Re: Shibboleth Authentication in VCL
Al,

There are a variety of things to check.

First, in .ht-inc/conf.php, make sure that you have an affiliation configured under $authMechs. This might look something like this:

    $authMechs = array(
        "Institution Name" => array(
            "type"          => "redirect",
            "affiliationid" => 0,
            "URL"           => "/Shibboleth.sso/Login?target=%2Fshibauth"
        )
    );

Depending on how your SP is set up, you may or may not need additional information in the URL section of the configuration. For instance, you may want to extend the URI to include an entityID parameter that points to your IdP.

Next, you will need to verify that the /shibauth directory is configured to perform Shibboleth authentication. In the /shibauth/index.php file you may want to add something like this (at the top of the file) for verification:

    // Log which Shibboleth attributes the SP actually exported into $_SERVER;
    // an attribute the IdP did not release simply never appears there.
    foreach (array("eppn", "sn", "givenName", "displayName") as $attr) {
        $value = isset($_SERVER[$attr]) ? $_SERVER[$attr] : "(not set)";
        error_log("DEBUG $attr: " . $value);
    }

Next, the users are added to the database with the updateShibUser function (called in the /shibauth/index.php file). You should check that this method is really being called.

Finally, users are added to groups with the updateShibGroups function. By default, users are added to groups based on the value of $_SERVER['affiliation']. These groups tend to be prefixed with "shib-" and don't appear in the web UI. If you take a look at the .ht-inc/authmethods/shibauth.php file, you will see sample code in updateShibGroups that has been commented out. If you wish to add everyone to an "all users" group, I would recommend using some similar code. You will just need to make sure that the group name you specify there is configured in the Privilege tree to have access to a certain image group.

Aaron

--
Aaron Coburn
Systems Administrator and Programmer
Academic Technology Services, Amherst College
(413) 542-5451
acob...@amherst.edu

On Feb 23, 2012, at 3:56 PM, Evelio Quiros wrote:

> Ok, we see two affiliations in the database, Local & Global. Both were set
> to 0. We are using Shibboleth without LDAP, since Shib uses LDAP in its
> back end authentication. We set the Global shibonly field to 1 and tried
> it. It still behaves the same, no new users are entered in the database.
>
> Thanks,
> Al Quiros
> Florida International University
>
> On 2/23/12 3:08 PM, "Josh Thompson" wrote:
>
>> Al,
>>
>> Are you using Shibboleth by itself or in conjunction with LDAP? If not
>> with LDAP, do you have affiliation.shibonly set to 1 for any affiliations
>> logging in with Shibboleth?
>>
>> Josh
>>
>> On Thursday 23 February 2012 7:06:40 PM Evelio Quiros wrote:
>>> Hello,
>>>
>>> We are trying to configure Shibboleth for VCL. We have gotten to the
>>> point where a user is able to log in successfully, so the $_SERVER
>>> values are ok, but it does not add the new user into the database.
>>> Doing a search for that username shows nothing, even though we were
>>> able to login successfully. Consequently, the logged in user has no
>>> privileges, and cannot make reservations. Any ideas on what we may be
>>> missing ?
>>>
>>> Thanks,
>>> Al Quiros
>>> Florida International University
>>
>> Josh Thompson
>> VCL Developer
>> North Carolina State University
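The two checks Aaron walks through above (are the expected attributes actually in $_SERVER, and how do affiliation values turn into "shib-" groups) can be exercised outside the web request. The script below is an added example, not VCL's code and not from Aaron's message: the function names are hypothetical, the attribute names are the ones named in the thread, the sample session is constructed, and the assumption that a multi-valued attribute arrives semicolon-separated reflects the common SP default rather than anything the thread states.

```php
<?php
// Added example (not VCL's own code). Checks the Shibboleth attributes an SP
// exported into $_SERVER before any user row is written, and derives the
// "shib-" group names the thread describes updateShibGroups creating.
// Function names (checkShibAttributes, shibGroupNames) are hypothetical.

// eppn is the identity key a user row is created from, so it is mandatory;
// the others are nice to have for display purposes.
const REQUIRED_ATTRS = array('eppn');
const OPTIONAL_ATTRS = array('sn', 'givenName', 'displayName', 'affiliation');

/**
 * Returns array(ok, attrs, problems): attrs holds the attributes that were
 * present, problems lists anything that should stop provisioning.
 */
function checkShibAttributes(array $server) {
    $attrs = array();
    $problems = array();
    foreach (array_merge(REQUIRED_ATTRS, OPTIONAL_ATTRS) as $name) {
        if (!isset($server[$name]) || $server[$name] === '') {
            if (in_array($name, REQUIRED_ATTRS, true)) {
                $problems[] = "required attribute '$name' missing: check the SP "
                            . "attribute-map and the IdP release policy";
            }
            continue;
        }
        $attrs[$name] = $server[$name];
    }
    // An eppn without a scope cannot be matched to an affiliation's shibname.
    if (isset($attrs['eppn']) && strpos($attrs['eppn'], '@') === false) {
        $problems[] = "eppn '{$attrs['eppn']}' is not scoped (no @domain)";
    }
    return array(count($problems) === 0, $attrs, $problems);
}

/**
 * Maps the affiliation attribute (assumed semicolon-separated, the usual SP
 * default for multi-valued attributes) to "shib-" prefixed group names, plus
 * an optional catch-all group such as the "all users" group Aaron mentions.
 * Values are whitelisted to a safe character set before becoming group names.
 */
function shibGroupNames($affiliation, $allUsersGroup = null) {
    $groups = array();
    foreach (explode(';', $affiliation) as $value) {
        $value = strtolower(trim($value));
        if ($value !== '' && preg_match('/^[a-z0-9@._-]+$/', $value)) {
            $groups[] = 'shib-' . $value;
        }
    }
    if ($allUsersGroup !== null) {
        $groups[] = $allUsersGroup;
    }
    return array_values(array_unique($groups));
}

// Constructed stand-in for $_SERVER after a successful SP session (not real data).
$sample = array(
    'eppn'        => 'aquiros@example.edu',
    'givenName'   => 'Al',
    'sn'          => 'Quiros',
    'displayName' => 'Al Quiros',
    'affiliation' => 'staff@example.edu;member@example.edu',
);

list($ok, $attrs, $problems) = checkShibAttributes($sample);
foreach ($problems as $p) {
    error_log("SHIB CHECK: $p");
}
if ($ok) {
    // Prints shib-staff@example.edu, shib-member@example.edu, shib-all-users
    print_r(shibGroupNames($attrs['affiliation'], 'shib-all-users'));
}

// The failure mode the thread is chasing: a session with no eppn at all.
list($ok, $attrs, $problems) = checkShibAttributes(array('displayName' => 'Al Quiros'));
echo $ok ? "would provision\n" : "would not provision: " . implode('; ', $problems) . "\n";
```

Run it with the CLI (php check.php) to see the two outcomes; in a live deployment the same functions would be called with the real $_SERVER before updateShibUser, so a missing or unscoped eppn is logged instead of silently producing no user row.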
Re: Shibboleth Authentication in VCL
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'd suggest adding a new affiliation instead of using Global. Global was intended for things like creating a user group that should have access to stuff related to any affiliation.

Once you have added that affiliation, set shibonly to 1 and set shibname to the part after @ for a user's eppn. For example, my eppn at NCSU is jftho...@ncsu.edu. So, for the NCSU affiliation in our database, shibname is set to 'ncsu.edu'.

Let me know if that gets you any further.

Also, Aaron Coburn and Jim O'Dell might have some good input. They have more general Shibboleth experience than I do.

Josh

On Thursday 23 February 2012 8:56:21 PM Evelio Quiros wrote:
> Ok, we see two affiliations in the database, Local & Global. Both were set
> to 0. We are using Shibboleth without LDAP, since Shib uses LDAP in its
> back end authentication. We set the Global shibonly field to 1 and tried
> it. It still behaves the same, no new users are entered in the database.
>
> Thanks,
> Al Quiros
> Florida International University
>
> On 2/23/12 3:08 PM, "Josh Thompson" wrote:
> >Al,
> >
> >Are you using Shibboleth by itself or in conjunction with LDAP? If not
> >with LDAP, do you have affiliation.shibonly set to 1 for any affiliations
> >logging in with Shibboleth?
> >
> >Josh
> >
> >On Thursday 23 February 2012 7:06:40 PM Evelio Quiros wrote:
> >> Hello,
> >>
> >> We are trying to configure Shibboleth for VCL. We have gotten to the
> >> point where a user is able to log in successfully, so the $_SERVER
> >> values are ok, but it does not add the new user into the database.
> >> Doing a search for that username shows nothing, even though we were
> >> able to login successfully. Consequently, the logged in user has no
> >> privileges, and cannot make reservations. Any ideas on what we may be
> >> missing ?
> >>
> >> Thanks,
> >> Al Quiros
> >> Florida International University
> >
> >Josh Thompson
> >VCL Developer
> >North Carolina State University

- -- 
- ---
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found at pgp.mit.edu

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)

iEYEARECAAYFAk9GrnUACgkQV/LQcNdtPQM9dgCeOeikJaOrZYcbDJSGZYXN/2tJ
LNYAmwfxm8r6ojHUX4j7K86+JRjSv7nO
=miUN
-----END PGP SIGNATURE-----
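Josh's advice above amounts to a lookup rule: take the scope of the user's eppn (the part after @), find the affiliation whose shibname equals it, and require that affiliation to have shibonly set. The script below is an added example, not VCL's code and not from Josh's message: the affiliation table is a constructed in-memory stand-in for the database rows, the FIU row and its shibname are assumed for illustration, and the function names are hypothetical. It also reproduces the thread's starting state (only Local and Global, neither with a shibname) to show why setting shibonly on Global alone changes nothing.

```php
<?php
// Added example (not VCL's own code). Resolves a Shibboleth user's affiliation
// from the scope of eppn as Josh describes: shibname == part after '@', and
// shibonly must be 1. Function names (splitEppn, resolveAffiliation) are
// hypothetical; the table below is a constructed stand-in for the database.

// Constructed affiliation rows: the two the thread reports (Local and Global,
// no shibname on either) plus one added the way Josh suggests.
$affiliations = array(
    array('id' => 1, 'name' => 'Local',  'shibonly' => 0, 'shibname' => null),
    array('id' => 2, 'name' => 'Global', 'shibonly' => 1, 'shibname' => null),
    array('id' => 3, 'name' => 'FIU',    'shibonly' => 1, 'shibname' => 'fiu.edu'),
);

/** Splits eppn into array(user, scope); null when it is not a scoped identifier. */
function splitEppn($eppn) {
    $parts = explode('@', $eppn, 2);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;
    }
    return array($parts[0], strtolower($parts[1]));
}

/**
 * Returns the affiliation row whose shibname equals the eppn scope and whose
 * shibonly flag is 1, or null with the reason in $why. A null shibname never
 * matches, which is why a Global row with shibonly=1 does not admit anyone.
 */
function resolveAffiliation($eppn, array $affiliations, &$why) {
    $split = splitEppn($eppn);
    if ($split === null) {
        $why = "eppn '$eppn' is not scoped";
        return null;
    }
    list(, $scope) = $split;
    foreach ($affiliations as $row) {
        if ($row['shibname'] === null || strtolower($row['shibname']) !== $scope) {
            continue;
        }
        if ((int) $row['shibonly'] !== 1) {
            $why = "affiliation '{$row['name']}' matches scope '$scope' but shibonly is 0";
            return null;
        }
        $why = null;
        return $row;
    }
    $why = "no affiliation has shibname '$scope'";
    return null;
}

// The thread's starting state: only Local and Global exist, so an FIU eppn
// has nothing to match even though Global has shibonly=1.
$before = array_slice($affiliations, 0, 2);
$row = resolveAffiliation('aquiros@fiu.edu', $before, $why);
echo "before adding an FIU row: ", $row ? 'ok' : "rejected: $why", PHP_EOL;

// After the fix, plus two inputs that should still be rejected.
foreach (array('aquiros@fiu.edu', 'someone@other.edu', 'unscoped') as $eppn) {
    $row = resolveAffiliation($eppn, $affiliations, $why);
    echo $eppn, ' -> ',
         $row ? "affiliation {$row['name']} (id {$row['id']})" : "rejected: $why",
         PHP_EOL;
}
```

The scope comparison is case-insensitive because eppn scopes are DNS-style names; the shibonly check is deliberately separate from the shibname match so the log line says which of the two conditions failed, which is the distinction Al's thread needed.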
Re: Shibboleth Authentication in VCL
Ok, we see two affiliations in the database, Local & Global. Both were set to 0. We are using Shibboleth without LDAP, since Shib uses LDAP in its back end authentication. We set the Global shibonly field to 1 and tried it. It still behaves the same, no new users are entered in the database.

Thanks,
Al Quiros
Florida International University

On 2/23/12 3:08 PM, "Josh Thompson" wrote:

>Al,
>
>Are you using Shibboleth by itself or in conjunction with LDAP? If not
>with LDAP, do you have affiliation.shibonly set to 1 for any affiliations
>logging in with Shibboleth?
>
>Josh
>
>On Thursday 23 February 2012 7:06:40 PM Evelio Quiros wrote:
>> Hello,
>>
>> We are trying to configure Shibboleth for VCL. We have gotten to the
>> point where a user is able to log in successfully, so the $_SERVER values
>> are ok, but it does not add the new user into the database. Doing a search
>> for that username shows nothing, even though we were able to login
>> successfully. Consequently, the logged in user has no privileges, and
>> cannot make reservations. Any ideas on what we may be missing ?
>>
>> Thanks,
>> Al Quiros
>> Florida International University
>
>Josh Thompson
>VCL Developer
>North Carolina State University
Re: Shibboleth Authentication in VCL
On 2/23/12 3:08 PM, "Josh Thompson" wrote:

>Al,
>
>Are you using Shibboleth by itself or in conjunction with LDAP? If not
>with LDAP, do you have affiliation.shibonly set to 1 for any affiliations
>logging in with Shibboleth?
>
>Josh
>
>On Thursday 23 February 2012 7:06:40 PM Evelio Quiros wrote:
>> Hello,
>>
>> We are trying to configure Shibboleth for VCL. We have gotten to the
>> point where a user is able to log in successfully, so the $_SERVER values
>> are ok, but it does not add the new user into the database. Doing a search
>> for that username shows nothing, even though we were able to login
>> successfully. Consequently, the logged in user has no privileges, and
>> cannot make reservations. Any ideas on what we may be missing ?
>>
>> Thanks,
>> Al Quiros
>> Florida International University
>
>Josh Thompson
>VCL Developer
>North Carolina State University
Re: Shibboleth Authentication in VCL
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Al,

Are you using Shibboleth by itself or in conjunction with LDAP? If not with LDAP, do you have affiliation.shibonly set to 1 for any affiliations logging in with Shibboleth?

Josh

On Thursday 23 February 2012 7:06:40 PM Evelio Quiros wrote:
> Hello,
>
> We are trying to configure Shibboleth for VCL. We have gotten to the point
> where a user is able to log in successfully, so the $_SERVER values are ok,
> but it does not add the new user into the database. Doing a search for that
> username shows nothing, even though we were able to login successfully.
> Consequently, the logged in user has no privileges, and cannot make
> reservations. Any ideas on what we may be missing ?
>
> Thanks,
> Al Quiros
> Florida International University

- -- 
- ---
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found at pgp.mit.edu

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)

iEYEARECAAYFAk9GnL0ACgkQV/LQcNdtPQNvqACfeE54okUDqMmymEFZoA99MyS2
MfoAnjmhgE6Q3ZYUi9OVZZat1/U/8gmd
=O91X
-----END PGP SIGNATURE-----