Shibboleth Authentication in VCL
Hello, We are trying to configure Shibboleth for VCL. We have gotten to the point where a user is able to log in successfully, so the $_SERVER values are ok, but it does not add the new user into the database. Doing a search for that username shows nothing, even though we were able to login successfully. Consequently, the logged in user has no privileges, and cannot make reservations. Any ideas on what we may be missing ? Thanks, Al Quiros Florida International University
Re: Shibboleth Authentication in VCL
On 2/23/12 3:08 PM, Josh Thompson josh_thomp...@ncsu.edu wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Al, Are you using Shibboleth by itself or in conjunction with LDAP? If not with LDAP, do you have affiliation.shibonly set to 1 for any affiliations logging in with Shibboleth? Josh On Thursday 23 February 2012 7:06:40 PM Evelio Quiros wrote: Hello, We are trying to configure Shibboleth for VCL. We have gotten to the point where a user is able to log in successfully, so the $_SERVER values are ok, but it does not add the new user into the database. Doing a search for that username shows nothing, even though we were able to login successfully. Consequently, the logged in user has no privileges, and cannot make reservations. Any ideas on what we may be missing ? Thanks, Al Quiros Florida International University - -- - --- Josh Thompson VCL Developer North Carolina State University my GPG/PGP key can be found at pgp.mit.edu All electronic mail messages in connection with State business which are sent to or received by this account are subject to the NC Public Records Law and may be disclosed to third parties. -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.17 (GNU/Linux) iEYEARECAAYFAk9GnL0ACgkQV/LQcNdtPQNvqACfeE54okUDqMmymEFZoA99MyS2 MfoAnjmhgE6Q3ZYUi9OVZZat1/U/8gmd =O91X -END PGP SIGNATURE-
Re: Shibboleth Authentication in VCL
Ok, we see two affiliations in the database, Local Global. Both were set to 0. We are using Shibboleth without LDAP, since Shib uses LDAP in it's back end authentication. We set the Global shibonly field to 1 and tried it. It still behaves the same, no new users are entered in the database. Thanks, Al Quiros Florida International University On 2/23/12 3:08 PM, Josh Thompson josh_thomp...@ncsu.edu wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Al, Are you using Shibboleth by itself or in conjunction with LDAP? If not with LDAP, do you have affiliation.shibonly set to 1 for any affiliations logging in with Shibboleth? Josh On Thursday 23 February 2012 7:06:40 PM Evelio Quiros wrote: Hello, We are trying to configure Shibboleth for VCL. We have gotten to the point where a user is able to log in successfully, so the $_SERVER values are ok, but it does not add the new user into the database. Doing a search for that username shows nothing, even though we were able to login successfully. Consequently, the logged in user has no privileges, and cannot make reservations. Any ideas on what we may be missing ? Thanks, Al Quiros Florida International University - -- - --- Josh Thompson VCL Developer North Carolina State University my GPG/PGP key can be found at pgp.mit.edu All electronic mail messages in connection with State business which are sent to or received by this account are subject to the NC Public Records Law and may be disclosed to third parties. -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.17 (GNU/Linux) iEYEARECAAYFAk9GnL0ACgkQV/LQcNdtPQNvqACfeE54okUDqMmymEFZoA99MyS2 MfoAnjmhgE6Q3ZYUi9OVZZat1/U/8gmd =O91X -END PGP SIGNATURE-
Re: Shibboleth Authentication in VCL
Al, There are a variety of things to check. First, in .ht-inc/conf.php, make sure that you have an affiliation configured under $authMechs This might look something like this: $authMechs = array( Institution Name = array(type = redirect, affiliationid = 0, URL = /Shibboleth.sso/Login?target=%2Fshibauth ) ); Depending on how your SP is set up, you may or may not need additional information in the URL section of the configuration. For instance, you may want to extend the URI to include an entityID parameter that points to your IdP. Next, you will need to verify that the /shibauth directory is configured to perform Shibboleth authentication. In the /shibauth/index.php file you may want to add something like this (at the top of the file) for verification: foreach( array( eppn, sn, givenName, displayName) as $attr){ error_log(DEBUG $attr: . $_SERVER[$attr]); } Next, the users are added to the database with the updateShibUser function (called in the /shibauth/index.php file). You should check that this method is really being called. Finally, users are added to groups with the updateShibGroups function. By default, users are added to groups based on the value of $_SERVER['affiliation']. These groups tend to be prefixed with shib- and don't appear in the web UI. If you take a look at the .ht-inc/authmethods/shibauth.php file, you will see sample code in the updateShibGroups that has been commented out. If you wish to add everyone to an all users group, I would recommend using some similar code. You will just need to make sure that the group name you specify there is configured in the Privilege tree to have access to a certain image group. Aaron -- Aaron Coburn Systems Administrator and Programmer Academic Technology Services, Amherst College (413) 542-5451 acob...@amherst.edu On Feb 23, 2012, at 3:56 PM, Evelio Quiros wrote: Ok, we see two affiliations in the database, Local Global. Both were set to 0. We are using Shibboleth without LDAP, since Shib uses LDAP in it's back end authentication. We set the Global shibonly field to 1 and tried it. It still behaves the same, no new users are entered in the database. Thanks, Al Quiros Florida International University On 2/23/12 3:08 PM, Josh Thompson josh_thomp...@ncsu.edu wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Al, Are you using Shibboleth by itself or in conjunction with LDAP? If not with LDAP, do you have affiliation.shibonly set to 1 for any affiliations logging in with Shibboleth? Josh On Thursday 23 February 2012 7:06:40 PM Evelio Quiros wrote: Hello, We are trying to configure Shibboleth for VCL. We have gotten to the point where a user is able to log in successfully, so the $_SERVER values are ok, but it does not add the new user into the database. Doing a search for that username shows nothing, even though we were able to login successfully. Consequently, the logged in user has no privileges, and cannot make reservations. Any ideas on what we may be missing ? Thanks, Al Quiros Florida International University - -- - --- Josh Thompson VCL Developer North Carolina State University my GPG/PGP key can be found at pgp.mit.edu All electronic mail messages in connection with State business which are sent to or received by this account are subject to the NC Public Records Law and may be disclosed to third parties. -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.17 (GNU/Linux) iEYEARECAAYFAk9GnL0ACgkQV/LQcNdtPQNvqACfeE54okUDqMmymEFZoA99MyS2 MfoAnjmhgE6Q3ZYUi9OVZZat1/U/8gmd =O91X -END PGP SIGNATURE-