Shibboleth Authentication in VCL

2012-02-23 Thread Evelio Quiros
Hello,

We are trying to configure Shibboleth for VCL. We have gotten to the point 
where a user is able to log in successfully, so the $_SERVER values are ok, but 
it does not add the new user into the database. Doing a search for that 
username shows nothing, even though we were able to login successfully. 
Consequently, the logged in user has no privileges, and cannot make 
reservations. Any ideas on what we may be missing ?

Thanks,
Al Quiros
Florida International University



Re: Shibboleth Authentication in VCL

2012-02-23 Thread Evelio Quiros


On 2/23/12 3:08 PM, Josh Thompson josh_thomp...@ncsu.edu wrote:

Al,

Are you using Shibboleth by itself or in conjunction with LDAP?  If not with
LDAP, do you have affiliation.shibonly set to 1 for any affiliations logging
in with Shibboleth?

Josh

--
---
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found at pgp.mit.edu

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.




Re: Shibboleth Authentication in VCL

2012-02-23 Thread Evelio Quiros
Ok, we see two affiliations in the database, Local & Global. Both were set
to 0. We are using Shibboleth without LDAP, since Shib uses LDAP in its
back-end authentication. We set the Global shibonly field to 1 and tried
it. It still behaves the same; no new users are entered in the database.

Thanks,
Al Quiros
Florida International University




Re: Shibboleth Authentication in VCL

2012-02-23 Thread Aaron Coburn
Al,

There are a variety of things to check.

First, in .ht-inc/conf.php, make sure that you have an affiliation configured
under $authMechs.

This might look something like this:

$authMechs = array(
    "Institution Name" => array("type"          => "redirect",
                                "affiliationid" => 0,
                                "URL"           => "/Shibboleth.sso/Login?target=%2Fshibauth")
);

Depending on how your SP is set up, you may or may not need additional 
information in the URL section of the configuration. For instance, you may want 
to extend the URI to include an entityID parameter that points to your IdP.

Next, you will need to verify that the /shibauth directory is configured to 
perform Shibboleth authentication. In the /shibauth/index.php file you may want 
to add something like this (at the top of the file) for verification:

foreach (array('eppn', 'sn', 'givenName', 'displayName') as $attr) {
    // log each attribute the SP exported; mark unset ones instead of raising a notice
    error_log("DEBUG $attr: " . (isset($_SERVER[$attr]) ? $_SERVER[$attr] : '(unset)'));
}

Next, the users are added to the database with the updateShibUser function 
(called in the /shibauth/index.php file). You should check that this method is 
really being called.

Finally, users are added to groups with the updateShibGroups function. By
default, users are added to groups based on the value of
$_SERVER['affiliation']. These groups tend to be prefixed with 'shib-' and
don't appear in the web UI. If you take a look at the
.ht-inc/authmethods/shibauth.php file, you will see sample code in the
updateShibGroups function that has been commented out. If you wish to add
everyone to an 'all users' group, I would recommend using some similar code.
You will just need to make sure that the group name you specify there is
configured in the Privilege tree to have access to a certain image group.

Aaron




--
Aaron Coburn
Systems Administrator and Programmer
Academic Technology Services, Amherst College
(413) 542-5451 acob...@amherst.edu





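As an added illustration of the attribute check Aaron describes (this is example code written for this thread, not VCL's own code and not part of Aaron's message), the PHP below turns his error_log() snippet into a function that reports what the Shibboleth SP actually exported and fails closed when eppn, the attribute VCL keys accounts on, is absent. The function names, the attribute list, the 'shib-' group prefix and the use of the eppn scope as the institution name are assumptions for the example.

```php
<?php
// Added example, not VCL code and not part of Aaron's message. It turns the
// error_log() check he suggests for /shibauth/index.php into a function that
// reports what the Shibboleth SP actually exported, and refuses to derive an
// account when the attribute VCL keys users on (eppn) is missing.
// Hypothetical/assumed: the function names, the attribute list, the 'shib-'
// group prefix and the use of the eppn scope as the institution name.

/**
 * Inspect Shibboleth attributes exported into $server (normally $_SERVER).
 *
 * Returns array(
 *   'ok'       => bool    false when a required attribute is missing or empty
 *   'missing'  => array   names of the missing required attributes
 *   'present'  => array   attribute => value for everything that arrived
 *   'username' => string  the eppn, which VCL uses as the account name
 *   'scope'    => string  text after '@' in the eppn (issuing institution)
 *   'groups'   => array   'shib-' prefixed group names built from 'affiliation'
 * )
 */
function shib_attribute_check(array $server) {
    $required = array('eppn');
    $optional = array('sn', 'givenName', 'displayName', 'affiliation', 'mail');

    $present = array();
    $missing = array();
    foreach (array_merge($required, $optional) as $attr) {
        if (isset($server[$attr]) && $server[$attr] !== '') {
            $present[$attr] = $server[$attr];
        } elseif (in_array($attr, $required, true)) {
            $missing[] = $attr;
        }
    }

    $result = array(
        'ok'       => (count($missing) == 0),
        'missing'  => $missing,
        'present'  => $present,
        'username' => '',
        'scope'    => '',
        'groups'   => array(),
    );
    if (!$result['ok']) {
        return $result;   // fail closed: nothing to build an account from
    }

    // eppn has the form user@scope; the scope identifies the home institution.
    $parts = explode('@', $present['eppn'], 2);
    $result['username'] = $present['eppn'];
    $result['scope']    = isset($parts[1]) ? $parts[1] : '';

    // The SP joins multi-valued attributes with ';'. Each affiliation value
    // becomes one candidate group, mirroring the 'shib-' naming Aaron mentions.
    if (isset($present['affiliation'])) {
        foreach (explode(';', $present['affiliation']) as $aff) {
            $aff = trim($aff);
            if ($aff !== '') {
                $result['groups'][] = 'shib-' . $aff;
            }
        }
    }
    return $result;
}

/** Write one line per attribute to the web server error log, as Aaron's snippet does. */
function log_shib_attributes(array $result) {
    foreach ($result['present'] as $attr => $value) {
        error_log("DEBUG $attr: $value");
    }
    foreach ($result['missing'] as $attr) {
        error_log("DEBUG $attr: MISSING - no VCL account can be created");
    }
}

// Constructed sample standing in for what mod_shib exports; in index.php you
// would pass $_SERVER instead.
$sample = array(
    'eppn'        => 'aquiros@example.edu',
    'givenName'   => 'Al',
    'sn'          => 'Quiros',
    'affiliation' => 'member@example.edu;staff@example.edu',
);
$check = shib_attribute_check($sample);
log_shib_attributes($check);
if (!$check['ok']) {
    exit('Shibboleth session is missing required attributes');
}
```

Run it once with $_SERVER in place of $sample. If the attributes show up only under keys such as HTTP_EPPN, the SP is exporting request headers rather than environment variables, so a lookup of $_SERVER['eppn'] like the one in Aaron's snippet finds nothing; that is one way a login can succeed at the SP yet never reach updateShibUser. Treating a missing eppn as a hard failure, rather than creating an account from whatever did arrive, keeps a misconfigured attribute release from silently producing unkeyed or duplicate users.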