Configuration of SP with apache and mod_shib - HTTP 401 error

Rafal Lalik rafal.lalik at
Wed May 10 07:45:01 EDT 2017

Dear Peter,

the problem was solved by this issue:

But I will comment to your points below.

> You can always try disabling mod_(proxy_)uwsgi completely and then see
> whether the SP protection kicks in when accessing /login/sso/shibboleth.
> Also, did you try running Indico just with mod_wsgi, as documented in
> their docs?
> I note you have mod_wsgi enabled in your websever (it's part of the
> server signature), so did that work?

So this point is not relevant any more. But I am using uwsgi as it is 
better way of calling django applications. And it works successfully for me.

>>          <LocationMatch /login/sso/shibboleth>
>>                  SSLRequireSSL
>>                  AuthType Shibboleth
>>                  ShibRequestSetting requireSession true
>>                  Require valid-user
>>                  Require shibboleth
>>          </LocationMatch>
> Note that according to
> those last two should be "Require shib-session" (instead of
> "valid-user") and "Require shibboleth" can be removed, as it's only
> syntactic sugar for httpd if nothing should in fact be required (i.e.,
> not your use-case).
> But that shouldn't prevent the rules from working, so the above
> /should/ work.

Currently, I just only Require shib-session, which looks as is working, 
but I cannot yet make full authentication for indico since, I guess, I 
ma receiving incomplete data from my IdP. But this I will verify when I 
run final production service with IdP.

>>          <IfModule mod_proxy_uwsgi.c>
>>                  ProxyPass /Shibboleth.sso !
>>                  ProxyPass /shibboleth-sp !
>>                  ProxyPass /shibboleth !
>>                  ProxyPass /secure !
>>                  ProxyPass /login/sso/shibboleth !
> Just wondering (and this is not really related to your error, more of
> the opposite issue): If you don't proxy /login/sso/shibboleth to the
> application, how would successful logins be communicated to the
> application (if the request never reaches the application)?

True, the "ProxyPass /login/sso/shibboleth !" line must be removed to 
make it fully working.

Thanks and regards,

Dr. Rafal Lalik

Technische Universität München
Fakultät für Physik, E62
James-Franck-Str. 1
85748 Garching

Room   :  2152
E-mail :  Rafal.Lalik at
Tel    :  (+49) 089 289 12488

More information about the users mailing list