Configuration of SP with apache and mod_shib - HTTP 401 error

Peter Schober peter.schober at univie.ac.at
Wed May 10 07:06:22 EDT 2017


* Rafal Lalik <rafal.lalik at ph.tum.de> [2017-05-10 12:31]:
> * system CentOS 7
> * apache-2.4.6
> * shibboleth-2.6.0
> * indico-1.9.10 (from git)
> * mod_uwsgi-3.4
> 
> uwsgi is used to redirect django/python request to python
> interpreter. I put its config in apache for a record but IMHO it
> doesn't interfere with shibboleth.

You can always try disabling mod_(proxy_)uwsgi completely and then see
whether the SP protection kicks in when accessing /login/sso/shibboleth.

Also, did you try running Indico just with mod_wsgi, as documented in
their docs? http://indico.readthedocs.io/en/latest/installation/
I note you have mod_wsgi enabled in your webserver (it's part of the
server signature), so did that work?

>   https://indico.ktas.ph.tum.de/login/sso/shibboleth
> 
> You can use this link above directly.

The relevant docs
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPWontProtect
don't have too much concrete info here, it seems (probably just
meaning it's environmental). So you'd have to go to the Troubleshooting
and Debugging info in the docs, and probably turn up debug logging for
the "native" category.

> <Location /secure>
>   AuthType shibboleth
>   ShibRequestSetting requireSession 1
>   require shib-session
> </Location>

If that doesn't work (and a quick curl test confirms it does not) then
I guess something must be interfering with your config, or your
request is not landing in the vhost with those directives.

>         <LocationMatch /login/sso/shibboleth>
>                 SSLRequireSSL
>                 AuthType Shibboleth
>                 ShibRequestSetting requireSession true
>                 Require valid-user
>                 Require shibboleth
>         </LocationMatch>

Note that according to
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPhtaccess#NativeSPhtaccess-RuleTypes
those last two should be "Require shib-session" (instead of
"valid-user") and "Require shibboleth" can be removed, as it's only
syntactic sugar for httpd if nothing should in fact be required (i.e.,
not your use-case).
But that shouldn't prevent the rules from working, so the above
/should/ work.

>         <IfModule mod_proxy_uwsgi.c>
>                 ProxyPass /Shibboleth.sso !
>                 ProxyPass /shibboleth-sp !
>                 ProxyPass /shibboleth !
>                 ProxyPass /secure !
>                 ProxyPass /login/sso/shibboleth !

Just wondering (and this is not really related to your error, more of
the opposite issue): If you don't proxy /login/sso/shibboleth to the
application, how would successful logins be communicated to the
application (if the request never reaches the application)?

-peter
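The two points raised above (use "Require shib-session" rather than "valid-user", and do not exclude /login/sso/shibboleth from proxying if the application is supposed to see the authenticated request) put together in one vhost fragment. This is an added example, not configuration from the original thread or from the Indico project; the backend address uwsgi://127.0.0.1:3031/ and the mod_proxy_uwsgi setup are assumptions.

```apache
# Added example, not from the original thread: a vhost fragment that keeps
# the SP handler out of the proxy but lets the protected login URL reach
# the application. The backend address is an assumption.

<IfModule mod_proxy_uwsgi.c>
    # Exclusions must precede the catch-all ProxyPass; mod_proxy matches in order.
    # The SP handler is served by mod_shib itself and must never be proxied.
    ProxyPass /Shibboleth.sso !
    # Static SP assets (error/metadata pages), if served from the filesystem.
    ProxyPass /shibboleth-sp !
    # /login/sso/shibboleth is deliberately NOT excluded: after the SP has
    # established a session, the request (and the attribute data mod_shib
    # exports) has to reach the application for the login to complete.
    ProxyPass / uwsgi://127.0.0.1:3031/
</IfModule>

<Location /login/sso/shibboleth>
    SSLRequireSSL
    AuthType shibboleth
    # Force an SP session; mod_shib redirects to /Shibboleth.sso/Login if none exists.
    ShibRequestSetting requireSession 1
    # "Require shib-session" is the documented rule; "valid-user" and the
    # always-satisfied "Require shibboleth" are dropped.
    Require shib-session
</Location>
```

A quick check from the command line after reloading httpd: an unauthenticated `curl -sI https://host/login/sso/shibboleth` should answer with a 302 whose Location header points at /Shibboleth.sso/Login. A 401 without that redirect, or a 200 straight from the application, means mod_shib is not handling the request and the request is landing somewhere other than the Location block above.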

