[shib_auth] Linking with arguments

Kristof Bajnok bajnokk at niif.hu
Fri Apr 8 14:47:51 CEST 2011


On Friday 08 April 2011 11:46:15 Markus Broman wrote:
> First of all, thanks for all your help with my arguments -problem.

You're welcome.

For others on the list: this thread is about http://drupal.org/node/1107746

> I have tried both of the solutions and if I enable passive authentication
> with the dev-f-genurl, linking works perfectly and I get redirected to the
> page I'm heading for. This is the case if I'm already authenticated with
> shibboleth elsewhere.
> 
> If I'm not authenticated and go to the link I get some kind of error:
> 
> opensaml::FatalProfileException at
> (https://example.com/Shibboleth.sso/SAML2/POST) SAML response contained an
> error.
> Error from identity provider:
> Status: urn:oasis:names:tc:SAML:2.0:status:Responder
> Sub-Status: urn:oasis:names:tc:SAML:2.0:status:NoPassive

That's the case when you don't configure redirectErrors in the RequestMap of 
the Shibboleth SP config. See [1], or the Shibboleth wiki links at [2] and [3].

> On the other hand, if I don't use passive authentication and instead use
> the redirect snippet Shafter posted earlier, it seems to work in both
> cases! When I'm authenticated elsewhere and when I'm not. So thank you
> very much for that!
> 
> Maybe there could be an option in Shibboleth authentication to insert this
> code or something like it into the page.tpl?

No, it's not general enough. And there are two more general ways to solve this 
particular problem:
 - isPassive: when you want to log in all users who are already authenticated 
at their IdPs
 - required Shibboleth session: when you want to log in all users before they 
do any action on your site.

What would qualify as a feature request is the possibility to provide a list of 
nodes where the login redirect is forced. On the other hand, it's possible to 
map the nodes to web server paths, so requireSession can be defined in the 
RequestMap in the Shibboleth SP config, and you get this functionality already. A 
GUI would be fancier, no doubt.
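The two RequestMap settings discussed in this reply (redirectErrors for the passive-login NoPassive case, and per-path requireSession for nodes that must always force a login) put together as an added example of a Shibboleth SP 2.x shibboleth2.xml fragment. This is not configuration from the original message or from the shib_auth module; the host name, the Drupal node paths and the redirect URL are assumptions chosen for illustration.

```xml
<!-- Added example, not from the original message. Host name, paths and URLs
     are assumed values; replace them with your own. -->
<RequestMapper type="Native">
  <RequestMap applicationId="default">

    <!-- Default for the whole Drupal site: authType="shibboleth" with
         requireSession="false" gives a "lazy" session, so the SP exports
         attributes when a session exists but never forces a login itself;
         the Drupal module (shib_auth) decides when to send users to
         Shibboleth.sso/Login. -->
    <Host name="drupal.example.org" authType="shibboleth"
          requireSession="false">

      <!-- Passive login for users who already have an IdP session. When the
           IdP answers with status NoPassive (user not logged in there), the
           SP would normally render its error page
           (opensaml::FatalProfileException). redirectErrors sends the browser
           to this URL instead, so the user simply continues anonymously.
           The target URL is an assumption. -->
      <Path name="user" isPassive="true" requireSession="true"
            redirectErrors="https://drupal.example.org/"/>

      <!-- Nodes that must never be served to anonymous users: a normal,
           non-passive login is forced by the SP before Drupal sees the
           request. Clean-URL node paths (node/42, node/43) are mapped as
           nested Path elements; the node numbers are assumed. -->
      <Path name="node">
        <Path name="42" requireSession="true" isPassive="false"/>
        <Path name="43" requireSession="true" isPassive="false"/>
      </Path>

    </Host>
  </RequestMap>
</RequestMapper>
```

After editing shibboleth2.xml, run `shibd -t` to have the SP daemon parse the configuration and report errors before restarting it; a misplaced attribute in the RequestMap is otherwise only noticed when the first request hits that path.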

> Will the dev-f-genurl changes be committed to a maintained version of
> Shibboleth authentication any time soon or do you think it's safe to use
> this version on a production site?

Yep, I've just committed it to the head branch.

Kristof

[1] https://wiki.aai.niif.hu/index.php/DrupalShibbolethReadmeDev#isPassive
[2] https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings
[3] https://wiki.shibboleth.net/confluence/display/SHIB2/isPassive