[shib_auth] Fwd: drupal not creating shibboleth authenticated users

Kristof Bajnok bajnokk at niif.hu
Wed Aug 15 15:57:59 CEST 2012


Hi Gavin,

On 15/08/12 09:00, Gavin Jackson wrote:
> Hi, I attempted to post the following question to the mailing list
> earlier today - but was rejected (I am subscribed to the mailing list).

I think you posted to the list before you confirmed your subscription.

> 
> Hi guys,
> 
> I'm trying to authenticate users against shibboleth.
> 
> I have both the email (AJP_mail) and REMOTE_USER attributes configured.
> 
> It successfully goes to my IdP login page and redirects back to drupal,
> however all I see is *"Access Denied" You are not authorised to view
> this page*. I can see both the AJP_mail and REMOTE_USER attributes in
> the $_SERVER array. 


I think the problem is that the thing that moves away the Shibboleth
attributes to AJP_foobar also modifies Shib-Identity-Provider. Are you
using ajp_proxy?

> Am I correct in thinking that the module should automatically create a
> new drupal user with the username set to REMOTE_USER and email set to
> the defined attribute (plus a random password)?

That's correct.

>   * *$_SERVER:*
> 
>     Array
>     (
>         [AJP_Shib-Application-ID] => default
>         [AJP_Shib-Session-ID] => _d8febf5a366eea57f24dbbdf2e774254
>         [AJP_Shib-Identity-Provider] => https://sso.lesmills.com.au/idp/shibboleth

This last one is the culprit. For a short-term fix, you should modify
the code around the function shib_auth_get_idp() and include
$_SERVER['AJP_Shib-Identity-Provider'].

After identifying what causes the renaming of the variables, please open
an issue on drupal.org, so that I will remember. Please also provide
details on whether you use ShibUseHeaders or the safeHeaderNames option.

It would be a great help if one could provide a list of Apache modules
that do variable rewriting. mod_rewrite is one which does so, but it
seems it's not alone in doing this.

Kristof
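
The short-term fix described in the message above, sketched as an added example (not the shib_auth module's code and not written by the author of the message): a lookup that accepts a Shibboleth variable under its plain name or under a renamed form. The function name `example_shib_server_var` and the prefix list (`AJP_` taken from the dump above, `REDIRECT_` being the prefix Apache applies to environment variables after an internal redirect) are assumptions.

```php
<?php
// Added example; the function name and default prefix list are hypothetical.

/**
 * Look up a Shibboleth variable in a $_SERVER-style array, trying the
 * plain name first and then each renamed form ("AJP_<name>", ...).
 *
 * Returns the value, or NULL when the variable is absent or when two
 * forms are present with different values (ambiguous, so not trusted).
 */
function example_shib_server_var(array $server, $name, array $prefixes = array('AJP_', 'REDIRECT_')) {
  // Build the ordered list of keys to probe.
  $candidates = array($name);
  foreach ($prefixes as $prefix) {
    $candidates[] = $prefix . $name;
  }

  // Collect every non-empty string value found under those keys.
  $found = array();
  foreach ($candidates as $key) {
    if (isset($server[$key]) && is_string($server[$key]) && $server[$key] !== '') {
      $found[$key] = $server[$key];
    }
  }

  if (!$found) {
    return NULL;
  }
  // Conflicting copies of the same variable: refuse rather than guess.
  if (count(array_unique($found)) > 1) {
    return NULL;
  }
  return reset($found);
}

// Constructed sample, modelled on the $_SERVER dump quoted in the message.
$sample = array(
  'AJP_Shib-Application-ID' => 'default',
  'AJP_Shib-Identity-Provider' => 'https://sso.lesmills.com.au/idp/shibboleth',
);

var_dump(example_shib_server_var($sample, 'Shib-Identity-Provider'));
var_dump(example_shib_server_var($sample, 'Shib-Session-ID'));
```

Keep the prefix list limited to the renaming your own front end is known to perform, so that a variable arriving under an unexpected name is not treated as a Shibboleth attribute.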


