[shib_auth] Access Denied after logging in
Kristof Bajnok
bajnokk at niif.hu
Wed Jan 11 17:31:34 CET 2012
Hi Chris,
On 07/01/12 17:36, Kristof Bajnok wrote:
> On 06/01/12 06:19, Chris Hunter wrote:
>> My Identity provider doesn't use the the same server header as what is listed in shib_auth.module. This was a similar error to: http://drupal.org/node/626344
>>
>> The test.aspx dumped out all of my IdP's variables.
>
> This one I don't understand. Debug mode in shib_auth prints all of the
> elements of $_SERVER array and I should have noticed it that you don't
> have the IdP entityId variable, however...
>
>> elseif (isset ($_SERVER['HTTP_SHIBIDENTITYPROVIDER']))
>> return $_SERVER['HTTP_SHIBIDENTITYPROVIDER'];
>
> ... this one is also missing from your original Debug dump.
>
> If it is a standard Shibboleth SP installation on IIS, then it is an
> important bug in shib_auth.
Scott Cantor from the Shibboleth team pointed me towards the
safeHeaderNames option, which causes non-alphanumeric characters (such
as underscores) to be removed from the header names.
So definitely, this is a bug in shib_auth module, I'm going to file it
shortly.
However, this still doesn't explain why you didn't have
HTTP_SHIBIDENTITYPROVIDER in your original dump.
Kristof
More information about the shib_auth
mailing list