Wordpress & Shibboleth Headers

Peter Schober peter.schober at univie.ac.at
Tue May 10 10:49:59 EDT 2016

* Mr. Christopher Bland <chris at fdu.edu> [2016-05-10 03:51]:
> Just deployed a new Wordpress v4.5.2 install with a v2.5.6 SP.  I am
> using the Shibboleth v1.7 plugin in multisite WP config.  I verified
> my SP is working. Right now I am getting an infinite loop when I try
> to login because the Shibboleth plugin doesn’t see the Shibboleth
> headers.  Based on the posts I’ve read and testing to confirm it
> seems that the shibboleth_session_active() in the plugin is looking
> for Shib-Session-ID', 'Shib_Session_ID’, or
> ‘HTTP_SHIB_IDENTITY_PROVIDER’ header variables and not finding it.
> I dumped all of the $_SERVER variables and they’re populated, just
> not the Shibboleth ones.

Terminology nit: Unless you changed your Shib config to populate HTTP
Request Headers instead of (web server) environment variables (which
you shouldn't) there won't be any headers. So those HTTP_something
headers won't appear, the others (Shib-Identity-Provider etc.) of
course should, for resources the Shib SP has been instructed to care

If you don't see the envvars set by Shib then likely the script you're
using to log/print them isn't protected by the Shib SP, not even
"passively" (as in "require shibboleth", search for Lazy Sessions in
the wiki). So that may be a fault of your testing approach or it may
well be the very reason for the loop you're seeing.

Once you see any of the envvars you'll probably notice that their
names don't match what WordPress expects. IIRC that has to do with
mod_rewrite (as used heavily by popular PHP applications) and httpd
sub-requests, possibly changing 'foo' into 'REDIRECT_foo' (or some
such). Adding Lazy Sessions to the whole server (Location /) may or
may not fix that.
There were two threads about that on June 6th and 8th 2011 (in the
context of a Drupal deployment, but same thing), but it seems the
availably archives only go back until July 2011...

> I’ve seen a few posts from people with the same issue but everyone
> seems to say it was a configuration issue, no explanation.

Gotta love that.


More information about the users mailing list