Configuration of SP with apache and mod_shib - HTTP 401 error

Takeshi NISHIMURA takeshi at nii.ac.jp
Wed May 10 07:22:56 EDT 2017


Hi Rafal,

Someone had a similar issue in:
https://issues.shibboleth.net/jira/browse/SSPCPP-628

I hope you could try moving the LoadModule line into the /etc/httpd/conf.modules.d/ directory.

Best regards,
Takeshi

On 2017/05/10 19:30, Rafal Lalik wrote:
> Hello,
> 
> I have a problem with deploying the shibboleth SP for use with indico. The problem is, I think, related to apache authentication rather than to indico itself.
> 
> The idea of the system is the following: in indico you can log in via a local account or via shibboleth. In the latter case, you are redirected to a directory which is protected by shibboleth, which should handle the authentication. But in my case, I always receive an HTTP 401 error:
> 
> Unauthorized
> 
> This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
> 
> The authentication works if I directly call /Shibboleth.sso/Login, and I can see session details after opening /Shibboleth.sso/Session or /Status.
> 
> First, configuration of my system:
> 
> * system CentOS 7
> * apache-2.4.6
> * shibboleth-2.6.0
> * indico-1.9.10 (from git)
> * mod_uwsgi-3.4
> 
> uwsgi is used to redirect django/python requests to the python interpreter. I put its config in apache for the record, but IMHO it doesn't interfere with shibboleth.
> 
> shibboleth.xml is configured according to: https://www.aai.dfn.de/dokumentation/service-provider/konfiguration/
> 
> For the test configuration, the SP is registered. The apache configuration is different (and presented below) due to the different versions of apache and shibboleth used in my system.
> 
> 
> For the test you can do the following:
> 
> Visit:
> 
>    https://indico.ktas.ph.tum.de/login/
> 
> Click "Login with Shibboleth" which refers to
> 
>    https://indico.ktas.ph.tum.de/login/sso/
> 
> which internally redirects to
> 
>    https://indico.ktas.ph.tum.de/login/sso/shibboleth
> 
> You can use this link above directly.
> 
> This should now be handled by apache and shibboleth, which should go to the DFN auth page according to the configuration, but the result is 401.
> 
> shib.conf also provides an example location at /secure:
> 
> https://indico.ktas.ph.tum.de/secure
> 
> which should also be handled by shibboleth but doesn't work either.
> 
> 
> Calling shibboleth directly:
> 
>    https://indico.ktas.ph.tum.de/Shibboleth.sso/Login
> 
> works.
> 
> 
> 
> Here is the apache configuration (comments are stripped), and below there is shibboleth.xml:
> 
> # shib.conf <<< EOF
> LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
> ShibCompatValidUser On
> 
> <Location /Shibboleth.sso>
>    SetHandler shib
>    AuthType None
>    Require all granted
> </Location>
> 
> <IfModule mod_alias.c>
>    <Location /shibboleth-sp>
>      AuthType None
>      Require all granted
>    </Location>
>    Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
> </IfModule>
> 
> <Location /secure>
>    AuthType shibboleth
>    ShibRequestSetting requireSession 1
>    require shib-session
> </Location>
> 
> EOF
> 
> # indico.conf <<< EOF
> AddDefaultCharset UTF-8
> 
> <VirtualHost *:80>
>          ServerName indico.ktas.ph.tum.de
>          ServerAlias indico
>          UseCanonicalName On
> 
>          RewriteEngine On
>          RewriteCond %{HTTPS} off
>          RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
> </VirtualHost>
> 
> <VirtualHost *:443>
>          ServerName indico.ktas.ph.tum.de
>          ServerAlias indico
>          LogLevel warn
> 
>          Alias /indico/images "/var/www/python/indico/htdocs/images"
>          Alias /indico/css "/var/www/python/indico/htdocs/css"
>          Alias /indico/js "/var/www/python/indico/htdocs/js"
>          Alias /indico/ihelp "/var/www/python/indico/htdocs/ihelp"
> 
>          # Aliases for resources used in Shibboleth error templates.
>          <IfModule mod_alias.c>
>                  <Location /shibboleth-sp>
>                          Satisfy Any
>                          Allow from all
>                  </Location>
>                  Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
>                  Alias /shibboleth-sp/logo.jpg /usr/share/shibboleth/logo.jpg
>          </IfModule>
> 
>          <LocationMatch /login/sso/shibboleth>
>                  SSLRequireSSL
>                  AuthType Shibboleth
>                  ShibRequestSetting requireSession true
>                  Require valid-user
>                  Require shibboleth
>          </LocationMatch>
> 
>          SSLEngine on
>          SSLCertificateFile /etc/ssl/certs/indico-cert.pem
>          SSLCertificateKeyFile /etc/ssl/certs/indico-privkey.pem
> 
>          Redirect seeother /shibboleth https://indico.ktas.ph.tum.de/Shibboleth.sso/Metadata
> 
>          SetHandler uwsgi-handler
>          <IfModule mod_proxy_uwsgi.c>
>                  ProxyPass /Shibboleth.sso !
>                  ProxyPass /shibboleth-sp !
>                  ProxyPass /shibboleth !
>                  ProxyPass /secure !
>                  ProxyPass /login/sso/shibboleth !
> 
>                  ProxyPass / uwsgi://localhost:3034/
>                  ProxyPassReverse / uwsgi://localhost:3034/
>                  RequestHeader set X-SCRIPT-NAME /
>                  RequestHeader set X-SCHEME http
>          </IfModule>
> </VirtualHost>
> 
> EOF
> 
> 
> For shibboleth.xml <<< EOF
> 
> 
> <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
>      xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
>      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>      xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>      clockSkew="180">
> 
>      <ApplicationDefaults
>          entityID="https://indico.ktas.ph.tum.de/shibboleth"
>          REMOTE_USER="eppn persistent-id targeted-id">
> 
>          <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
>              checkAddress="false" consistentAddress="true"
>              handlerSSL="true" cookieProps="https">
> 
>              <SSO discoveryProtocol="SAMLDS"
>                 discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-Test/wayf">
>                 SAML2
>              </SSO>
> 
>              <Logout>SAML2 Local</Logout>
> 
>              <Handler type="MetadataGenerator" Location="/Metadata"
>                  signing="false"/>
> 
>              <Handler type="Status" Location="/Status"
>                  acl="127.0.0.1"/>
> 
>              <Handler type="Session" Location="/Session"
>                  showAttributeValues="true"/>
> 
>              <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
>          </Sessions>
> 
>          <Errors supportContact="root at localhost"
>              helpLocation="/about.html"
>              styleSheet="/shibboleth-sp/main.css"/>
> 
>          <MetadataProvider type="Chaining">
>          <MetadataProvider type="XML" validate="true"
>              uri="http://www.aai.dfn.de/fileadmin/metadata/DFN-AAI-Test-metadata.xml"
>              backingFilePath="DFN-AAI-Test-metadata.xml"
>              reloadInterval="7200">
>              <MetadataFilter type="RequireValidUntil"
>                  maxValidityInterval="2419200"/>
>              <MetadataFilter type="Signature"
>                  certificate="/etc/shibboleth/dfn-aai.pem"/>
>          </MetadataProvider>
>          </MetadataProvider>
> 
>          <AttributeExtractor type="XML" validate="true"
>              reloadChanges="false" path="attribute-map.xml"/>
> 
>          <AttributeResolver type="Query" subjectMatch="true"/>
> 
>          <AttributeFilter type="XML" validate="true"
>              path="attribute-policy.xml"/>
> 
>          <CredentialResolver type="File"
>              key="/etc/shibboleth/sp-key.pem"
>              certificate="/etc/shibboleth/sp-cert.pem"/>
> 
>      </ApplicationDefaults>
>      <SecurityPolicyProvider type="XML" validate="true"
>          path="security-policy.xml"/>
> 
>      <ProtocolProvider type="XML" validate="true" reloadChanges="false"
>          path="protocols.xml"/>
> </SPConfig>
> 
> EOF
> 
> 
> I hope you can help me; I think I have used all my skills, knowledge and web resources to solve this. Probably I am making some simple and stupid mistake in the apache config, but I can't find it by myself. In my defence, I must admit that the variety of config options of different apache and shibboleth versions is really confusing.
> 
> Regards,
> Rafal
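An added check (not part of the thread, and not Shibboleth project code) for the suggestion above: it reports which files under an EL7-style httpd tree carry the `LoadModule mod_shib` line, passes only when the module is loaded from conf.modules.d and not from conf.d (httpd.conf on CentOS 7 includes conf.modules.d before conf.d, so a LoadModule in conf.d/shib.conf runs after every other module), and probes a protected path, which should answer with a 302 to /Shibboleth.sso/Login rather than a 401. The root directory and the probe URL are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example: locate and sanity-check the mod_shib LoadModule placement.
# Assumes the stock EL7 layout: $root/conf.modules.d/*.conf and $root/conf.d/*.conf.

# List every file under the httpd root that contains a LoadModule line for mod_shib.
shib_loadmodule_files() {
  root="${1:-/etc/httpd}"
  grep -l -E '^[[:space:]]*LoadModule[[:space:]]+mod_shib[[:space:]]' \
    "$root"/conf.modules.d/*.conf "$root"/conf.d/*.conf 2>/dev/null
}

# Succeed (exit 0) only when mod_shib is loaded from conf.modules.d and
# no copy of the LoadModule line remains in conf.d (where it would be
# processed after all the modules in conf.modules.d).
check_shib_placement() {
  root="${1:-/etc/httpd}"
  in_modules=0
  in_confd=0
  for f in $(shib_loadmodule_files "$root"); do
    case "$f" in
      "$root"/conf.modules.d/*) in_modules=1 ;;
      "$root"/conf.d/*)
        in_confd=1
        echo "LoadModule mod_shib found in $f (processed after conf.modules.d)" ;;
    esac
  done
  [ "$in_modules" -eq 1 ] && [ "$in_confd" -eq 0 ]
}

# Probe a protected URL without following redirects. A working SP-protected
# location prints "302 https://host/Shibboleth.sso/Login?..."; the failure
# described in the thread prints "401 " instead. Needs curl and a live server.
probe_protected() {
  curl -s -o /dev/null -w '%{http_code} %{redirect_url}\n' "$1"
}
```

Run `check_shib_placement /etc/httpd && probe_protected https://example.invalid/secure` on the SP host after moving the line; the placeholder host stands in for the real SP name.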
