[shib_auth] Access Denied despite successful SSO Session
Alexander Ivanov
alex at calmforce.com
Tue Sep 27 07:50:40 CEST 2016
I can see that the module is attempting to find the email and uid variables
in the $_SERVER array, but the attributes from the SSO do not show up
there. I don't know what is configured wrong!
Here is the full module configuration:
On Tue, Sep 27, 2016 at 12:58 AM, Alexander Ivanov <alex at calmforce.com>
wrote:
> Hi Eve,
>
> Thank you for your response. Yes, if you could, please send me a
> sanitized version of your shibboleth2.xml
>
> I've tried making the couple config changes that you've mentioned, but I
> keep seeing the same *access denied* message in the error log.
>
> *Module configuration*
> *Shibboleth login handler URL:*
> https://stage.qdr.org/Shibboleth.sso/Login
> *Shibboleth logout handler URL:*
> https://stage.qdr.org/Shibboleth.sso/Logout
>
> All other settings are default.
>
> Thanks,
> Alex
>
>
> On Mon, Sep 26, 2016 at 2:35 PM, Eve Edelson <ecedelson at lbl.gov> wrote:
>
>> Hello Alex,
>> I am comparing your shibboleth2.xml with ours.
>> So far I see a few differences, but I'm not sure if they are the
>> meaningful ones:
>>
>> Yours is missing this section:
>>
>> <RequestMapper type="Native">
>> <RequestMap applicationId="default">
>> <Host name="your domain name">
>> <Path name="eta-intranet">
>> <Path name="installation" authType="shibboleth" requireSession="false" />
>> </Path>
>> </Host>
>> </RequestMap>
>> </RequestMapper>
>>
>> and this line is missing uid
>>
>> <ApplicationDefaults entityID="https://your domain name/" REMOTE_USER="*uid* eppn persistent-id targeted-id">
>>
>> Also the Sessions session has some attributes that ours is actually
>> missing.
>>
>> If you want I can send you a sanitized version of what we're using.
>>
>>
>> I'll keep looking at this, but my attention is fragmented right now ;]
>>
>> Could you mention how you configured the shib_auth module?
>> It's probably correct, I just wondered.
>>
>> =====
>>
>>
>>
>> On Sun, Sep 25, 2016 at 10:36 PM, Alexander Ivanov <alex at calmforce.com>
>> wrote:
>>
>>> Hi everyone,
>>>
>>> I'm the lead developer for the QDR site (https://qdr.syr.edu/), which
>>> is running Drupal 7. We are developing an integration with a Shibboleth
>>> IdP. On our Stage site I have installed and enabled shib_auth module ver
>>> 7.x-4.3. In that same environment, we've set up the Shibboleth IdP and SP.
>>>
>>> I ran into some issues when I attempted to configure the Shib SP
>>> (version 2.5.6). I contacted the Shibboleth mailing list, and I was
>>> informed that the configuration examples provided in the wiki for shib_auth
>>> module (https://wiki.aai.niif.hu/index.php?title=DrupalShibbolethReadmeDev)
>>> are outdated. The configuration examples for shibboleth2.xml
>>> must correspond to an earlier version of the Shibboleth SP. Related
>>> Shibboleth mailing list thread:
>>> http://shibboleth.1660669.n2.nabble.com/Error-Unable-to-locate-a-SAML-2-0-ACS-endpoint-to-use-for-response-td7628164.html
>>>
>>> Currently our IdP and SP are functional such that when I go to the
>>> Drupal login page and click on Shibboleth Login link, I am taken to our IdP
>>> authentication page. Once I login there, I am successfully redirected back
>>> to the Drupal site. When I check the status of the SSO Session I see that
>>> a session is created and attribute values are passed for the
>>> IdP-authenticated user. However, despite the successful SSO session, the
>>> auto-login into Drupal fails. I am not logged into the site, and in the
>>> error log I just see an *access denied* message.
>>>
>>> I am attaching our shibboleth2.xml config file. I think that I may be
>>> missing something in the SP configuration. I tried to make the best of the
>>> wiki example, but I think this may need to be configured a bit
>>> differently for Shibboleth SP version > 2.4. Please let me know if this is
>>> the case.
>>>
>>> I appreciate any advice you may have for making our Shibboleth IdP
>>> integration work. Thank you in advance for your help.
>>>
>>> My Best,
>>> Alex
>>>
>>>
>>> _______________________________________________
>>> shib_auth mailing list
>>> shib_auth at listserv.niif.hu
>>> https://listserv.niif.hu/mailman/listinfo/shib_auth
>>>
>>>
>>
>
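The two shibboleth2.xml differences Eve points out above (REMOTE_USER not listing uid, and no RequestMapper/RequestMap section) are the kind of thing that is easy to miss by eye in a long SP config. The following is an added example, not code from the thread or from the shib_auth project: a small Python lint that parses a shibboleth2.xml and reports those gaps, plus a helper showing how the SP fills REMOTE_USER from the first listed attribute ID that the session actually carries. The two embedded configs are constructed samples (example.org host names), not the attachment from the thread, and the element/attribute names are the standard Shibboleth SP 2.x native configuration ones.

```python
"""Lint a shibboleth2.xml for the two gaps discussed in the thread."""
import xml.etree.ElementTree as ET

# Constructed sample (not the thread's attachment): REMOTE_USER lacks "uid"
# and there is no RequestMapper, i.e. both problems Eve described.
SP_CONFIG_MISSING = """<?xml version="1.0" encoding="UTF-8"?>
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                       REMOTE_USER="eppn persistent-id targeted-id">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="https">
      <SSO entityID="https://idp.example.org/idp/shibboleth">SAML2</SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>
"""

# Constructed sample with both items present.
SP_CONFIG_FIXED = """<?xml version="1.0" encoding="UTF-8"?>
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="sp.example.org">
        <Path name="user" authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                       REMOTE_USER="uid eppn persistent-id targeted-id">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="https">
      <SSO entityID="https://idp.example.org/idp/shibboleth">SAML2</SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>
"""


def _local(tag):
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def _elements(root, name):
    """All descendants of root (root included) whose local name is `name`."""
    return [e for e in root.iter() if _local(e.tag) == name]


def lint_sp_config(xml_text, required_ids=("uid",)):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    root = ET.fromstring(xml_text)

    app = _elements(root, "ApplicationDefaults")
    if not app:
        findings.append("no ApplicationDefaults element")
    else:
        # REMOTE_USER is a whitespace-separated, ordered list of attribute IDs.
        remote_user = app[0].get("REMOTE_USER", "").split()
        for attr_id in required_ids:
            if attr_id not in remote_user:
                findings.append(f"REMOTE_USER does not list '{attr_id}'")
        sessions = _elements(app[0], "Sessions")
        if not sessions:
            findings.append("no Sessions element under ApplicationDefaults")
        elif not sessions[0].get("handlerURL"):
            findings.append("Sessions has no handlerURL")

    if not _elements(root, "RequestMapper"):
        findings.append("no RequestMapper element")
    elif not _elements(root, "Host"):
        findings.append("RequestMapper has no Host entries")
    return findings


def remote_user_value(remote_user_ids, session_attributes):
    """Mimic how the SP populates REMOTE_USER: the first listed attribute ID
    that has a value in the session wins; None if none of them is present."""
    for attr_id in remote_user_ids:
        value = session_attributes.get(attr_id)
        if value:
            return value
    return None


if __name__ == "__main__":
    for label, cfg in (("missing", SP_CONFIG_MISSING), ("fixed", SP_CONFIG_FIXED)):
        print(label, lint_sp_config(cfg) or "OK")
    # Session that carries eppn but no uid: REMOTE_USER falls through to eppn.
    print(remote_user_value(["uid", "eppn"], {"eppn": "alice@example.org"}))
```

Running it on a real file is a matter of `lint_sp_config(open("/etc/shibboleth/shibboleth2.xml").read())`. Note that a clean lint only says the SP is willing to expose these attributes; whether uid or mail actually reach `$_SERVER` also depends on the IdP releasing them and on the attribute-map.xml mapping, which this check does not cover.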