403 Forbidden Issue
Chris Lopez
pez at gwu.edu
Tue Jan 25 22:46:52 UTC 2022
Nate,

...And this is the shib.conf file:
# https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig

# Load the Shibboleth module.
LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so

ShibCompatValidUser Off

<Location /Shibboleth.sso>
  AuthType None
  Require all granted
</Location>

<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    AuthType None
    Require all granted
  </Location>
  Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
</IfModule>

<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require shib-session
</Location>

Thanks
Pez
On Tue, Jan 25, 2022 at 5:14 PM Nate Klingenstein <ndk at sudonym.me> wrote:
> Pez,
>
> I don't see anything immediately wrong with the configuration there. The
> trailing slash shouldn't matter. Do you have any overriding
> directives (like Directory blocks or .htaccess files) elsewhere in Apache's
> configuration?
>
> It's going to take some digging, but I think this is almost certainly an
> Apache configuration issue.
>
> Hope this helps, and I can understand why you're scratching your heads,
> Nate
>
> On Tue, Jan 25, 2022 at 2:02 PM Chris Lopez <pez at gwu.edu> wrote:
>
>> Nate,
>>
>> Yes, it is an Apache 403 error.
>>
>> I followed the documentation online as well as the examples that came
>> with Shibboleth for Apache 2.4.
>>
>> These are the configurations inside the apache virtualhost configs.
>>
>> NOTE 1: I attempted configurations with and without a trailing slash
>> after the /secure Location.
>> NOTE 2: I have X'd out the entity id
>>
>>
>> <Location /Shibboleth.sso>
>>   Require all granted
>>   SetHandler shib
>> </Location>
>>
>> <Location /secure/>
>>   AuthType shibboleth
>>   ShibRequestSetting requireSession 1
>>   ShibRequestSetting entityID https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx/
>>   require shib-session
>> </Location>
>>
>> Thanks
>> Chris
>>
>>
>> On Tue, Jan 25, 2022 at 3:51 PM Nate Klingenstein <ndk at sudonym.me> wrote:
>>
>>> Chris,
>>>
>>> Making the assumption that you're getting the 403 from Apache, the
>>> authorization directives changed radically between versions 2.2 and 2.4.
>>> Check the Apache settings that you have protecting that location to make
>>> sure they match the OOTB configuration shipped with 3.3.
>>>
>>> If that all looks normal, we'll need more details.
>>>
>>> Take care,
>>> Nate
>>>
>>>
>>> On Tue, Jan 25, 2022 at 1:43 PM Chris Lopez via users <
>>> users at shibboleth.net> wrote:
>>>
>>>> I was previously set up in an environment with ColdFusion 11, Apache 2.2
>>>> and Shibboleth SP 2.0, and we had the environment working perfectly.
>>>>
>>>> We have recently set up a new environment with ColdFusion 2018, Apache
>>>> 2.4 and Shibboleth SP 3.0. We have all of our configurations (both
>>>> Shibboleth and Apache) in place as they should be. When attempting to
>>>> test, the user gets routed to authenticate (as it should), and the
>>>> authentication process is successful (as it should). After authentication,
>>>> it routes to /secure where it then shows a 403 Forbidden message.
>>>>
>>>> I noticed that it adds a slash at the end (/secure/), and thought that
>>>> might be a problem, however, I don't believe that is the issue as (#1) the
>>>> old environment behaves the same way and (#2) I added trailing slashes in
>>>> the Location /secure/ settings as well. This had no effect, leading me to
>>>> believe that isn't the issue.
>>>>
>>>> I have verified by going to /Shibboleth.sso/Sessions, checking
>>>> transaction and shib logs, as well as using Chrome Developer Tools >
>>>> Network > cookies, that a session indeed has been created, however the
>>>> /secure Location is still throwing a 403 Forbidden.
>>>>
>>>> Our Identity guy and myself are banging our heads against the wall on
>>>> this one... Please Help !!
>>>>
>>>> Thanks
>>>> Pez
>>>
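
The check Nate suggests in the thread above (looking for overriding Directory or .htaccess directives and for 2.2-era authorization syntax left over after a move to Apache 2.4) can be done mechanically. The following is an added example, not part of the original thread or of the Shibboleth project's code: a small Python audit that lists every access-control directive with its enclosing container and flags 2.2 syntax. The function name `audit` and the sample configuration are constructed for illustration.

```python
import re

# 2.2-era access control; Apache 2.4 only honours these through mod_access_compat.
LEGACY = {"order", "allow", "deny", "satisfy"}
# 2.4-style authn/authz directives, including the Shibboleth SP's own.
MODERN = {"require", "authtype", "authmerging", "shibrequestsetting"}
CONTAINERS = {"directory", "directorymatch", "location", "locationmatch", "files", "filesmatch"}
OPEN = re.compile(r"<\s*(\w+)\s*(.*?)\s*>$")
CLOSE = re.compile(r"</\s*(\w+)\s*>$")

def audit(config_text):
    """Return (line_no, enclosing_container, directive, is_legacy) for each access-control line."""
    findings, stack = [], []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing = CLOSE.match(line)
        if closing:
            if stack and stack[-1][0].lower() == closing.group(1).lower():
                stack.pop()
            continue
        opening = OPEN.match(line)
        if opening:
            stack.append((opening.group(1), opening.group(2).strip('"')))
            continue
        word = line.split()[0].lower()
        if word in LEGACY | MODERN:
            scope = [f"<{n} {a}>" for n, a in stack if n.lower() in CONTAINERS]
            findings.append((no, scope[-1] if scope else "(server/vhost)", line, word in LEGACY))
    return findings

# Constructed sample, not the poster's configuration.
SAMPLE = """\
<VirtualHost *:443>
    <Directory "/var/www/html">
        Order allow,deny
        Allow from 10.0.0.0/8
    </Directory>
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for no, scope, directive, legacy in audit(SAMPLE):
        print(f"{no:>3}  {scope:<28} {directive:<40} {'LEGACY 2.2 syntax' if legacy else ''}")
```

Run it over each file Apache loads, including any .htaccess under the protected path, and compare the containers that cover the protected URL.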