Have you looked for any errors in the shibd.log or the transaction.logs of the shibboleth service provider.
Also have you tried to add a php file to dump the data in the vcl directory that contains <?php print_r($_SERVER) ?> and what does that print out Also can you send me a copy of your attribute-map.xml file Mike On Mon, Sep 14, 2020 at 4:35 PM MARTINEZ, ARIEL <amarti...@hostos.cuny.edu> wrote: > Hi Mike, > > > > Both Shibboleth.sso/Status and Shibboleth.sso/Session indicate that the > Shibboleth SP appears to be running correctly. I can see eppn, mail and > displayname (haven’t included affiliation) in the session after > authenticating. > > > > I just can’t figure out why the $_SERVER variable does not have any > Shibboleth data even though the session is established. Because of this, > the authentication in VCL is not working. > > > > I have a .htaccess file in /var/www/html/vcl directory with the following: > > > > Authtype shibboleth > > ShibRequireSession off > > Require shibboleth > > > > So when I select the configured SSO option in the VCL login, I get > redirected to my identity provider and it gets redirected back to the /vcl > webpage but it doesn’t log in. > > > > Thanks > > > > > > *From:* Mike Jennings <gmjen...@ncsu.edu> > *Sent:* Monday, September 14, 2020 11:17 AM > *To:* user@vcl.apache.org > *Subject:* Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication > *Importance:* Low > > > > Martinez, > > > > Sorry I am a little late to the game here. > > > > It has been a long time since I have worked with a Shibboleth SP. > > > > I am currently assuming that you have setup the Shibboleth SP on a Apache > HTTPS server. > > > > I am assuming that you can do the initial test correctly > > > > You can test to ensure that the SP is running properly and the surrounding > environment is correct by accessing > https://localhost/Shibboleth.sso/Status *from the actual web server > machine*. You *MUST* use "localhost" as the hostname or it WILL NOT WORK > by default. If this test is successful, then the software is ready for > further configuration. > > You can also access the Status handler from other clients or using a > non-localhost name, but *only* if you change the acl parameter in the > configuration to permit your client address or remove it entirely to open > up access to anybody. The ACL is present by default because the Status > handler can return some arguably sensitive information about your > configuration. > > > > > > You have the attribute-map.xml configured correctly. You might need to > contact the Shibboleth IdP Administrator to verify he is releasing > attributes to your sp and what values need to be modified in that file. > > > > Thanks, > > > > Mike Jennings > > > > On Fri, Sep 11, 2020 at 7:48 PM MARTINEZ, ARIEL <amarti...@hostos.cuny.edu> > wrote: > > Hi Josh, > > Thanks for this info. The problem is that there is no 'SHIB_EPPN' in the > $_SERVER array. There is no other Shibboleth related entry other than the > shib session string HTTP_COOKIE. > > Not sure how to correct this. How can the required entry be made to be > included in the array? > > Thanks > > On Sep 11, 2020 5:39 PM, Josh Thompson <josh_thomp...@ncsu.edu> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi Ariel, > > Toward the top of initGlobals in utils.php, there is a small block of code > that tests conditions for each authentication method if the user is not > logged > in, and if that authentication method's test function returns true, it will > then call that authentication method's authentication function. It's the > "else" block that starts on line 176 of the 2.5.1 release. > > The shibauth.php module uses testShibAuth as the test function. All it > does > is to check for $_SERVER['SHIB_EPPN'] being set. If it is not set, it will > not attempt to authenticate the user using Shibboleth. An easy way to test > this is to temporarily put a file in the same directory as the main VCL > index.php directory that just has this in it: > > <?php > print "<pre>\n"; > print_r($_SERVER); > print "</pre>\n"; > ?