Configuring Apache 2.4 with Shibboleth SP 3.0.4

Christopher J. Hinkle chinkle at netlinkrg.com
Wed Mar 25 22:22:21 EDT 2020


It's MOSTLY working.  But mostly isn't good enough, and I need some advice.


Environment: Ubuntu 18.04.5 kernel 4.15.0-1063-aws / Apache 2.4.41 with PHP 7.2.28 / Shibboleth SP 3.0.4 (via libapache2-mod-shib and shibboleth, installed via apt with this repo: https://pkg.switch.ch/switchaai/ubuntu/dists/bionic/main/binary-all/misc/switchaai-apt-source_1.0.0ubuntu1_all.deb)


I'm to the point where I can authenticate with the IdP and I receive the
SAML response, and the Shibboleth session gets set up.  Navigating to
/Shibboleth.sso/Session and /Shibboleth.sso/Status work properly and show
that I've been authenticated.  The NameID attribute is filled with my logon
name.


The problem is that my application can't seem to see the authentication
info.  None of the Shibboleth environment variables get set in Apache for
the session. REMOTE_USER is not there, nor is Shib-Identity-Provider or any
other Shib* variable.  My logs are set to debug level, and I see
"shib_fixups entered in pid" messages but nothing about adding variables.


After I authenticate, when I try to access the site after declaring in the
application's VirtualHost directive, for example, the following:

        <Location /login>
                AuthType None
                Require all granted
        </Location>

        <Location />
                AuthType shibboleth
                ShibRequestSetting requireSession false
                Require shibboleth
        </Location>

        <Location /Shibboleth.sso>
                SetHandler shib
        </Location>

I get 500 errors with the following sample apache error log entries:

[Wed Mar 25 17:09:18.449533 2020] [mod_shib:debug] [pid 25353] mod_shib.cpp(369): [client 10.0.1.96:17652] get_request_config created per-request structure
[Wed Mar 25 17:09:18.449565 2020] [ssl:debug] [pid 25353] ssl_engine_kernel.c(383): [client 10.0.1.96:17652] AH02034: Initial (No.1) HTTPS request received for child 2 (server mytestserver.example.com:443)
[Wed Mar 25 17:09:18.449696 2020] [mod_shib:debug] [pid 25353] mod_shib.cpp(1613): [client 10.0.1.96:17652] shib_base_check_authz found uninitialized request object
[Wed Mar 25 17:09:18.449702 2020] [authz_core:debug] [pid 25353] mod_authz_core.c(820): [client 10.0.1.96:17652] AH01626: authorization result of Require shibboleth : denied (no authenticated user yet)
[Wed Mar 25 17:09:18.449706 2020] [authz_core:debug] [pid 25353] mod_authz_core.c(820): [client 10.0.1.96:17652] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Mar 25 17:09:18.449711 2020] [mod_shib:debug] [pid 25353] mod_shib.cpp(783): [client 10.0.1.96:17652] shib_check_user entered in pid (25353)
[Wed Mar 25 17:09:18.449764 2020] [authn_core:error] [pid 25353] [client 10.0.1.96:17652] AH01796: AuthType shibboleth configured without corresponding module
[Wed Mar 25 17:09:18.449780 2020] [headers:debug] [pid 25353] mod_headers.c(900): AH01503: headers: ap_headers_error_filter()
[Wed Mar 25 17:09:18.449883 2020] [ssl:debug] [pid 25353] ssl_engine_io.c(1106): [client 10.0.1.96:17652] AH02001: Connection closed to child 2 with standard shutdown (server mytestserver.example.com:443)


but then I go to https://mytestserver.example.com/Shibboleth.sso/Session and
see

Miscellaneous
Session Expiration (barring inactivity): 430 minute(s)
Client Address: 10.0.1.96
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: MYEXAMPLEIDP-ENTITYID
Authentication Time: 2020-03-25T20:26:09.130Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
Authentication Context Decl: (none)

Attributes
NameID: jsmit628


and https://mytestserver.example.com/Shibboleth.sso/Status:

<StatusHandler time="2020-03-25T21:16:59Z">
  <Version Xerces-C="3.2.0" XML-Tooling-C="3.0.5" XML-Security-C="2.0.2" OpenSAML-C="3.0.1" Shibboleth="3.0.4"/>
  <NonWindows sysname="Linux" nodename="myhostname" release="4.15.0-1063-aws" version="#67-Ubuntu SMP Mon Mar 2 07:24:29 UTC 2020" machine="x86_64"/>
  <SessionCache>
    <OK/>
  </SessionCache>
  <Application id="default" entityID="MYEXAMPLESP-ENTITYID"/>
  <MetadataProvider source="/etc/shibboleth/MYEXAMPLEIDP-ENTITYID.xml" lastUpdate="2020-03-25T19:17:22Z"/>
  <Handlers>
    <Handler type="AssertionConsumerService" Location="/SAML2/POST" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <Handler type="SessionInitiator" Location="/Login"/>
    <Handler type="LogoutInitiator" Location="/Logout"/>
    <Handler type="LogoutInitiator" Location="/Logout/Admin"/>
    <Handler type="MetadataGenerator" Location="/Metadata"/>
    <Handler type="Status" Location="/Status"/>
    <Handler type="Session" Location="/Session"/>
  </Handlers>
  <md:KeyDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" use="signing">...</md:KeyDescriptor>
  <md:KeyDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" use="encryption">...</md:KeyDescriptor>
  <Status>
    <OK/>
  </Status>
</StatusHandler>


My /var/log/shibboleth/transaction.log shows these entries:

2020-03-25 16:25:52|Shibboleth-TRANSACTION.AuthnRequest|||MYEXAMPLEIDP-ENTITYID||||||urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||||||
2020-03-25 16:26:09|Shibboleth-TRANSACTION.Login|jsmit628|_1b2688e008f0c9f7a5c81bded3ff4cdb|MYEXAMPLEIDP-ENTITYID|HWveYbCHEeoQpUwxtQ.1MfedLhF|urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified|2020-03-25T16:26:09|NameID(1)|jsmit628|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||urn:oasis:names:tc:SAML:2.0:status:Success|||Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36|10.0.1.96


To be clear, when I've tried to examine the environment variables like
REMOTE_USER, I can only get that information if I omit the <Location>
declarations from the Apache VirtualHost config. Otherwise attempts to view
the application return 500 errors.


Where am I going wrong?  I've been beating my head against a wall for a
couple of weeks on this.  I'd appreciate any insight.  Happy to provide more
information as well.


Thank you,

chris.

Christopher J. Hinkle, CISSP (he/him/his) <https://www.linkedin.com/in/chinkle>
+1 703.299.1580 x110
chinkle at netlinkrg.com
NetLink Resource Group, Inc.
www.netlinkrg.com <https://www.netlinkrg.com/>
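
As an added example that is not part of the original post: a small Python triage script that parses the Apache 2.4 error_log entries quoted above (re-embedded here as a constructed sample, each joined onto a single line) and reports the per-request hook order together with the two facts a reviewer reads out of it, namely that authz_core's "denied (no authenticated user yet)" is the normal Apache 2.4 trigger for authentication and that AH01796 is mod_authn_core's last-resort response when no authentication module claimed the configured AuthType, which is why the result is a 500. The function and variable names are my own.

```python
import re
from collections import defaultdict

# One Apache 2.4 error_log entry; "src" (file(line)), "[client ...]" and the AHnnnnn code are all optional.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] \[pid (?P<pid>\d+)\]"
    r"(?: (?P<src>[\w.]+\(\d+\)):)?"
    r"(?: \[client (?P<client>[^\]]+)\])?"
    r"(?: (?P<ah>AH\d{5}):)? (?P<msg>.*)$"
)

# Constructed sample: the entries quoted in the post, each joined back onto one line.
SAMPLE_LOG = """\
[Wed Mar 25 17:09:18.449533 2020] [mod_shib:debug] [pid 25353] mod_shib.cpp(369): [client 10.0.1.96:17652] get_request_config created per-request structure
[Wed Mar 25 17:09:18.449696 2020] [mod_shib:debug] [pid 25353] mod_shib.cpp(1613): [client 10.0.1.96:17652] shib_base_check_authz found uninitialized request object
[Wed Mar 25 17:09:18.449702 2020] [authz_core:debug] [pid 25353] mod_authz_core.c(820): [client 10.0.1.96:17652] AH01626: authorization result of Require shibboleth : denied (no authenticated user yet)
[Wed Mar 25 17:09:18.449711 2020] [mod_shib:debug] [pid 25353] mod_shib.cpp(783): [client 10.0.1.96:17652] shib_check_user entered in pid (25353)
[Wed Mar 25 17:09:18.449764 2020] [authn_core:error] [pid 25353] [client 10.0.1.96:17652] AH01796: AuthType shibboleth configured without corresponding module
[Wed Mar 25 17:09:18.449780 2020] [headers:debug] [pid 25353] mod_headers.c(900): AH01503: headers: ap_headers_error_filter()
"""

def parse_line(line):
    """Fields of one error_log line as a dict, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def hook_trace(text):
    """Per client ip:port, the (module, AH code) pairs in log order: the hook sequence Apache ran."""
    trace = defaultdict(list)
    for rec in filter(None, map(parse_line, text.splitlines())):
        trace[rec["client"] or "-"].append((rec["module"], rec["ah"]))
    return dict(trace)

def diagnose(text):
    """Findings a reviewer would pull out of the trace, as plain strings in log order."""
    recs = list(filter(None, map(parse_line, text.splitlines())))
    findings = []
    # Apache 2.4 evaluates Require directives first; authz_core's "denied (no authenticated
    # user yet)" is the normal signal that authentication must now run, not an error.
    if any(r["ah"] == "AH01626" and "no authenticated user yet" in r["msg"] for r in recs):
        findings.append("authz ran before authn: normal for Apache 2.4 Require directives")
    if any(r["module"] == "mod_shib" for r in recs):
        findings.append("mod_shib is loaded: it wrote its own debug entries for this request")
    # AH01796 is logged by mod_authn_core's last-resort check_authn hook, which runs only when
    # every earlier authentication hook returned DECLINED, and it answers with HTTP 500.
    if any(r["ah"] == "AH01796" for r in recs):
        findings.append("AH01796: no module claimed the AuthType, so the request ended in a 500")
    return findings
```

Running `hook_trace` on a real error_log at debug level shows, per client connection, which modules touched the request and in what order, which is the first thing to compare against the expected mod_shib sequence.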