[shib_auth] Access Denied after logging in
Kristof Bajnok
bajnokk at niif.hu
Sat Jan 7 17:36:45 CET 2012
Hi Chris,
this is _very_ strange, although I'm completely dense in running PHP on
top of IIS.
On 06/01/12 06:19, Chris Hunter wrote:
> My Identity provider doesn't use the the same server header as what is listed in shib_auth.module. This was a similar error to: http://drupal.org/node/626344
>
> The test.aspx dumped out all of my IdP's variables.
This one I don't understand. Debug mode in shib_auth prints all of the
elements of $_SERVER array and I should have noticed it that you don't
have the IdP entityId variable, however...
> elseif (isset ($_SERVER['HTTP_SHIBIDENTITYPROVIDER']))
> return $_SERVER['HTTP_SHIBIDENTITYPROVIDER'];
... this one is also missing from your original Debug dump.
If it is a standard Shibboleth SP installation on IIS, then it is an
important bug in shib_auth.
Could you please copy-paste the dump of $_SERVER array in PHP and also
the server variables in C#, both ? (You should probably obfuscate the
sensitive parts such as session id, etc)
> Once I did that I had an error that read:
>
> • [Shibboleth authentication] Username is missing. Please contact your site administrator!
> • [Shibboleth authentication] Shibboleth authentication process can't continue
$mistery++;
If shib_auth hadn't been able to read the username, then (I suspect) it
wouldn't have assigned you the roles. Based on your first post, it
apparently did.
> To fix this I found the variables for my user that in my test.aspx variable dump and then I updated the variables for the username and the email under ATTRIBUTE SETTINGS on admin/config/people/shib_auth.
Which were the attribute names then?
Thanks in advance for providing more info. I think the installation base
of shib_auth on IIS is rather small (probably singular, though anybody
on this list may correct me), so your experience is important for future
users.
Kristof
More information about the shib_auth
mailing list