[shib_auth] unauthorized user getting authenticated

Kristof Bajnok bajnokk at niif.hu
Fri Nov 14 15:27:28 CET 2014


Hi Cesar,

[please keep replies on the list]

On 2014-11-13 20:19, cesar ceballos wrote:
>>> How do you block the users? 
> In my site I use shibboleth authentication with the following settings:
> Shibboleth login handler URL: https://mysite.com/Shibboleth.sso/ADFS
> Server variable for username: ADFS_LOGIN
> Server variable for e-mail address: ADFS_EMAIL
> I have Shibboleth Group Rules that grant user roles according to the
> ADFS_GROUP attribute of a user trying to log in through the SSO. In that
> way, if the user's ADFS_GROUP does not match any of those in
> the Shibboleth Group Rules, the authentication is refused.

But you didn't explain what authorises the user. (Not the
authentication: the user is already authenticated by the time you are
able to process their attributes.)

>>>What is the exact message that you receive
>>>when you log in with an unauthorized user?
> Authorization Failed.
> Based on the information provided to this application about you, you are
> not authorized to access the resource at
> https://mysite.com <https://mysite.com/>
> Please contact the administrator of this service or application if you
> believe this to be an error

This message is shown by the Shibboleth SP webserver module, not the
Drupal shib_auth module. So you authorise based on an attribute, not on
a Drupal role.

> And from there, if the user changes to http, it accesses the site and is
> authenticated. In Drupal's Recent Log entries I get: New external
> user: /xyz/ using module /shib_auth/.

My guess would be that you have configured authorisation in Shibboleth
SP, and the request path is different for http and https. For example
you have a VirtualHost definition for https with the authorisation
settings enabled, and another VirtualHost for http that has loose
authorisation settings (such as "Require shibboleth").

Kristof
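The kind of per-VirtualHost mismatch described above, as an added example that is not part of the thread and not Kristof's or Cesar's actual configuration. It is written for Apache 2.4 with Shibboleth SP 2.5 or later. The DocumentRoot, the protected path, the group value drupal-users, and the use of ADFS_GROUP as the attribute id from attribute-map.xml are assumptions for illustration:

```apache
# Added example (not from the thread): a Drupal site behind the Shibboleth
# SP module. Apache 2.4, Shibboleth SP 2.5+. DocumentRoot, the protected
# path, the group value "drupal-users" and the attribute id ADFS_GROUP are
# assumptions for illustration.

# --- Weak layout: only the https vhost checks the group attribute.
# --- The http vhost merely requires a Shibboleth session, so a user who is
# --- authenticated by the IdP but not in the group is admitted over http
# --- and shib_auth creates the Drupal account.
<VirtualHost *:443>
    ServerName mysite.com
    DocumentRoot /var/www/drupal
    <Location />
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        # Authorisation happens here, in the SP module, not in Drupal roles.
        Require shib-attr ADFS_GROUP drupal-users
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName mysite.com
    DocumentRoot /var/www/drupal
    <Location />
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        # Any valid session is enough: no group check on this vhost.
        Require shibboleth
    </Location>
</VirtualHost>

# --- Corrected layout: plain http serves nothing but a redirect, and the
# --- single https vhost carries the one authorisation rule.
<VirtualHost *:80>
    ServerName mysite.com
    # No application content and no Shibboleth handler over http.
    Redirect permanent / https://mysite.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName mysite.com
    DocumentRoot /var/www/drupal
    # Keep the SP handler (session initiators, ACS) reachable without
    # the group check, so the login flow itself can run.
    <Location /Shibboleth.sso>
        SetHandler shib
        Require all granted
    </Location>
    <Location />
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-attr ADFS_GROUP drupal-users
    </Location>
</VirtualHost>
```

With the corrected layout, a user outside the group sees the SP's "Authorization Failed" page regardless of scheme, and Drupal never receives the request that would log "New external user". If http must stay open for some other content, put the same Require rule in a file both vhosts Include, so the two can never drift apart.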
