403 Forbidden Issue
Chris Lopez
pez at gwu.edu
Tue Jan 25 22:41:48 UTC 2022
Nate,
There are no htaccess files. Here is the VH config for this domain:
<VirtualHost *:443>
  ServerName gwdar.test.gwu.edu
  ## Vhost docroot
  DocumentRoot "/docs/gwdar"
  ## Directories, there should at least be a declaration for /docs/gwdar
  <Directory "/docs/gwdar">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
    DirectoryIndex index.cfm default.cfm index.html index.html.var index.shtml
  </Directory>
  <Directory "/docs/gwdar/cgi">
    AllowOverride None
    Require all granted
    SSLOptions +StdEnvVars
  </Directory>
  ## Logging
  ErrorLog "/var/log/httpd/test_gwdar_error_ssl.log"
  ServerSignature Off
  CustomLog "/var/log/httpd/test_gwdar_access_ssl.log" combined
  ErrorDocument 403 /mod/errors/noaccess.cfm
  ErrorDocument 404 /mod/errors/notfound.cfm
  ErrorDocument 503 /mod/errors/servererror.html
  ## Rewrite rules
  RewriteEngine On
  RewriteRule ^(.*/)?\.git+ - [R=404]
  RewriteCond %{HTTP_HOST} !^gwdar.test.gwu.edu$ [NC]
  RewriteRule ^(.*)$ https://gwdar.test.gwu.edu/$1 [R=302]
  ## Script alias directives
  ScriptAlias /cgi/ "/docs/gwdar/cgi/"
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
  ## SSL directives
  SSLEngine on
  SSLCertificateFile "/etc/pki/tls/certs/mygwtstcfn2.es.gwu.edu.cer"
  SSLCertificateKeyFile "/etc/pki/tls/private/mygwtstcfn2.es.gwu.edu.key"
  SSLCertificateChainFile "/etc/pki/tls/certs/IncommonCA.cer"
  ## Custom fragment
  ## Shibboleth Configurations
  <Location /Shibboleth.sso>
    Require all granted
    SetHandler shib
  </Location>
  <Location /secure/>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibRequestSetting entityID https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/
    require shib-session
  </Location>
</VirtualHost>
Thanks
Pez
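Two checks that narrow down a 403 like the one in this thread, added here as an example and not taken from the list, from Shibboleth or from Apache: first, whether Apache's own authorization layer (mod_authz_core) is the one refusing the request, which Apache 2.4 records in the error log as the AH01630 "client denied by server configuration" message; second, whether a vhost still carries 2.2-style Order/Allow/Deny/Satisfy directives or a shibboleth-protected block with no Require line, the kind of 2.2-versus-2.4 mismatch Nate points at below. The log lines, the client address 192.0.2.10 and the "legacy" Location block are constructed for the example; the two Location blocks labelled as from the thread are the ones posted above.

```shell
#!/bin/sh
# Added example (not code from the thread, Shibboleth or Apache): two checks
# for a 403 that appears only after a successful Shibboleth login.
#  1. Is mod_authz_core refusing the request? Apache 2.4 logs that as
#     AH01630, which points at the Require/Location setup, not at the SP.
#  2. Does the vhost still use 2.2-style Order/Allow/Deny/Satisfy, or a
#     shibboleth-protected block with no Require directive at all?

# Constructed sample error-log lines (not real /var/log/httpd output).
SAMPLE_LOG='[Tue Jan 25 17:00:00.123456 2022] [authz_core:error] [pid 1234] [client 192.0.2.10:51234] AH01630: client denied by server configuration: /docs/gwdar/secure
[Tue Jan 25 17:00:01.000000 2022] [ssl:info] [pid 1234] AH01964: Connection to child 3 established (server gwdar.test.gwu.edu:443)'

# The Apache 2.4 Location blocks as posted in the thread.
PAGE_CONF='<Location /Shibboleth.sso>
  Require all granted
  SetHandler shib
</Location>
<Location /secure/>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require shib-session
</Location>'

# Constructed counter-example in the 2.2 style: access control through
# Order/Allow/Satisfy and no Require directive in the block.
LEGACY_CONF='<Location /secure/>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Order allow,deny
  Allow from all
  Satisfy Any
</Location>'

# Count mod_authz_core denials in the error-log excerpt passed as $1.
count_authz_denials() {
  printf '%s\n' "$1" | grep -c 'AH01630: client denied by server configuration' || true
}

# Count 2.2-era access-control directives in the config excerpt passed as $1.
# Under 2.4 these need mod_access_compat and are easily confused with Require.
count_legacy_authz() {
  printf '%s\n' "$1" | grep -Eic '^[[:space:]]*(Order|Allow from|Deny from|Satisfy)[[:space:]]' || true
}

# Print the opening line of every <Location>/<Directory> block that sets
# "AuthType shibboleth" but contains no Require directive (case-insensitive).
shib_blocks_without_require() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*<(Location|Directory)[ >]/ {
      inblk = 1; shib = 0; req = 0; name = $0; sub(/^[[:space:]]+/, "", name); next
    }
    /^[[:space:]]*<\/(Location|Directory)>/ {
      if (inblk && shib && !req) print name
      inblk = 0; next
    }
    inblk && tolower($1) == "authtype" && tolower($2) == "shibboleth" { shib = 1 }
    inblk && tolower($1) == "require" { req = 1 }
  '
}

# Usage: run the checks against the constructed inputs.
echo "authz denials in log:     $(count_authz_denials "$SAMPLE_LOG")"
echo "legacy directives (page): $(count_legacy_authz "$PAGE_CONF")"
echo "legacy directives (2.2):  $(count_legacy_authz "$LEGACY_CONF")"
echo "shib blocks w/o Require:  $(shib_blocks_without_require "$LEGACY_CONF")"
```

On a live host the first function would be pointed at the ErrorLog named in the vhost (test_gwdar_error_ssl.log) rather than at the constructed lines; an AH01630 entry for /secure at the moment of the 403 means Apache's Require evaluation failed, while its absence means the refusal came from somewhere else (the SP handler or the application).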
On Tue, Jan 25, 2022 at 5:14 PM Nate Klingenstein <ndk at sudonym.me> wrote:
> Pez,
>
> I don't see anything immediately wrong with the configuration there. The
> trailing slash shouldn't matter. Do you have any overriding
> directives (like Directory blocks or .htaccess files) elsewhere in Apache's
> configuration?
>
> It's going to take some digging, but I think this is almost certainly an
> Apache configuration issue.
>
> Hope this helps, and I can understand why you're scratching your heads,
> Nate
>
> On Tue, Jan 25, 2022 at 2:02 PM Chris Lopez <pez at gwu.edu> wrote:
>
>> Nate,
>>
>> Yes it is an Apache 403 error.
>>
>> I followed the documentation online as well as the examples that came
>> with shibboleth for Apache 2.4
>>
>> These are the configurations inside the apache virtualhost configs.
>>
>> NOTE 1: I attempted configurations with and without a trailing slash
>> after the /secure Location.
>> NOTE 2: I have X'd out the entity id
>>
>>
>> <Location /Shibboleth.sso>
>> Require all granted
>> SetHandler shib
>> </Location>
>>
>> <Location /secure/>
>> AuthType shibboleth
>> ShibRequestSetting requireSession 1
>> ShibRequestSetting entityID https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx/
>> require shib-session
>> </Location>
>>
>> Thanks
>> Chris
>>
>>
>> On Tue, Jan 25, 2022 at 3:51 PM Nate Klingenstein <ndk at sudonym.me> wrote:
>>
>>> Chris,
>>>
>>> Making the assumption that you're getting the 403 from Apache, the
>>> authorization directives changed radically between versions 2.2 and 2.4.
>>> Check the Apache settings that you have protecting that location to make
>>> sure they match the OOTB configuration shipped with 3.3.
>>>
>>> If that all looks normal, we'll need more details.
>>>
>>> Take care,
>>> Nate
>>>
>>>
>>> On Tue, Jan 25, 2022 at 1:43 PM Chris Lopez via users <users at shibboleth.net> wrote:
>>>
>>>> I was previously set up in an environment with ColdFusion 11, Apache 2.2
>>>> and Shibboleth SP 2.0, and we had the environment working perfectly.
>>>>
>>>> We have recently set up a new environment with ColdFusion 2018, Apache
>>>> 2.4 and Shibboleth SP 3.0. We have all of our configurations (both
>>>> shibboleth, and apache) in place as they should be. When attempting to
>>>> test, the user gets routed to authenticate (as it should), and the
>>>> authentication process is successful (as it should). After authentication,
>>>> it routes to /secure where it then shows a 403 Forbidden message.
>>>>
>>>> I noticed that it adds a slash at the end (/secure/), and thought that
>>>> might be a problem, however, I don't believe that is the issue as (#1) the
>>>> old environment behaves the same way and (#2) I added trailing slashes in
>>>> the Location /secure/ settings as well. This had no effect, leading me to
>>>> believe that isn't the issue.
>>>>
>>>> I have verified by going to /Shibboleth.sso/Sessions, checking
>>>> transaction and shib logs, as well as using Chrome Developer Tools >
>>>> Network > cookies, that a session indeed has been created, however the
>>>> /secure Location is still throwing a 403 Forbidden.
>>>>
>>>> Our identity guy and I are banging our heads against the wall on
>>>> this one... Please Help !!
>>>>
>>>> Thanks
>>>> Pez
>>>> --
>>>> For Consortium Member technical support, see
>>>> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
>>>> To unsubscribe from this list send an email to
>>>> users-unsubscribe at shibboleth.net
>>>>
>>>