> > > Don't leave the file in there beyond the testing since it can disclose > various > information about your system. > > If you aren't seeing 'SHIB_EPPN' in the $_SERVER array, you have found your > problem. If your Shibboleth configuration is using something different > than > 'SHIB_EPPN', just change what is checked in testShibAuth in shibauth.php. > > The VCL php code doesn't log anywhere other than where php errors would be > going. Look in to configuring php errors for httpd to get that set up. My > experience has been that systems generally don't log php errors anywhere by > default. > > Josh > > On Thursday, September 10, 2020 1:47:09 PM EDT MARTINEZ, ARIEL wrote: > > I have been looking further into the shibauth.php file to see what is > > supposed to happen when a shibboleth login happens. For starters, it > > creates an affiliation in the affiliation table if it does not find one > > from the attributes received from the identity provider. However it > doesn't > > seem to be executing that code. It at the very least should have > generated > > an error message when trying to automatically create an affiliation if it > > failed. > > > > Is there any way to troubleshoot shibauth.php to see what is happening? > Or > > is this particular function logged somewhere in particular? > > > > Thanks. > > > > > > -----Original Message----- > > From: MARTINEZ, ARIEL > > Sent: Sunday, August 30, 2020 1:11 PM > > To: 'user@vcl.apache.org' <user@vcl.apache.org> > > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication > > > > I don't know what else to really try because as far as Shibboleth is > > concerned, it appears to be working. So I went to the > > /Shibboleth.sso/Session URL after logging in and the following is > > displayed, I replaced some values that should not be public: > > > > Miscellaneous > > Session Expiration (barring inactivity): 478 minute(s) Client Address: > > (xx.xx.xx.xxx) SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol > Identity > > Provider: (idp entity ID) > > Authentication Time: 2020-08-30T16:54:23.787Z Authentication Context > Class: > > urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport > > Authentication Context Decl: (none) > > > > Attributes > > affiliation: mem...@domain.com > > eppn: u...@domain.com;u...@domain.com > > upn: u...@domain.com > > > > > > Unless eppn should not have two values, as far as I can tell, the proper > > values required by VCL are present. In the VCL database affiliation > table, > > I have populated an existing VCL Affiliation that is configured to use > LDAP > > with the domain.com value under shibname. I also tried creating a new > > affiliation setting shibonly to 1 > > > > I still get the same behavior where, after selecting the Shibboleth > > authentication method and signing in at my idp, it gets redirected back > to > > the /vcl directory to choose an authentication method. > > > > > > -----Original Message----- > > From: MARTINEZ, ARIEL > > Sent: Thursday, August 27, 2020 3:00 PM > > To: 'user@vcl.apache.org' <user@vcl.apache.org> > > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication > > > > After login nothing is happening still. So I moved the test.php file from > > the old Shibboleth instructions to my main VCL directory and set the > > conf.php file to redirect to this file after login and the attributes are > > all undefined. > > > > Is this sufficient to say with a high level of certainty that my IDP is > not > > sending VCL what it is expecting? Or is the test.php not meant to work > that > > way? > > > > Thanks > > > > -----Original Message----- > > From: MARTINEZ, ARIEL > > Sent: Wednesday, August 26, 2020 11:14 AM > > To: user@vcl.apache.org > > Subject: RE: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication > > > > Hi Josh, > > > > Last question before I try again, there is no shibboleth affiliation in > my > > VCL database. So should I be creating a new affiliation for shibboleth > and > > populating the shibname field, or should I use the existing LDAP > configured > > affiliation and populate its shibname field? > > > > Thanks > > > > -----Original Message----- > > From: Josh Thompson <josh_thomp...@ncsu.edu> > > Sent: Wednesday, August 26, 2020 11:04 AM > > To: user@vcl.apache.org > > Subject: Re: [Suspected SPAM] Re: [EXTERNAL] Re: ADFS SSO Authentication > > - -- > - ------------------------------- > Josh Thompson > VCL Developer > North Carolina State University > > my GPG/PGP key can be found on pool.sks-keyservers.net > > All electronic mail messages in connection with State business which > are sent to or received by this account are subject to the NC Public > Records Law and may be disclosed to third parties. > -----BEGIN PGP SIGNATURE----- > > iF0EARECAB0WIQRMIdRtWXideTZDK31X8tBw1209AwUCX1vuhwAKCRBX8tBw1209 > A8DxAJ96eWpTyUnduFw9TVnbqelq8Xyt2ACfUmfmuBolOE+Agkt6ZfQVJ4HjO48= > =jMJR > -----END PGP SIGNATURE----- > > >
