 
your php error log to see what the value of $tmp was.  The >< characters are 
just to provide some visual delimiters in the log file so you know if any 
whitespace was included at the beginning or end.  $tmp should be the values 
associated with the variables listed from line 94 listed above.  It sounds like 
there's a problem with $shibauthid.

$shibauthid is related to a record inserted into the database that also 
includes a value from $_SERVER['Shib-Session-ID'].  Can you tell if Shib- 
Session-ID is available in $_SERVER?

Josh

On Friday, September 25, 2020 12:39:03 PM EDT MARTINEZ, ARIEL wrote:
> I think I confused SHIB_AFFILIATION with AD groups. But I have now 
> confirmed that the SHIB_AFFILIATION is being populated from my idp. I 
> logged in locally to VCL and I saw it created an allusers group and a 
> shib-member group, and the account I used to log in is a member of it. 
> I gave it the same permissions as my AD group from the LDAP 
> configuration and proceeded to test again. But I am still getting an error 
> page after I log in.
> 
> 
> This time the httpd ssl_error_log logged the following, and no longer 
> refers to shib affiliation:
> 
> 
> [Fri Sep 25 12:32:23.943499 2020] [:error] [pid 8232] [client 
> 10.32.14.218:52076] PHP Notice:  Undefined offset: 5 in 
> /var/www/html/vcl-2.5.1/.ht-inc/authentication.php on line 110, referer:
> https://vcl.hostos.cuny.edu/vcl/ [Fri Sep 25 12:32:23.944325 2020] 
> [:error] [pid 8232] [client 10.32.14.218:52076] You have an error in 
> your SQL syntax; check the manual that corresponds to your MariaDB 
> server version for the right syntax to use near '' at line 1\nSELECT 
> ts FROM shibauth WHERE id = \nERROR(101): General MySQL error\nMode 
> was
> viewRequests\n\n\nBacktrace:\n=-=-=-=-=-=-=-=-=-=-=-=\nCall#:1 =>
> index.php:initGlobals() (line#:60)\nCall#:2 => 
> utils.php:readAuthCookie()
> (line#:172)\nCall#:3 => authentication.php:doQuery() 
> (line#:114)\n\nBacktrace with 
> Arguments:\n=-=-=-=-=-=-=-=-=-=-=-=\nCall#:1
> => index.php:initGlobals()
> (line#:60)\nArguments(none):\n-----------------------\nCall#:2 =>
> utils.php:readAuthCookie()
> (line#:172)\nArguments(none):\n-----------------------\nCall#:3 =>
> authentication.php:doQuery() (line#:114)\nArguments(2)\n\nArgument#: 1 
> => SELECT ts FROM shibauth WHERE id = \nArgument#: 2 => 
> 101\n-----------------------\n, referer: 
> https://vcl.hostos.cuny.edu/vcl/ [Fri Sep 25 12:32:24.012667 2020] 
> [:error] [pid 8232] [client 10.32.14.218:52076] PHP Fatal error:  Call 
> to undefined function
> getFooter() in /var/www/html/vcl-2.5.1/.ht-inc/utils.php on line 
> 14234,
> referer: https://vcl.hostos.cuny.edu/vcl/
> 
> ________________________________
> From: MARTINEZ, ARIEL
> Sent: Thursday, September 24, 2020 3:29 PM
> To: [email protected]
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO 
> Authentication
> 
> Hi Mike,
> 
> Just to understand better, I intend to use Active Directory groups to 
> handle permissions in VCL. I already have some defined in a VCL 
> affiliation that is configured for LDAP.  How would I go about 
> configuring the same via the Shibboleth login? Would I need to add 
> SHIB_AFFILIATION values into the VCL configuration?
> 
> I was trying to just use the ldap memberof attribute and transform the 
> claim in my idp to SHIB_AFFILIATION, but I’m not sure if that is what 
> VCL requires or is expecting, as each of our users would have multiple values.
> 
> Thanks
> 
> From: Mike Jennings <[email protected]>
> Sent: Thursday, September 24, 2020 2:53 PM
> To: [email protected]
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO 
> Authentication
> Importance: Low
> 
> You will need to go into your attribute map and change affiliation to 
> shib_affiliation like you did for shib_eppn.  This should make the 
> attributes map correctly.
> 
> Mike
> 
> On Thu, Sep 24, 2020 at 1:28 PM MARTINEZ, ARIEL 
> <[email protected]<mailto:[email protected]>> wrote: I 
> have more troubleshooting information that may help. In shib.conf, I 
> created a location block as follows:
> 
> 
> <Location /vcl>
>   AuthType shibboleth
>   ShibRequestSetting requireSession false
>   require shibboleth
> </Location>
> 
> 
> Doing so allows me to log into VCL, but when I click on any of the 
> menu items I get a VCL error page: " An error has occured. If this 
> problem persists, please email [email protected]
> for further assistance. Please include the steps you took that led up 
> to this problem in your email message."
> 
> 
> 
> In the ssl_error_log inside of /var/log/httpd I see the following, 
> of which the first error is "undefined index: SHIB_AFFILIATION". I 
> checked the affiliation database and it did create an entry on its own.
> 
> 
> 
> 
> [Thu Sep 24 13:21:01.827984 2020] [:error] [pid 15823] [client 
> 10.32.14.218:56400] PHP Notice:  Undefined
> index: SHIB_AFFILIATION in
> /var/www/html/vcl-2.5.1/.ht-inc/authmethods/shibauth.php on line 180,
> referer: https://login.hostos.cuny.edu/ [Thu Sep 24 13:21:15.542646 
> 2020] [:error] [pid 15820] [client 
> 10.32.14.218:56406]
> PHP Notice:  Undefined offset: 5 in
> /var/www/html/vcl-2.5.1/.ht-inc/authentication.php on line 110, referer:
> https://vcl.hostos.cuny.edu/vcl/ [Thu Sep 24 13:21:15.543446 2020] 
> [:error] [pid 15820] [client 
> 10.32.14.218:56406] You have an error in 
> your SQL syntax; check the manual that corresponds to your MariaDB 
> server version for the right syntax to use near '' at line 1\nSELECT 
> ts FROM shibauth WHERE id = \nERROR(101): General MySQL error\nMode 
> was
> viewRequests\n\n\nBacktrace:\n=-=-=-=-=-=-=-=-=-=-=-=\nCall#:1 =>
> index.php:initGlobals() (line#:60)\nCall#:2 => 
> utils.php:readAuthCookie()
> (line#:172)\nCall#:3 => authentication.php:doQuery() 
> (line#:114)\n\nBacktrace with 
> Arguments:\n=-=-=-=-=-=-=-=-=-=-=-=\nCall#:1
> => index.php:initGlobals()
> (line#:60)\nArguments(none):\n-----------------------\nCall#:2 =>
> utils.php:readAuthCookie()
> (line#:172)\nArguments(none):\n-----------------------\nCall#:3 =>
> authentication.php:doQuery() (line#:114)\nArguments(2)\n\nArgument#: 1 
> => SELECT ts FROM shibauth WHERE id = \nArgument#: 2 => 
> 101\n-----------------------\n, referer: 
> https://vcl.hostos.cuny.edu/vcl/ [Thu Sep 24 13:21:15.610025 2020] 
> [:error] [pid 15820] [client 
> 10.32.14.218:56406] PHP Fatal error:  Call 
> to undefined function getFooter() in 
> /var/www/html/vcl-2.5.1/.ht-inc/utils.php
> on line 14234, referer: https://vcl.hostos.cuny.edu/vcl/
> 
> 
> ________________________________
> From: MARTINEZ, ARIEL
> Sent: Thursday, September 24, 2020 11:36 AM
> To: [email protected]
> Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO 
> Authentication
> 
> I finally got Shibboleth to work properly on the default /secure 
> directory, and the Shibboleth attributes in $_SERVER are now present, 
> including SHIB_EPPN. However, after authenticating, I am still getting 
> back to the VCL login page.
> 
> I double checked the httpd.conf and shib.conf for any other blocks 
> that may be enforcing Shibboleth and the only one is in .htaccess in 
> the /vcl directory with the following lines:
> 
> AuthType shibboleth
> ShibRequireSession Off
> require shibboleth
> 
> In the affiliation database I set the shibname back to null on an 
> existing affiliation, so everything is back to default settings per se.
> 
> 
> Should I retry the shibboleth instructions using the /shibauth 
> directory or do you think I should try something else?
> 
> Thanks
> 
> 
> 
> 
> From: Mike Jennings <[email protected]>
> Sent: Monday, September 14, 2020 6:21 PM
> To: [email protected]
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO 
> Authentication
> Importance: Low
> 
> 
> You might want to look at this documentation
> 
> Mike
> 
> https://wiki.shibboleth.net/confluence/display/SP3/ADFS
> 
> 
> 
> On Mon, Sep 14, 2020 at 6:17 PM MARTINEZ, ARIEL <[email protected]> wrote: 
> The idp is ADFS. I don't see a RequestMap block in shibboleth2.xml so 
> I attached a copy replacing values with MYDOMAIN
> 
> 
> 
> 
> 
> Thanks
> 
> 
> 
> ________________________________
> 
> From: Mike Jennings <[email protected]>
> 
> Sent: Monday, September 14, 2020 5:59 PM
> 
> To: [email protected]
> 
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO 
> Authentication
> 
> 
> 
> Can you tell me what your RequestMap section looks like in your 
> shibboleth2.xml file?
> 
> 
> 
> On Mon, Sep 14, 2020 at 5:57 PM Mike Jennings <[email protected]> wrote:
> 
> Nope you should not....
> 
> 
> 
> Are you running a shibboleth idp or an adfs?
> 
> 
> 
> Mike
> 
> 
> 
> On Mon, Sep 14, 2020 at 5:18 PM MARTINEZ, ARIEL <[email protected]> wrote:
> 
> Tried that, but same result.
> 
> 
> 
> In Shibboleth2.xml file, should REMOTE_USER = “eduPersonPrincipalName” 
> be changed to SHIB_EPPN as well?
> 
> 
> 
> Thanks
> 
> 
> 
> From: Mike Jennings <[email protected]>
> 
> Sent: Monday, September 14, 2020 5:14 PM
> 
> To: [email protected]
> 
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO 
> Authentication
> 
> Importance: Low
> 
> 
> 
> try setting ShibRequireSession On
> 
> 
> 
> Mike
> 
> 
> 
> On Mon, Sep 14, 2020 at 5:07 PM MARTINEZ, ARIEL <[email protected]> wrote:
> 
> I made the change but it still doesn’t show up in $_SERVER.
> Shibboleth.sso/Session now shows SHIB_EPPN for the attribute name 
> after updating the attribute map xml
> 
> 
> 
> Thanks
> 
> 
> 
> 
> 
> From: Mike Jennings <[email protected]>
> 
> Sent: Monday, September 14, 2020 5:02 PM
> 
> To: [email protected]
> 
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO 
> Authentication
> 
> Importance: Low
> 
> 
> 
> Yes, after checking the attribute-map.xml file that you sent me, 
> change the eppn lines to SHIB_EPPN and then reboot the shibd process....
> 
> 
> 
> This should pick up the changes in the attribute map and make things work.
> 
> 
> 
> Mike
> 
> 
> 
> On Mon, Sep 14, 2020 at 5:00 PM MARTINEZ, ARIEL <[email protected]> wrote:
> 
> Yes, I looked through the shibd.log initially and it looked normal no 
> errors that would give a clue to what is happening. I have a test.php 
> file in the vcl directory and it prints out many variables except for 
> anything related to Shibboleth. I've attached the attribute-map.xml file.
> 
> 
> 
> 
> 
> Thanks
> 
> 
> 
> ________________________________
> 
> From: Mike Jennings <[email protected]>
> 
> Sent: Monday, September 14, 2020 4:46 PM
> 
> To: [email protected]
> 
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO 
> Authentication
> 
> 
> 
> Have you looked for any errors in the shibd.log or the 
> transaction.logs of the shibboleth service provider?
> 
> 
> 
> Also have you tried to add a php file to dump the data in the vcl 
> directory that contains
> 
> 
> 
> <?php print_r($_SERVER) ?>
> 
> 
> 
> and what does that print out?
> 
> 
> 
> Also can you send me a copy of your attribute-map.xml file
> 
> 
> 
> Mike
> 
> 
> 
> On Mon, Sep 14, 2020 at 4:35 PM MARTINEZ, ARIEL <[email protected]> wrote:
> 
> Hi Mike,
> 
> 
> 
> Both Shibboleth.sso/Status and Shibboleth.sso/Session indicate that 
> the Shibboleth SP appears to be running correctly. I can see eppn, 
> mail and displayname (haven’t included affiliation) in the session 
> after authenticating.
> 
> 
> 
> I just can’t figure out why the $_SERVER variable does not have any 
> Shibboleth data even though the session is established. Because of 
> this, the authentication in VCL is not working.
> 
> 
> 
> I have a .htaccess file in /var/www/html/vcl directory with the following:
> 
> 
> 
> Authtype shibboleth
> 
> ShibRequireSession off
> 
> Require shibboleth
> 
> 
> 
> So when I select the configured  SSO option in the VCL login, I get 
> redirected to my identity provider and it gets redirected back to the 
> /vcl webpage but it doesn’t log in.
> 
> 
> 
> Thanks
> 
> 
> 
> 
> 
> From: Mike Jennings <[email protected]>
> 
> Sent: Monday, September 14, 2020 11:17 AM
> 
> To: [email protected]
> 
> Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO 
> Authentication
> 
> Importance: Low
> 
> 
> 
> Martinez,
> 
> 
> 
> Sorry I am a little late to the game here.
> 
> 
> 
> It has been a long time since I have worked with a Shibboleth SP.
> 
> 
> 
> I am currently assuming that you have setup the Shibboleth SP on a 
> Apache HTTPS server.
> 
> 
> 
> I am assuming that you can do the initial test correctly
> 
> 
> 
> 
> 
> You can test to ensure that the SP is running properly and the 
> surrounding environment is correct by accessing 
> https://localhost/Shibboleth.sso/Status
> from the actual web server machine. You MUST use "localhost" as the 
> hostname or it WILL NOT WORK by default. If this test is successful, 
> then the software is ready for further configuration.
> 
> 
> 
> You can also access the Status handler from other clients or using a 
> non-localhost name, but only if you change the acl parameter in the 
> configuration to permit your client address or remove it entirely to 
> open up access to anybody. The ACL is present by default because the 
> Status handler can return some arguably sensitive information about 
> your configuration.
> 
> 
> 
> 
> 
> You have the attribute-map.xml configured correctly.  You might need 
> to contact the Shibboleth IdP Administrator to verify he is releasing 
> attributes to your sp and what values need to be modified in that file.
> 
> 
> 
> Thanks,
> 
> 
> 
> Mike Jennings
> 
> 
> 
> On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL <[email protected]> wrote:
> 
> Hi Josh,
> 
> 
> 
> Thanks for this info. The problem is that there is no 'SHIB_EPPN' in 
> the $_SERVER array. There is no other Shibboleth related entry other 
> than the shib session string HTTP_COOKIE.
> 
> 
> 
> Not sure how to correct this. How can the required entry be made to be 
> included in the array?
> 
> 
> 
> Thanks
> 
> 
> 
> On Sep 11, 2020 5:39 PM, Josh Thompson <[email protected]> wrote:

--
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found on pool.sks-keyservers.net

All electronic mail messages in connection with State business which are sent 
to or received by this account are subject to the NC Public Records Law and may 
be disclosed to third parties.
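Josh's debugging step above keys on the field layout of $tmp (loginid|remoteIP|ts|authtype|shibauthid) and on a shibauthid that ends up empty in the `SELECT ts FROM shibauth WHERE id =` query from the logs. The following is an added example, not VCL's own code: it parses a payload in that layout defensively so the short-cookie and empty-id cases are rejected before any query is built. The authtype label "shibboleth", the rule that a Shibboleth cookie must carry an id, and the parameterised query shape are assumptions for illustration.

```python
"""Defensive parser for the '|'-delimited VCLAUTH cookie payload described in the
thread (loginid|remoteIP|ts|authtype|shibauthid, shibauthid optional). Authtype
labels, the shib-needs-id rule and the query shape are assumptions, not VCL code."""
from typing import NamedTuple, Optional, Tuple

SHIB_AUTHTYPE = "shibboleth"  # assumed label for the shibauth method


class BadCookie(ValueError):
    """Raised instead of letting a short or malformed payload reach the database."""


class AuthCookie(NamedTuple):
    loginid: str
    remote_ip: str
    ts: int
    authtype: str
    shibauthid: Optional[int]  # None when the cookie carries no Shibboleth id


def show(value: str) -> str:
    """Same trick as error_log("tmp: >{$tmp}<"): delimiters expose stray whitespace."""
    return f">{value}<"


def parse_auth_cookie(tmp: str) -> AuthCookie:
    fields = tmp.split("|")
    if len(fields) not in (4, 5):  # the thread's 'Undefined offset': too few fields
        raise BadCookie(f"expected 4 or 5 fields, got {len(fields)}: {show(tmp)}")
    loginid, remote_ip, ts, authtype = fields[:4]
    if not loginid or loginid != loginid.strip():
        raise BadCookie(f"bad loginid {show(loginid)}")
    if not ts.isdigit():
        raise BadCookie(f"bad ts {show(ts)}")
    shibauthid = None
    if len(fields) == 5:
        if not fields[4].isdigit():  # '' fails too, so no 'WHERE id = ' query
            raise BadCookie(f"bad shibauthid {show(fields[4])}")
        shibauthid = int(fields[4])
    if authtype == SHIB_AUTHTYPE and shibauthid is None:
        raise BadCookie("shibboleth cookie without shibauthid")
    return AuthCookie(loginid, remote_ip, int(ts), authtype, shibauthid)


def shibauth_lookup(cookie: AuthCookie) -> Optional[Tuple[str, tuple]]:
    """Parameterised shibauth lookup (%s placeholder as in PyMySQL/MySQLdb),
    or None when the session is not a Shibboleth one."""
    if cookie.shibauthid is None:
        return None
    return ("SELECT ts FROM shibauth WHERE id = %s", (cookie.shibauthid,))


def validate(tmp: str) -> str:
    """'ok' or the rejection reason, suitable for the error_log() check in the thread."""
    try:
        parse_auth_cookie(tmp)
        return "ok"
    except BadCookie as exc:
        return str(exc)


if __name__ == "__main__":  # constructed samples: a healthy cookie, then the thread's failure
    for s in ("ariel|10.32.14.218|1601051543|shibboleth|42", "ariel|10.32.14.218|1601051543|shibboleth"):
        print(show(s), "->", validate(s))
```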