[shib_auth] Fwd: drupal not creating shibboleth authenticated users
Gavin Jackson
gavinj at lesmills.com.au
Thu Aug 16 01:24:32 CEST 2012
Thanks Kristof,
That worked perfectly, yeah I'm using mod_ajp to proxy through to tomcat. For the request attributes to be available (without using request headers) the shibboleth sp prefix needs to be set to AJP_ (this is defined in shibboleth2.xml).
I'll raise an enhancement request to provide a prefix configuration option for shib_auth.
Thanks again for your quick and thorough response, much appreciated.
Cheers,
Gav
On 15/08/2012, at 11:58 PM, Kristof Bajnok <bajnokk at niif.hu> wrote:
> Hi Gavin,
>
> On 15/08/12 09:00, Gavin Jackson wrote:
>> Hi, I attempted to post the following question to the mailing list
>> earlier today - but was rejected (I am subscribed to the mailing list).
>
> I think you posted to the list before you confirmed your subscription.
>
>>
>> Hi guys,
>>
>> I'm trying to authenticate users against shibboleth.
>>
>> I have both the email (AJP_mail) and REMOTE_USER attributes configured.
>>
>> It successfully goes to my IdP login page and redirects back to drupal,
>> however all I see is *"Access Denied" You are not authorised to view
>> this page*. I can see both the AJP_mail and REMOTE_USER attributes in
>> the $_SERVER array.
>
>
> I think the problem is that the thing that moves away the Shibboleth
> attributes to AJP_foobar also modifies Shib-Identity-Provider. Are you
> using ajp_proxy?
>
>> Am I correct in thinking that the module should automatically create a
>> new drupal user with the username set to REMOTE_USER and email set to
>> the defined attribute (plus a random password)?
>
> That's correct.
>
>> * *$_SERVER:*
>>
>> Array
>> (
>> [AJP_Shib-Application-ID] => default
>> [AJP_Shib-Session-ID] => _d8febf5a366eea57f24dbbdf2e774254
>> [AJP_Shib-Identity-Provider] => https://sso.lesmills.com.au/idp/shibboleth
>
> This last one is the culprit. For a short-term fix, you should modify
> the code around the function shib_auth_get_idp() and include
> $_SERVER['AJP_Shib-Identity-Provider'].
>
> After identifying what causes the renaming of the variables, please open
> an issue on drupal.org, so that I will remember. Please also provide
> details on whether you use ShibUseHeaders or the safeHeaderNames option.
>
> It would be great help if one could provide a list of apache modules
> that do variable rewriting. mod_rewrite is one which does so, but it
> seems it's not alone with doing this.
>
> Kristof
>
> _______________________________________________
> shib_auth mailing list
> shib_auth at listserv.niif.hu
> https://listserv.niif.hu/mailman/listinfo/shib_auth
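
An added example, not part of the thread and not shib_auth's own code: a hypothetical PHP helper that looks up an SP attribute under the `AJP_` prefix discussed above and under Apache's `REDIRECT_` renaming, without falling back to request headers. The function name `example_shib_attribute`, its parameters and the sample values are assumptions made for illustration.

```php
<?php
// Added example (hypothetical helper, not shib_auth code).
// Resolves a Shibboleth SP attribute from the server environment when the
// SP (attributePrefix in shibboleth2.xml) or Apache has renamed the variable.

/**
 * @param array  $server       Usually $_SERVER.
 * @param string $name         Attribute name, e.g. 'Shib-Identity-Provider'.
 * @param string $spPrefix     Prefix configured for the SP, e.g. 'AJP_' or ''.
 * @param int    $maxRedirects How many stacked REDIRECT_ prefixes to try.
 * @return string|null         The attribute value, or null if not present.
 */
function example_shib_attribute(array $server, $name, $spPrefix = '', $maxRedirects = 3)
{
    // Try the prefixed name first, then the bare name.
    $candidates = array($spPrefix . $name);
    if ($spPrefix !== '') {
        $candidates[] = $name;
    }
    // HTTP_* keys are built from request headers rather than the server
    // environment, so they are deliberately not consulted here.
    foreach ($candidates as $base) {
        // Apache prepends REDIRECT_ to environment variables on each
        // internal redirect (for example after a mod_rewrite rule).
        for ($i = 0; $i <= $maxRedirects; $i++) {
            $key = str_repeat('REDIRECT_', $i) . $base;
            if (isset($server[$key]) && is_string($server[$key]) && $server[$key] !== '') {
                return $server[$key];
            }
        }
    }
    return null;
}

// Constructed sample input, modelled on the $_SERVER dump in the thread.
$sample = array(
    'AJP_Shib-Application-ID'              => 'default',
    'REDIRECT_AJP_Shib-Identity-Provider'  => 'https://idp.example.org/idp/shibboleth',
    'HTTP_SHIB_IDENTITY_PROVIDER'          => 'https://header-only.example.net/idp',
);

// Without the prefix nothing is found; with 'AJP_' the environment value is.
var_dump(example_shib_attribute($sample, 'Shib-Identity-Provider'));
var_dump(example_shib_attribute($sample, 'Shib-Identity-Provider', 'AJP_'));
```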