[shib_auth] Access Denied despite successful SSO Session

Alexander Ivanov alex at calmforce.com
Tue Sep 27 07:51:13 CEST 2016


I'm sorry, here is the full module configuration:

MODULE CONFIGURATION:

Array
(
    [account_linking] => 0
    [account_linking_text] => Link this account with another identity
    [auto_destroy_session] =>
    [debug_state] => 1
    [debug_url] =>
    [define_username] => 0
    [email_variable] => HTTP_SHIB_MAIL
    [enable_custom_mail] => 0
    [force_https] => 0
    [forceauthn] =>
    [full_handler_url] => https://stage.qdr.org/Shibboleth.sso/Login
    [full_logout_url] => https://stage.qdr.org/Shibboleth.sso/Logout
    [handler_protocol] => https
    [handler_url] => /Shibboleth.sso
    [is_passive] =>
    [link_text] => Shibboleth Login
    [login_url] =>
    [logout_url] => /
    [terms_accept] =>
    [terms_url] => /
    [terms_ver] =>
    [username_variable] => REMOTE_USER
    [wayf_uri] => /DS
)

On Tue, Sep 27, 2016 at 1:50 AM, Alexander Ivanov <alex at calmforce.com>
wrote:

> I can see that the module is attempting to find the email and uid
> variables in the $_SERVER array, but the attributes from the SSO do not
> show up there.  I don't know what is configured wrong!
>
> Here is the full module configuration:
>
> On Tue, Sep 27, 2016 at 12:58 AM, Alexander Ivanov <alex at calmforce.com>
> wrote:
>
>> Hi Eve,
>>
>> Thank you for your response.  Yes, if you could, please send me a
>> sanitized version of your shibboleth2.xml
>>
>> I've tried making the couple config changes that you've mentioned, but I
>> keep seeing the same *access denied* message in the error log.
>>
>> *Module configuration*
>> *Shibboleth login handler URL:*
>> https://stage.qdr.org/Shibboleth.sso/Login
>> *Shibboleth logout handler URL:*
>> https://stage.qdr.org/Shibboleth.sso/Logout
>>
>> All other settings are default.
>>
>> Thanks,
>> Alex
>>
>>
>> On Mon, Sep 26, 2016 at 2:35 PM, Eve Edelson <ecedelson at lbl.gov> wrote:
>>
>>> Hello Alex,
>>> I am comparing your shibboleth2.xml with ours.
>>> So far I see a few differences, but I'm not sure if they are the
>>> meaningful ones:
>>>
>>> Yours is missing this section:
>>>
>>> <RequestMapper type="Native">
>>>   <RequestMap applicationId="default">
>>>     <Host name="your domain name">
>>>       <Path name="eta-intranet">
>>>         <Path name="installation" authType="shibboleth" requireSession="false" />
>>>       </Path>
>>>     </Host>
>>>   </RequestMap>
>>> </RequestMapper>
>>>
>>> and this line is missing uid
>>>
>>> <ApplicationDefaults entityID="https://your domain name/" REMOTE_USER="uid eppn persistent-id targeted-id">
>>>
>>> Also the Sessions section has some attributes that ours is actually
>>> missing.
>>>
>>> If you want I can send you a sanitized version of what we're using.
>>>
>>>
>>> I'll keep looking at this, but my attention is fragmented right now ;]
>>>
>>> Could you mention how you configured the shib_auth module?
>>> It's probably correct, I just wondered.
>>>
>>> =====
>>>
>>>
>>>
>>> On Sun, Sep 25, 2016 at 10:36 PM, Alexander Ivanov <alex at calmforce.com>
>>> wrote:
>>>
>>>> Hi everyone,
>>>>
>>>> I'm the lead developer for the QDR site (https://qdr.syr.edu/), which
>>>> is running Drupal 7.  We are developing an integration with a Shibboleth
>>>> IdP.  On our Stage site I have installed and enabled shib_auth module ver
>>>> 7.x-4.3.  In that same environment, we've set up the Shibboleth IdP and SP.
>>>>
>>>> I ran into some issues when I attempted to configure the Shib SP
>>>> (version 2.5.6).  I contacted the Shibboleth mailing list, and I was
>>>> informed that the configuration examples provided in the wiki for shib_auth
>>>> module (https://wiki.aai.niif.hu/index.php?title=DrupalShibbolethReadmeDev)
>>>> are outdated.  The configuration examples for shibboleth2.xml
>>>> must correspond to an earlier version of the Shibboleth SP.  Related
>>>> Shibboleth mailing list thread:
>>>> http://shibboleth.1660669.n2.nabble.com/Error-Unable-to-locate-a-SAML-2-0-ACS-endpoint-to-use-for-response-td7628164.html
>>>>
>>>> Currently our IdP and SP are functional such that when I go to the
>>>> Drupal login page and click on Shibboleth Login link, I am taken to our IdP
>>>> authentication page.  Once I login there, I am successfully redirected back
>>>> to the Drupal site.  When I check the status of the SSO Session I see that
>>>> a session is created and attribute values are passed for the
>>>> IdP-authenticated user.  However, despite the successful SSO session, the
>>>> auto-login into Drupal fails. I am not logged into the site, and in the
>>>> error log I just see an *access denied* message.
>>>>
>>>> I am attaching our shibboleth2.xml config file.  I think that I may be
>>>> missing something in the SP configuration.  I tried to make the best of the
>>>> wiki example, but I think this may need to be configured a bit
>>>> differently for Shibboleth SP version > 2.4.  Please let me know if this is
>>>> the case.
>>>>
>>>> I appreciate any advice you may have for making our Shibboleth IdP
>>>> integration work.  Thank you in advance for your help.
>>>>
>>>> My Best,
>>>> Alex
>>>>
>>>>
>>>> _______________________________________________
>>>> shib_auth mailing list
>>>> shib_auth at listserv.niif.hu
>>>> https://listserv.niif.hu/mailman/listinfo/shib_auth
>>>>
>>>>
>>>
>>
>
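The two shibboleth2.xml differences Eve points to in the thread (a RequestMapper path for the site, and "uid" missing from the REMOTE_USER attribute list on ApplicationDefaults) can be checked mechanically. The script below is an added example, not code from this thread or from the shib_auth project. It parses a constructed shibboleth2.xml fragment; the hostname stage.example.org, the path name "drupal", and the released attribute values are placeholders. The resolve_remote_user function mimics the SP's rule that REMOTE_USER takes the first attribute in the list that has a value, which matters here because the module configuration above reads REMOTE_USER as its username_variable.

```python
"""Lint a shibboleth2.xml fragment for the two gaps discussed in the thread."""
import xml.etree.ElementTree as ET

# Default namespace of the SP's native configuration file.
NS = {"conf": "urn:mace:shibboleth:2.0:native:sp:config"}

# Constructed sample: no Path for the site, and REMOTE_USER does not list uid.
SAMPLE_XML = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="stage.example.org">
        <Path name="other-app" authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults entityID="https://stage.example.org/"
                       REMOTE_USER="eppn persistent-id targeted-id"/>
</SPConfig>"""

# Constructed corrected sample: site path mapped, uid first in REMOTE_USER.
FIXED_XML = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="stage.example.org">
        <Path name="drupal" authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults entityID="https://stage.example.org/"
                       REMOTE_USER="uid eppn persistent-id targeted-id"/>
</SPConfig>"""

# Constructed attribute release: the IdP hands over uid and mail only (placeholder values).
RELEASED = {"uid": "alice", "mail": "alice@example.org"}


def remote_user_sources(root):
    """Return the space-separated attribute IDs the SP may copy into REMOTE_USER."""
    app = root.find("conf:ApplicationDefaults", NS)
    if app is None:
        return []
    return app.get("REMOTE_USER", "").split()


def resolve_remote_user(sources, released):
    """Mimic the SP: REMOTE_USER is the first listed attribute that has a value."""
    for attr in sources:
        if released.get(attr):
            return released[attr]
    return ""


def mapped_paths(root, host):
    """Collect every <Path> (nested ones included) under <Host name=host>."""
    paths = {}
    for h in root.findall(".//conf:RequestMapper/conf:RequestMap/conf:Host", NS):
        if h.get("name") != host:
            continue
        for p in h.iter("{%s}Path" % NS["conf"]):
            paths[p.get("name")] = (p.get("authType"), p.get("requireSession"))
    return paths


def lint(xml_text, host, path, required_attr, released):
    """Return a list of findings; an empty list means both checks pass."""
    root = ET.fromstring(xml_text)
    findings = []
    sources = remote_user_sources(root)
    if required_attr not in sources:
        findings.append("REMOTE_USER list %r lacks %r" % (sources, required_attr))
    if not resolve_remote_user(sources, released):
        findings.append("REMOTE_USER would be empty for the released attributes")
    paths = mapped_paths(root, host)
    if path not in paths:
        findings.append("no <Path name=%r> under <Host name=%r>" % (path, host))
    elif paths[path][0] != "shibboleth":
        findings.append("<Path name=%r> has authType %r, not shibboleth" % (path, paths[path][0]))
    return findings


def lint_sample():
    return lint(SAMPLE_XML, "stage.example.org", "drupal", "uid", RELEASED)


def lint_fixed():
    return lint(FIXED_XML, "stage.example.org", "drupal", "uid", RELEASED)


if __name__ == "__main__":
    for name, result in (("sample", lint_sample()), ("fixed", lint_fixed())):
        print(name, result or "OK")
```

Run it against a real shibboleth2.xml by passing the file contents to lint() with the site's own hostname and path; with only uid released, the sample's REMOTE_USER resolves to nothing, which leaves the module with no username to log in.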