[shib_auth] Access Denied despite successful SSO Session

Alexander Ivanov alex at calmforce.com
Tue Sep 27 06:58:47 CEST 2016


Hi Eve,

Thank you for your response.  Yes, if you could, please send me a sanitized
version of your shibboleth2.xml

I've tried making the couple config changes that you've mentioned, but I
keep seeing the same *access denied* message in the error log.

*Module configuration*
*Shibboleth login handler URL:*
https://stage.qdr.org/Shibboleth.sso/Login
*Shibboleth logout handler URL:*
https://stage.qdr.org/Shibboleth.sso/Logout

All other settings are default.

Thanks,
Alex


On Mon, Sep 26, 2016 at 2:35 PM, Eve Edelson <ecedelson at lbl.gov> wrote:

> Hello Alex,
> I am comparing your shibboleth2.xml with ours.
> So far I see a few differences, but I'm not sure if they are the
> meaningful ones:
>
> Yours is missing this section:
>
> <RequestMapper type="Native">
>  <RequestMap applicationId="default">
>    <Host name="your domain name">
>      <Path name="eta-intranet">
> <Path name="installation" authType="shibboleth" requireSession="false" />
>       </Path>
>    </Host>
>  </RequestMap>
> </RequestMapper>
>
> and this line is missing uid
>
> <ApplicationDefaults entityID="https://your domain name/" REMOTE_USER="*uid* eppn persistent-id targeted-id">
>
> Also the Sessions session has some attributes that ours is actually
> missing.
>
> If you want I can send you a sanitized version of what we're using.
>
>
> I'll keep looking at this, but my attention is fragmented right now ;]
>
> Could you mention how you configured the shib_auth module?
> It's probably correct, I just wondered.
>
> =====
>
>
>
> On Sun, Sep 25, 2016 at 10:36 PM, Alexander Ivanov <alex at calmforce.com>
> wrote:
>
>> Hi everyone,
>>
>> I'm the lead developer for the QDR site (https://qdr.syr.edu/), which is
>> running Drupal 7.  We are developing an integration with a Shibboleth IdP.
>> On our Stage site I have installed and enabled shib_auth module ver
>> 7.x-4.3.  In that same environment, we've set up the Shibboleth IdP and SP.
>>
>> I ran into some issues when I attempted to configure the Shib SP (version
>> 2.5.6).  I contacted the Shibboleth mailing list, and I was informed that
>> the configuration examples provided in the wiki for shib_auth module (
>> https://wiki.aai.niif.hu/index.php?title=DrupalShibbolethReadmeDev) are
>> outdated.  The configuration examples for shibboleth2.xml must correspond
>> to an earlier version of the Shibboleth SP.  Related Shibboleth mailing
>> list thread:
>> http://shibboleth.1660669.n2.nabble.com/Error-Unable-to-locate-a-SAML-2-0-ACS-endpoint-to-use-for-response-td7628164.html
>>
>> Currently our IdP and SP are functional such that when I go to the Drupal
>> login page and click on Shibboleth Login link, I am taken to our IdP
>> authentication page.  Once I login there, I am successfully redirected back
>> to the Drupal site.  When I check the status of the SSO Session I see that
>> a session is created and attribute values are passed for the
>> IdP-authenticated user.  However, despite the successful SSO session, the
>> auto-login into Drupal fails. I am not logged into the site, and in the
>> error log I just see an *access denied* message.
>>
>> I am attaching our shibboleth2.xml config file.  I think that I may be
>> missing something in the SP configuration.  I tried to make the best of the
>> wiki example, but I think this may need to be configured a bit
>> differently for Shibboleth SP version > 2.4.  Please let me know if this is
>> the case.
>>
>> I appreciate any advice you may have for making our Shibboleth IdP
>> integration work.  Thank you in advance for your help.
>>
>> My Best,
>> Alex
>>
>>
>> _______________________________________________
>> shib_auth mailing list
>> shib_auth at listserv.niif.hu
>> https://listserv.niif.hu/mailman/listinfo/shib_auth
>>
>>
>
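As an added diagnostic example (not code from this thread, from the shib_auth module or from the Shibboleth project), the following Python script parses a shibboleth2.xml and reports the two differences Eve identified: whether the REMOTE_USER list on ApplicationDefaults includes uid (the SP fills REMOTE_USER from the first attribute in that list that has a value), and whether the RequestMapper defines any Path overrides such as the authType/requireSession one she quoted. It also checks that the login handler URL configured in the module sits under the SP's Sessions handlerURL. The sample XML, the sp.example.org/idp.example.org names and the entityIDs are constructed placeholders, not the real QDR configuration; the namespace is the standard SP 2.x configuration namespace.

```python
import re
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Constructed sample shibboleth2.xml (placeholder hostnames, not the real QDR config)
# containing both pieces Eve found missing: the RequestMapper Path override and uid
# at the head of the REMOTE_USER list.
SAMPLE_SHIBBOLETH2_XML = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="sp.example.org">
        <Path name="eta-intranet">
          <Path name="installation" authType="shibboleth" requireSession="false"/>
        </Path>
      </Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults entityID="https://sp.example.org/"
                       REMOTE_USER="uid eppn persistent-id targeted-id">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/Shibboleth.sso" handlerSSL="true">
      <SSO entityID="https://idp.example.org/idp/shibboleth">SAML2 SAML1</SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>
"""

# Constructed variant reproducing the two omissions described in the thread:
# no RequestMapper section and no uid in REMOTE_USER.
SAMPLE_MISSING_BOTH = re.sub(
    r"<RequestMapper.*?</RequestMapper>\s*", "",
    SAMPLE_SHIBBOLETH2_XML.replace('REMOTE_USER="uid eppn', 'REMOTE_USER="eppn'),
    flags=re.S,
)


def _local(tag):
    """Strip the namespace from an ElementTree tag such as '{urn:...}Path'."""
    return tag.rsplit("}", 1)[-1]


def _first(root, name):
    """Return the first element with the given local name, or None."""
    for el in root.iter():
        if _local(el.tag) == name:
            return el
    return None


def remote_user_attributes(xml_text):
    """Ordered attribute IDs the SP tries, in turn, when populating REMOTE_USER."""
    app = _first(ET.fromstring(xml_text), "ApplicationDefaults")
    return app.get("REMOTE_USER", "").split() if app is not None else []


def path_overrides(xml_text):
    """(host/path, authType, requireSession) for every Path under the RequestMapper."""
    found = []

    def walk(el, prefix):
        for child in el:
            name = _local(child.tag)
            if name == "Host":
                walk(child, child.get("name", ""))
            elif name == "Path":
                full = prefix + "/" + child.get("name", "")
                found.append((full, child.get("authType"), child.get("requireSession")))
                walk(child, full)
            else:
                walk(child, prefix)

    mapper = _first(ET.fromstring(xml_text), "RequestMapper")
    if mapper is not None:
        walk(mapper, "")
    return found


def handler_url_matches(xml_text, module_login_url):
    """True if the module's login handler URL lies under the SP's Sessions handlerURL."""
    sessions = _first(ET.fromstring(xml_text), "Sessions")
    handler = sessions.get("handlerURL", "/Shibboleth.sso") if sessions is not None else "/Shibboleth.sso"
    return urlparse(module_login_url).path.startswith(handler.rstrip("/") + "/")


def check_config(xml_text, module_login_url, required_attr="uid"):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    attrs = remote_user_attributes(xml_text)
    if required_attr not in attrs:
        findings.append(f"REMOTE_USER={attrs} does not include {required_attr!r}; "
                        "the SP will not populate REMOTE_USER from that attribute")
    if not path_overrides(xml_text):
        findings.append("no RequestMapper Path overrides found")
    if not handler_url_matches(xml_text, module_login_url):
        findings.append(f"module login handler {module_login_url} is not under the SP handlerURL")
    return findings


if __name__ == "__main__":
    # Hypothetical module setting, modelled on the handler URL form quoted in the thread.
    login_url = "https://sp.example.org/Shibboleth.sso/Login"
    for label, cfg in (("complete", SAMPLE_SHIBBOLETH2_XML), ("missing", SAMPLE_MISSING_BOTH)):
        print(label, check_config(cfg, login_url) or "OK")
```

Run it against a real shibboleth2.xml by reading the file into `check_config` together with the login handler URL from the module settings; each finding names the specific section to compare against a working configuration such as the sanitized one Eve offered.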