403 Forbidden Issue

Nate Klingenstein ndk at sudonym.me
Tue Jan 25 22:14:01 UTC 2022


Pez,

I don't see anything immediately wrong with the configuration there.  The
trailing slash shouldn't matter.  Do you have any overriding
directives (like Directory blocks or .htaccess files) elsewhere in Apache's
configuration?

It's going to take some digging, but I think this is almost certainly an
Apache configuration issue.

Hope this helps, and I can understand why you're scratching your heads,
Nate

On Tue, Jan 25, 2022 at 2:02 PM Chris Lopez <pez at gwu.edu> wrote:

> Nate,
>
> Yes it is an Apache 403 error.
>
> I followed the documentation online as well as the examples that came with
> shibboleth for Apache 2.4
>
> These are the configurations inside the apache virtualhost configs.
>
> NOTE 1: I attempted configurations with and without a trailing slash after
> the /secure Location.
> NOTE 2: I have X'd out the entity id
>
>
>   <Location /Shibboleth.sso>
>     Require all granted
>     SetHandler shib
>   </Location>
>
>   <Location /secure/>
>     AuthType shibboleth
>     ShibRequestSetting requireSession 1
>     ShibRequestSetting entityID https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx/
>     require shib-session
>   </Location>
>
> Thanks
> Chris
>
>
> On Tue, Jan 25, 2022 at 3:51 PM Nate Klingenstein <ndk at sudonym.me> wrote:
>
>> Chris,
>>
>> Making the assumption that you're getting the 403 from Apache, the
>> authorization directives changed radically between versions 2.2 and 2.4.
>> Check the Apache settings that you have protecting that location to make
>> sure they match the OOTB configuration shipped with 3.3.
>>
>> If that all looks normal, we'll need more details.
>>
>> Take care,
>> Nate
>>
>>
>> On Tue, Jan 25, 2022 at 1:43 PM Chris Lopez via users <
>> users at shibboleth.net> wrote:
>>
>>> I was previously set up in an environment with coldfusion 11, apache 2.2
>>> and Shibboleth SP 2.0, and we had the environment working perfectly.
>>>
>>> We have recently set up a new environment with coldfusion 2018, apache
>>> 2.4 and Shibboleth SP 3.0. We have all of our configurations (both
>>> shibboleth, and apache) in place as they should be. When attempting to
>>> test, the user gets routed to authenticate (as it should), and the
>>> authentication process is successful (as it should). After authentication,
>>> it routes to /secure where it then shows a 403 Forbidden message.
>>>
>>> I noticed that it adds a slash at the end (/secure/), and thought that
>>> might be a problem, however, I don't believe that is the issue as (#1) the
>>> old environment behaves the same way and (#2) I added trailing slashes in
>>> the Location /secure/ settings as well. This had no effect, leading me to
>>> believe that isn't the issue.
>>>
>>> I have verified by going to /Shibboleth.sso/Sessions, checking
>>> transaction and shib logs, as well as using Chrome Developer Tools >
>>> Network > cookies, that a session indeed has been created, however the
>>> /secure Location is still throwing a 403 Forbidden.
>>>
>>> Our Identity guy and myself are banging our heads against the wall on
>>> this one... Please Help !!
>>>
>>> Thanks
>>> Pez
>>>
>>
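
Nate's suggestion to look for overriding directives, as an added example that is not part of the original thread or of Shibboleth's own tooling: a Python script that lists every authorization directive in an Apache configuration with its enclosing sections and marks the Apache 2.2-style ones. The sample configuration is constructed, and its Directory block and path are hypothetical.

```python
import re

# Apache 2.2 access-control directives; on 2.4 they only work via mod_access_compat.
LEGACY = {"order", "allow", "deny", "satisfy"}
# Directives that set or change authorization on 2.4.
AUTHZ = LEGACY | {"require", "authtype", "authmerging"}
OPEN = re.compile(r"<\s*(\w+)\s*(.*?)\s*>$")
CLOSE = re.compile(r"</\s*\w+\s*>$")

# Constructed sample: the two Location blocks from the thread plus a
# hypothetical Directory block carried over from an Apache 2.2 setup.
SAMPLE = """\
<VirtualHost *:443>
  <Directory "/var/www/html/secure">
    Order deny,allow
    Deny from all
  </Directory>
  <Location /Shibboleth.sso>
    Require all granted
    SetHandler shib
  </Location>
  <Location /secure/>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    require shib-session
  </Location>
</VirtualHost>
"""

def audit(text):
    """Return (line number, enclosing sections, directive, is_legacy) tuples."""
    findings, stack = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
        elif (m := OPEN.match(line)):
            stack.append(f"{m.group(1)} {m.group(2)}".strip())
        elif line.split()[0].lower() in AUTHZ:
            legacy = line.split()[0].lower() in LEGACY
            findings.append((lineno, " > ".join(stack) or "(top level)", line, legacy))
    return findings

if __name__ == "__main__":
    for lineno, scope, directive, legacy in audit(SAMPLE):
        print(f"{lineno:>3}  {'2.2-style' if legacy else '2.4':<9}  {scope}: {directive}")
```

The same function can be run over the text of each included configuration file and each .htaccess file, where directives are reported as "(top level)".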