Al,

There are a variety of things to check.

First, in .ht-inc/conf.php, make sure that you have an affiliation configured 
under $authMechs

This might look something like this:

$authMechs = array(
        "Institution Name" => array("type" => "redirect",
                                                        "affiliationid" => 0,
                                                        "URL" => 
"/Shibboleth.sso/Login?target=%2Fshibauth"
        )
);

Depending on how your SP is set up, you may or may not need additional 
information in the URL section of the configuration. For instance, you may want 
to extend the URI to include an entityID parameter that points to your IdP.

Next, you will need to verify that the /shibauth directory is configured to 
perform Shibboleth authentication. In the /shibauth/index.php file you may want 
to add something like this (at the top of the file) for verification:

foreach( array( "eppn", "sn", "givenName", "displayName") as $attr){
        error_log("DEBUG $attr: " . $_SERVER[$attr]);
}

Next, the users are added to the database with the updateShibUser function 
(called in the /shibauth/index.php file). You should check that this method is 
really being called.

Finally, users are added to groups with the updateShibGroups function. By 
default, users are added to groups based on the value of 
$_SERVER['affiliation']. These groups tend to be prefixed with "shib-" and 
don't appear in the web UI. If you take a look at the 
.ht-inc/authmethods/shibauth.php file, you will see sample code in the 
updateShibGroups that has been commented out. If you wish to add everyone to an 
"all users" group, I would recommend using some similar code. You will just 
need to make sure that the group name you specify there is configured in the 
Privilege tree to have access to a certain image group.

Aaron




--
Aaron Coburn
Systems Administrator and Programmer
Academic Technology Services, Amherst College
(413) 542-5451 acob...@amherst.edu





On Feb 23, 2012, at 3:56 PM, Evelio Quiros wrote:

> Ok, we see two affiliations in the database, Local & Global. Both were set
> to 0. We are using Shibboleth without LDAP, since Shib uses LDAP in it's
> back end authentication. We set the Global shibonly field to 1 and tried
> it. It still behaves the same, no new users are entered in the database.
> 
> Thanks,
> Al Quiros
> Florida International University
> 
> 
> 
> 
> 
> On 2/23/12 3:08 PM, "Josh Thompson" <josh_thomp...@ncsu.edu> wrote:
> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> Al,
>> 
>> Are you using Shibboleth by itself or in conjunction with LDAP?  If not
>> with 
>> LDAP, do you have affiliation.shibonly set to 1 for any affiliations
>> logging 
>> in with Shibboleth?
>> 
>> Josh
>> 
>> On Thursday 23 February 2012 7:06:40 PM Evelio Quiros wrote:
>>> Hello,
>>> 
>>> We are trying to configure Shibboleth for VCL. We have gotten to the
>>> point
>>> where a user is able to log in successfully, so the $_SERVER values are
>>> ok,
>>> but it does not add the new user into the database. Doing a search for
>>> that
>>> username shows nothing, even though we were able to login successfully.
>>> Consequently, the logged in user has no privileges, and cannot make
>>> reservations. Any ideas on what we may be missing ?
>>> 
>>> Thanks,
>>> Al Quiros
>>> Florida International University
>> - -- 
>> - -------------------------------
>> Josh Thompson
>> VCL Developer
>> North Carolina State University
>> 
>> my GPG/PGP key can be found at pgp.mit.edu
>> 
>> All electronic mail messages in connection with State business which
>> are sent to or received by this account are subject to the NC Public
>> Records Law and may be disclosed to third parties.
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2.0.17 (GNU/Linux)
>> 
>> iEYEARECAAYFAk9GnL0ACgkQV/LQcNdtPQNvqACfeE54okUDqMmymEFZoA99MyS2
>> MfoAnjmhgE6Q3ZYUi9OVZZat1/U/8gmd
>> =O91X
>> -----END PGP SIGNATURE-----
>> 
> 

Reply via email to