403 Forbidden Issue

Nate Klingenstein ndk at sudonym.me
Tue Jan 25 22:49:49 UTC 2022


Pez,

I don't see anything suspicious there (or in shib.conf, which is mostly
redundant) either.  What's the Apache error log say?  Do you have any
access control requirements specified in shibboleth2.xml?

To help any further, I'd have to get deeper into the environment itself,
but I don't see anything obviously wrong here.  I hope someone else on the
list does.

Apologies,
Nate

On Tue, Jan 25, 2022 at 3:42 PM Chris Lopez <pez at gwu.edu> wrote:

> Nate,
>
> There are no .htaccess files. Here is the VH config for this domain:
>
> <VirtualHost *:443>
>   ServerName gwdar.test.gwu.edu
>
>   ## Vhost docroot
>   DocumentRoot "/docs/gwdar"
>
>   ## Directories, there should at least be a declaration for /docs/gwdar
>   <Directory "/docs/gwdar">
>     Options -Indexes +FollowSymLinks
>     AllowOverride None
>     Require all granted
>     DirectoryIndex index.cfm default.cfm index.html index.html.var index.shtml
>   </Directory>
>
>   <Directory "/docs/gwdar/cgi">
>     AllowOverride None
>     Require all granted
>     SSLOptions +StdEnvVars
>   </Directory>
>
>   ## Logging
>   ErrorLog "/var/log/httpd/test_gwdar_error_ssl.log"
>   ServerSignature Off
>   CustomLog "/var/log/httpd/test_gwdar_access_ssl.log" combined
>   ErrorDocument 403 /mod/errors/noaccess.cfm
>   ErrorDocument 404 /mod/errors/notfound.cfm
>   ErrorDocument 503 /mod/errors/servererror.html
>
>   ## Rewrite rules
>   RewriteEngine On
>   RewriteRule ^(.*/)?\.git+ - [R=404]
>
>   RewriteCond %{HTTP_HOST} !^gwdar.test.gwu.edu$ [NC]
>   RewriteRule ^(.*)$ https://gwdar.test.gwu.edu/$1 [R=302]
>
>   ## Script alias directives
>   ScriptAlias /cgi/ "/docs/gwdar/cgi/"
>   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>
>   ## SSL directives
>   SSLEngine on
>   SSLCertificateFile      "/etc/pki/tls/certs/mygwtstcfn2.es.gwu.edu.cer"
>   SSLCertificateKeyFile   "/etc/pki/tls/private/mygwtstcfn2.es.gwu.edu.key"
>   SSLCertificateChainFile "/etc/pki/tls/certs/IncommonCA.cer"
>
>   ## Custom fragment
>   ## Shibboleth Configurations
>   <Location /Shibboleth.sso>
>     Require all granted
>     SetHandler shib
>   </Location>
>
>   <Location /secure/>
>     AuthType shibboleth
>     ShibRequestSetting requireSession 1
>     ShibRequestSetting entityID https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/
>     require shib-session
>   </Location>
>
> Thanks
> Pez
>
> On Tue, Jan 25, 2022 at 5:14 PM Nate Klingenstein <ndk at sudonym.me> wrote:
>
>> Pez,
>>
>> I don't see anything immediately wrong with the configuration there.  The
>> trailing slash shouldn't matter.  Do you have any overriding
>> directives (like Directory blocks or .htaccess files) elsewhere in Apache's
>> configuration?
>>
>> It's going to take some digging, but I think this is almost certainly an
>> Apache configuration issue.
>>
>> Hope this helps, and I can understand why you're scratching your heads,
>> Nate
>>
>> On Tue, Jan 25, 2022 at 2:02 PM Chris Lopez <pez at gwu.edu> wrote:
>>
>>> Nate,
>>>
>>> Yes it is an Apache 403 error.
>>>
>>> I followed the documentation online as well as the examples that came
>>> with shibboleth for Apache 2.4
>>>
>>> These are the configurations inside the apache virtualhost configs.
>>>
>>> NOTE 1: I attempted configurations with and without a trailing slash
>>> after the /secure Location.
>>> NOTE 2: I have X'd out the entity id
>>>
>>>   <Location /Shibboleth.sso>
>>>     Require all granted
>>>     SetHandler shib
>>>   </Location>
>>>
>>>   <Location /secure/>
>>>     AuthType shibboleth
>>>     ShibRequestSetting requireSession 1
>>>     ShibRequestSetting entityID https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx/
>>>     require shib-session
>>>   </Location>
>>>
>>> Thanks
>>> Chris
>>>
>>>
>>> On Tue, Jan 25, 2022 at 3:51 PM Nate Klingenstein <ndk at sudonym.me>
>>> wrote:
>>>
>>>> Chris,
>>>>
>>>> Making the assumption that you're getting the 403 from Apache, the
>>>> authorization directives changed radically between versions 2.2 and 2.4.
>>>> Check the Apache settings that you have protecting that location to make
>>>> sure they match the OOTB configuration shipped with 3.3.
>>>>
>>>> If that all looks normal, we'll need more details.
>>>>
>>>> Take care,
>>>> Nate
>>>>
>>>>
>>>> On Tue, Jan 25, 2022 at 1:43 PM Chris Lopez via users <
>>>> users at shibboleth.net> wrote:
>>>>
>>>>> I was previously set up in an environment with ColdFusion 11, Apache 2.2
>>>>> and Shibboleth SP 2.0, and we had the environment working perfectly.
>>>>>
>>>>> We have recently set up a new environment with ColdFusion 2018, Apache
>>>>> 2.4 and Shibboleth SP 3.0. We have all of our configurations (both
>>>>> Shibboleth and Apache) in place as they should be. When attempting to
>>>>> test, the user gets routed to authenticate (as it should), and the
>>>>> authentication process is successful (as it should). After authentication,
>>>>> it routes to /secure where it then shows a 403 Forbidden message.
>>>>>
>>>>> I noticed that it adds a slash at the end (/secure/), and thought that
>>>>> might be a problem, however, I don't believe that is the issue as (#1) the
>>>>> old environment behaves the same way and (#2) I added trailing slashes in
>>>>> the Location /secure/ settings as well. This had no effect, leading me to
>>>>> believe that isn't the issue.
>>>>>
>>>>> I have verified by going to /Shibboleth.sso/Sessions, checking
>>>>> transaction and shib logs, as well as using Chrome Developer Tools >
>>>>> Network > cookies, that a session indeed has been created, however the
>>>>> /secure Location is still throwing a 403 Forbidden.
>>>>>
>>>>> Our Identity guy and myself are banging our heads against the wall on
>>>>> this one... Please help!!
>>>>>
>>>>> Thanks
>>>>> Pez
>>>>> --
>>>>> For Consortium Member technical support, see
>>>>> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
>>>>> To unsubscribe from this list send an email to
>>>>> users-unsubscribe at shibboleth.net
>>>>>
>>>>
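Nate's advice earlier in the thread is to compare the Apache authorization directives on the protected Location with the 2.4-style defaults shipped with SP 3. The following is an added example, not code from the thread or from the Shibboleth project: a small Python linter that parses an httpd config and flags Shibboleth-protected Locations that still have 2.2-style Order/Allow/Deny/Satisfy directives in scope, or no Require at all; the sample config is constructed.

```python
# Added example (not Shibboleth project code): lint Apache 2.4 sections protected by the SP.
import re

OPEN, CLOSE = re.compile(r"^<(\w+)\s+(.*?)>$"), re.compile(r"^</\w+>$")
# 2.2-era access control; in 2.4 only mod_access_compat provides it, and mixing
# it with Require in one scope is a classic cause of unexpected 403s.
LEGACY = {"order", "allow", "deny", "satisfy"}

def parse(text):
    """Parse httpd.conf text into nested dicts of sections and directives."""
    root = {"kind": "root", "arg": "", "directives": [], "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # naive comment strip: assumes no '#' inside values
        if m := OPEN.match(line):
            blk = {"kind": m[1], "arg": m[2].strip('"'), "directives": [], "children": []}
            stack[-1]["children"].append(blk)
            stack.append(blk)
        elif CLOSE.match(line):
            stack.pop()
        elif line:  # skip blank and comment-only lines
            stack[-1]["directives"].append(line)
    return root

def lint(text):
    """Return (path, problem) pairs for every Location that uses AuthType shibboleth."""
    findings = []
    def walk(blk, inherited):
        lowered = [d.lower() for d in blk["directives"]]
        names = {d.split()[0] for d in lowered}
        legacy = inherited | (names & LEGACY)  # legacy directives in enclosing sections count too
        if blk["kind"] == "Location" and "authtype shibboleth" in lowered:
            if legacy:
                findings.append((blk["arg"], "mixes 2.2 authz directives: " + ", ".join(sorted(legacy))))
            if "require" not in names:
                findings.append((blk["arg"], "no Require (SP 3 default is 'require shib-session')"))
        for child in blk["children"]:
            walk(child, legacy)

    walk(parse(text), set())
    return findings

SAMPLE = """<Location /secure/>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require shib-session
</Location>
<Location /legacy/>
  AuthType shibboleth
  Order allow,deny
</Location>"""  # constructed sample: second block still carries a 2.2 directive and no Require
```

Running `lint(SAMPLE)` reports nothing for /secure/ and two findings for /legacy/; point it at the real config (with the `>` quote prefixes stripped) to check every Shibboleth Location in one pass.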