[shib_auth] Access Denied despite successful SSO Session

Eve Edelson ecedelson at lbl.gov
Mon Sep 26 20:35:30 CEST 2016


Hello Alex,
I am comparing your shibboleth2.xml with ours.
So far I see a few differences, but I'm not sure if they are the meaningful
ones:

Yours is missing this section:

<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="your domain name">
      <Path name="eta-intranet">
        <Path name="installation" authType="shibboleth" requireSession="false" />
      </Path>
    </Host>
  </RequestMap>
</RequestMapper>

and this line is missing uid

<ApplicationDefaults entityID="https://your domain name/" REMOTE_USER="uid eppn persistent-id targeted-id">

Also the Sessions section has some attributes that ours is actually missing.

If you want I can send you a sanitized version of what we're using.


I'll keep looking at this, but my attention is fragmented right now ;]

Could you mention how you configured the shib_auth module?
It's probably correct, I just wondered.
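A small lint script, added here as an example (not code from this thread or from the shib_auth project), that checks a shibboleth2.xml for the three gaps compared above: a missing RequestMapper, a REMOTE_USER list without uid, and a Sessions element lacking attributes. The element and attribute names come from the snippets above; the list of Sessions attributes to require, the hostname and the sample configs are constructed assumptions.

```python
import xml.etree.ElementTree as ET
SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"

def _find(root, name):
    # Match by local name so the default SP namespace does not hide elements.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def lint_shib_config(xml_text, session_attrs=("handlerURL", "handlerSSL", "cookieProps")):
    """Return the gaps found; an empty list means all checks passed.
    session_attrs is an assumed list of Sessions attributes to require."""
    root = ET.fromstring(xml_text)
    findings = []
    if not _find(root, "RequestMapper"):
        findings.append("RequestMapper missing")
    elif not [p for p in _find(root, "Path") if p.get("authType") == "shibboleth"]:
        findings.append('no Path with authType="shibboleth" under RequestMapper')
    apps = _find(root, "ApplicationDefaults")
    if not apps:
        findings.append("ApplicationDefaults missing")
    elif "uid" not in apps[0].get("REMOTE_USER", "").split():
        findings.append("REMOTE_USER lacks uid")
    sessions = _find(root, "Sessions")
    if not sessions:
        findings.append("Sessions missing")
    else:
        missing = [a for a in session_attrs if a not in sessions[0].attrib]
        if missing:
            findings.append("Sessions missing attributes: " + ", ".join(missing))
    return findings

# Constructed samples: one shaped like the gaps described above, one with them filled.
INCOMPLETE_CONFIG = f"""<SPConfig xmlns="{SP_NS}">
  <ApplicationDefaults entityID="https://sp.example.test/" REMOTE_USER="eppn persistent-id targeted-id">
    <Sessions lifetime="28800" timeout="3600" handlerURL="/Shibboleth.sso"/>
  </ApplicationDefaults>
</SPConfig>"""

COMPLETE_CONFIG = f"""<SPConfig xmlns="{SP_NS}">
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="sp.example.test">
        <Path name="installation" authType="shibboleth" requireSession="false"/>
      </Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults entityID="https://sp.example.test/" REMOTE_USER="uid eppn persistent-id targeted-id">
    <Sessions lifetime="28800" timeout="3600" handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="https"/>
  </ApplicationDefaults>
</SPConfig>"""
```

Run `lint_shib_config(INCOMPLETE_CONFIG)` to see the three findings and `lint_shib_config(COMPLETE_CONFIG)` for an empty list.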

=====



On Sun, Sep 25, 2016 at 10:36 PM, Alexander Ivanov <alex at calmforce.com>
wrote:

> Hi everyone,
>
> I'm the lead developer for the QDR site (https://qdr.syr.edu/), which is
> running Drupal 7.  We are developing an integration with a Shibboleth IdP.
> On our Stage site I have installed and enabled shib_auth module ver
> 7.x-4.3.  In that same environment, we've set up the Shibboleth IdP and SP.
>
> I ran into some issues when I attempted to configure the Shib SP (version
> 2.5.6).  I contacted the Shibboleth mailing list, and I was informed that
> the configuration examples provided in the wiki for shib_auth module (
> https://wiki.aai.niif.hu/index.php?title=DrupalShibbolethReadmeDev) are
> outdated.  The configuration examples for shibboleth2.xml must correspond
> to an earlier version of the Shibboleth SP.  Related Shibboleth mailing
> list thread:
> http://shibboleth.1660669.n2.nabble.com/Error-Unable-to-locate-a-SAML-2-0-ACS-endpoint-to-use-for-response-td7628164.html
>
> Currently our IdP and SP are functional such that when I go to the Drupal
> login page and click on Shibboleth Login link, I am taken to our IdP
> authentication page.  Once I login there, I am successfully redirected back
> to the Drupal site.  When I check the status of the SSO Session I see that
> a session is created and attribute values are passed for the
> IdP-authenticated user.  However, despite the successful SSO session, the
> auto-login into Drupal fails. I am not logged into the site, and in the
> error log I just see an *access denied* message.
>
> I am attaching our shibboleth2.xml config file.  I think that I may be
> missing something in the SP configuration.  I tried to make the best of the
> wiki example, but I think this may need to be configured a bit
> differently for Shibboleth SP version > 2.4.  Please let me know if this is
> the case.
>
> I appreciate any advice you may have for making our Shibboleth IdP
> integration work.  Thank you in advance for your help.
>
> My Best,
> Alex
>
>
> _______________________________________________
> shib_auth mailing list
> shib_auth at listserv.niif.hu
> https://listserv.niif.hu/mailman/listinfo/shib_auth
>
>