Configuration of SP with apache and mod_shib - HTTP 401 error
rafal.lalik at ph.tum.de
Wed May 10 07:45:01 EDT 2017
the problem was solved by this issue:
But I will comment to your points below.
> You can always try disabling mod_(proxy_)uwsgi completely and then see
> whether the SP protection kicks in when accessing /login/sso/shibboleth.
> Also, did you try running Indico just with mod_wsgi, as documented in
> their docs? http://indico.readthedocs.io/en/latest/installation/
> I note you have mod_wsgi enabled in your websever (it's part of the
> server signature), so did that work?
So this point is not relevant any more. But I am using uwsgi as it is
better way of calling django applications. And it works successfully for me.
>> <LocationMatch /login/sso/shibboleth>
>> AuthType Shibboleth
>> ShibRequestSetting requireSession true
>> Require valid-user
>> Require shibboleth
> Note that according to
> those last two should be "Require shib-session" (instead of
> "valid-user") and "Require shibboleth" can be removed, as it's only
> syntactic sugar for httpd if nothing should in fact be required (i.e.,
> not your use-case).
> But that shouldn't prevent the rules from working, so the above
> /should/ work.
Currently, I just only Require shib-session, which looks as is working,
but I cannot yet make full authentication for indico since, I guess, I
ma receiving incomplete data from my IdP. But this I will verify when I
run final production service with IdP.
>> <IfModule mod_proxy_uwsgi.c>
>> ProxyPass /Shibboleth.sso !
>> ProxyPass /shibboleth-sp !
>> ProxyPass /shibboleth !
>> ProxyPass /secure !
>> ProxyPass /login/sso/shibboleth !
> Just wondering (and this is not really related to your error, more of
> the opposite issue): If you don't proxy /login/sso/shibboleth to the
> application, how would successful logins be communicated to the
> application (if the request never reaches the application)?
True, the "ProxyPass /login/sso/shibboleth !" line must be removed to
make it fully working.
Thanks and regards,
Dr. Rafal Lalik
Technische Universität München
Fakultät für Physik, E62
Room : 2152
E-mail : Rafal.Lalik at ph.tum.de
Tel : (+49) 089 289 12488
More information about the users