Redirect loop with shibboleth SP & apache

Enrique Pérez Arnaud eperez at emergya.com
Mon May 11 05:29:29 EDT 2015


Hi Peter,

Thank you for your comments.

2015-05-11 10:43 GMT+02:00 Peter Schober <peter.schober at univie.ac.at>:

> * Enrique Pérez Arnaud <eperez at emergya.com> [2015-05-11 09:11]:
> > ==> /var/log/apache2/keystone.log <==
> > 2015-05-08 14:04:23.190042 get_request_config created per-request structure
> > 2015-05-08 14:04:23.190089 AH02034: Subsequent (No.54) HTTPS request received for child 80 (server ipnett-pre.emergya.es:443)
> > 2015-05-08 14:04:23.190136 AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
> > 2015-05-08 14:04:23.190152 AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
>
> That doesn't seem to match your httpd config, which shows a listener
> only on port 5000 (the log above says ipnett-pre.emergya.es:443)?
>

I'm very sorry, I accidentally attached old config files; the actual port
used is 443. I now attach the correct ones.


>
> Looks like an ordinary httpd 2.4 authz issue (I'm still confused by
> 2.4's new authz model, so can't advise).
>
> > We attach the apache and shibboleth conf.
>
> Some more comments:
>
> What gave you the impression you'd have to set the SP's entityID to
> "https://ipnett-pre.emergya.es:5000/Shibboleth.sso" specifically?
> See https://wiki.shibboleth.net/confluence/display/CONCEPT/EntityNaming


We changed it to https://ipnett-pre.emergya.es/Shibboleth.sso


>
>
> Also, what gave you the impression you'd have to create an
> ApplicationOverride, creating a second virtual SP? Often this is not
> required, and even if it is, it requires extra SAML metadata for the
> second virtual SP given to the IdP, which you have possibly
> neglected. Pay special attention to the page
>
> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride
> including the section "Valid and Invalid Reasons for Additional
> Applications".
>
> More importantly, it does not make any sense to create a second
> virtualized SP and give it the exact same (weird, as per above) entityID
> as the default one. The sole purpose of being able to specify an
> entityID for the ApplicationOverride is for the entityID to be
> different. (Iff you determined that you absolutely require the use of
> an ApplicationOverride to begin with.)
>
> So I'd start by commenting out the application override in your
> shibboleth2.xml and commenting out the applicationId parameter in your
> httpd conf. Then try again, and this time also check your Shib logs
> (including native.log).
>

If we do that, then after logging in to the IdP, when the browser is
redirected to our app (which requires Shibboleth authn), we get a 404
response with body:

{"error": {"message": "Could not find Identity Provider: https://ipnett-idp.emergya.es/idp/shibboleth", "code": 404, "title": "Not Found"}}

I have all logs set to DEBUG, but after the 404 all I can see in the
logs is:

==> /var/log/shibboleth/shibd.log <==
2015-05-11 11:26:08 DEBUG Shibboleth.Listener [1]: dispatching message (find::StorageService::SessionCache)
2015-05-11 11:26:08 DEBUG XMLTooling.StorageService [1]: updated expiration of valid records in context (_a293efad92edbda84c8dd5d13ffe2209) to (1431339968)
2015-05-11 11:26:08 DEBUG Shibboleth.Listener [1]: dispatching message (touch::StorageService::SessionCache)
2015-05-11 11:26:08 DEBUG XMLTooling.StorageService [1]: updated expiration of valid records in context (_a293efad92edbda84c8dd5d13ffe2209) to (1431339968)


-- 
Enrique Pérez Arnaud
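As an added example (not from the original thread and not either poster's attached configuration), here is an httpd 2.4 virtual host for a Shibboleth-protected Keystone federation endpoint that follows Peter's advice: no `ShibRequestSetting applicationId`, so the SP's default application (entityID https://ipnett-pre.emergya.es/Shibboleth.sso) is used and no ApplicationOverride is needed, and an authz rule that checks for the Shibboleth session directly instead of relying on REMOTE_USER. The hostname and IdP entityID come from the thread; the Keystone endpoint path, the identity provider name "ipnett-idp" and the protocol name "saml2" are assumptions about this deployment.

```apache
# Added example; hostnames from the thread, endpoint path and the names
# "ipnett-idp" / "saml2" are assumptions about the deployment.
<VirtualHost *:443>
    ServerName ipnett-pre.emergya.es
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile as in the real vhost

    # The SP handler must be reachable without authentication so the SAML
    # response posted back by the IdP can be consumed.
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    # Keystone federation endpoint (assumed path for a protocol named "saml2").
    <Location /v3/OS-FEDERATION/identity_providers/ipnett-idp/protocols/saml2/auth>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        # Deliberately no "ShibRequestSetting applicationId": the default
        # application in shibboleth2.xml handles this location.
        # "shib-session" is satisfied as soon as a Shibboleth session exists,
        # whether or not a REMOTE_USER attribute was mapped for the user.
        Require shib-session
    </Location>
</VirtualHost>
```

Two checks worth making with this configuration: after removing the ApplicationOverride from shibboleth2.xml, the metadata registered at the IdP must describe the single SP entityID above, and the 404 body quoted in this message is Keystone's own error format, so the request did get past the SP. Keystone looks up the identity provider by the value of its `remote_id_attribute` (for Shibboleth, the Shib-Identity-Provider variable), so the identity provider record in Keystone must carry https://ipnett-idp.emergya.es/idp/shibboleth as a remote_id for that lookup to succeed.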
-------------- next part --------------
A non-text attachment was scrubbed...
Name: keystone.conf
Type: application/octet-stream
Size: 1273 bytes
Desc: not available
URL: <http://shibboleth.net/pipermail/users/attachments/20150511/961189b3/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: shibboleth2.xml
Type: text/xml
Size: 7157 bytes
Desc: not available
URL: <http://shibboleth.net/pipermail/users/attachments/20150511/961189b3/attachment.xml>