Configuring Apache 2.4 with Shibboleth SP 3.0.4

Spencer Thomas Spencer.Thomas at
Thu Mar 26 09:16:29 EDT 2020

Also this in the server.xml, in particular relaxing the constraint on the attribute names (allowedRequestAttributesPattern)

    <Connector port="8009" protocol="AJP/1.3"  redirectPort="8443" tomcatAuthentication="false" secretRequired="false"  allowedRequestAttributesPattern=".*"/>

From: users <users-bounces at> on behalf of Spencer Thomas <Spencer.Thomas at>
Reply-To: Shib Users <users at>
Date: Thursday, March 26, 2020 at 9:03 AM
To: Shib Users <users at>
Subject: Re: Configuring Apache 2.4 with Shibboleth SP 3.0.4

How are you connecting from Apache to your protected application?

If you have a Java app, have you configured AJP forwarding?  Here’s the stanza from our apache configuration:

Listen 80
Listen 8080
<VirtualHost *:80 *:8080>
        ProxyPass /secure ajp://localhost:8009/secure
        ProxyPassReverse /secure ajp://localhost:8009/secure
        ProxyPass /start ajp://localhost:8009/start
        ProxyPassReverse /start ajp://localhost:8009/start

        ServerName https://

From: users <users-bounces at> on behalf of "Christopher J. Hinkle" <chinkle at>
Organization: NetLink Resource Group, Inc.
Reply-To: Shib Users <users at>
Date: Wednesday, March 25, 2020 at 10:22 PM
To: "users at" <users at>
Subject: Configuring Apache 2.4 with Shibboleth SP 3.0.4

It’s MOSTLY working.  But mostly isn’t good enough, and I need some advice.

Environment: Ubuntu 18.04.5 kernel 4.15.0-1063-aws / Apache 2.4.41 with PHP 7.2.28 / Shibboleth SP 3.0.4 (via libapache2-mod-shib and shibboleth installed via apt with this repo:

I’m to the point where I can authenticate with the IdP and I receive the SAML response, and the Shibboleth session gets set up.  Navigating to /Shibboleth.sso/Session and /Shibboleth.sso/Status work properly and show that I’ve been authenticated.  The NameID attribute is filled with my logon name.

The problem is that my application can’t seem to see the authentication info.  None of the Shibboleth environment variables get set in Apache for the session… REMOTE_USER is not there, nor is Shib-Identity-Provider or any other Shib* variable.  My logs are set to debug level, and I see “shib_fixups entered in pid” messages but nothing about adding variables.

After I authenticate, when I try to access the site after declaring in the application’s VirtualHost directive, for example, the following:
        <Location /login>
                AuthType None
                Require all granted
        <Location />
                AuthType shibboleth
                ShibRequestSetting requireSession false
                Require shibboleth
        <Location /Shibboleth.sso>
                SetHandler shib
I get 500 errors with the following sample apache error log entries:
[Wed Mar 25 17:09:18.449533 2020] [mod_shib:debug] [pid 25353] mod_shib.cpp(369): [client] get_request_config created per-request structure
[Wed Mar 25 17:09:18.449565 2020] [ssl:debug] [pid 25353] ssl_engine_kernel.c(383): [client] AH02034: Initial (No.1) HTTPS request received for child 2 (server
[Wed Mar 25 17:09:18.449696 2020] [mod_shib:debug] [pid 25353] mod_shib.cpp(1613): [client] shib_base_check_authz found uninitialized request object
[Wed Mar 25 17:09:18.449702 2020] [authz_core:debug] [pid 25353] mod_authz_core.c(820): [client] AH01626: authorization result of Require shibboleth : denied (no authenticated user yet)
[Wed Mar 25 17:09:18.449706 2020] [authz_core:debug] [pid 25353] mod_authz_core.c(820): [client] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Mar 25 17:09:18.449711 2020] [mod_shib:debug] [pid 25353] mod_shib.cpp(783): [client] shib_check_user entered in pid (25353)
[Wed Mar 25 17:09:18.449764 2020] [authn_core:error] [pid 25353] [client] AH01796: AuthType shibboleth configured without corresponding module
[Wed Mar 25 17:09:18.449780 2020] [headers:debug] [pid 25353] mod_headers.c(900): AH01503: headers: ap_headers_error_filter()
[Wed Mar 25 17:09:18.449883 2020] [ssl:debug] [pid 25353] ssl_engine_io.c(1106): [client] AH02001: Connection closed to child 2 with standard shutdown (server

but then I go to and see
Session Expiration (barring inactivity): 430 minute(s)
Client Address:
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Authentication Time: 2020-03-25T20:26:09.130Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
Authentication Context Decl: (none)

NameID: jsmit628

<StatusHandler time="2020-03-25T21:16:59Z">
<Version Xerces-C="3.2.0" XML-Tooling-C="3.0.5" XML-Security-C="2.0.2" OpenSAML-C="3.0.1" Shibboleth="3.0.4"/>
<NonWindows sysname="Linux" nodename="myhostname" release="4.15.0-1063-aws" version="#67-Ubuntu SMP Mon Mar 2 07:24:29 UTC 2020" machine="x86_64"/>
<Application id="default" entityID="MYEXAMPLESP-ENTITYID"/>
<MetadataProvider source="/etc/shibboleth/MYEXAMPLEIDP-ENTITYID.xml" lastUpdate="2020-03-25T19:17:22Z"/>
<Handler type="AssertionConsumerService" Location="/SAML2/POST" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<Handler type="SessionInitiator" Location="/Login"/>
<Handler type="LogoutInitiator" Location="/Logout"/>
<Handler type="LogoutInitiator" Location="/Logout/Admin"/>
<Handler type="MetadataGenerator" Location="/Metadata"/>
<Handler type="Status" Location="/Status"/>
<Handler type="Session" Location="/Session"/>
<md:KeyDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" use="signing">...</md:KeyDescriptor>
<md:KeyDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" use="encryption">...</md:KeyDescriptor>

My /var/log/shibboleth/transaction.log shows these entries:
2020-03-25 16:25:52|Shibboleth-TRANSACTION.AuthnRequest|||MYEXAMPLEIDP-ENTITYID||||||urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||||||
2020-03-25 16:26:09|Shibboleth-TRANSACTION.Login|jsmit628|_1b2688e008f0c9f7a5c81bded3ff4cdb|MYEXAMPLEIDP-ENTITYID|HWveYbCHEeoQpUwxtQ.1MfedLhF|urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified|2020-03-25T16:26:09|NameID(1)|jsmit628|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||urn:oasis:names:tc:SAML:2.0:status:Success|||Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36|

To be clear, when I’ve tried to examine the environment variables like REMOTE_USER, I can only get that information if I omit the <Location> declarations from the Apache VirtualHost config… otherwise attempts to view the application return 500 errors.

Where am I going wrong?  I’ve been beating my head against a wall for a couple weeks on this.  I’d appreciate any insight.  Happy to provide more information as well.

Thank you,

Christopher J. Hinkle, CISSP<>
+1 703.299.1580 x110<tel:+17033383850p110>

chinkle at<mailto:chinkle at>
NetLink Resource Group, Inc.<>

[Image removed by sender. NetLink Resource Group, Inc.]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list