403 Forbidden Issue
Chris Lopez
pez at gwu.edu
Tue Jan 25 23:01:26 UTC 2022
Nate...
Nope... no additional ACL configs here:
Note: /Status is open right now just for us to debug...
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
          clockSkew="1800">

    <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />

    <ApplicationDefaults entityID="https://mygw.test.gwu.edu/shibboleth"
                         REMOTE_USER="gwid email"
                         cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">

        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="false" cookieProps="https"
                  redirectLimit="exact">

            <SSO entityID="https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/">
                SAML2
            </SSO>

            <Logout>Local</Logout>
            <!-- <Logout>SAML2 Local</Logout> -->

            <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />

            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

            <Handler type="Status" Location="/Status" />
            <!-- <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/> -->

            <Handler type="Session" Location="/Session" showAttributeValues="true"/>

            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <Errors supportContact="UWS-CFADMINS at hermes.gwu.edu"
                logoLocation="/shibboleth-sp/logo.jpg"
                styleSheet="/shibboleth-sp/main.css"/>

        <MetadataProvider type="XML" path="mygwtest_azure_idp.xml"/>
        <MetadataProvider type="XML" path="mygwtest_google_idp.xml"/>

        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>

        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

        <ApplicationOverride id="gwdar" entityID="https://gwdar.test.gwu.edu/shibboleth"/>
    </ApplicationDefaults>

    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
Thanks
Pez
On Tue, Jan 25, 2022 at 5:50 PM Nate Klingenstein <ndk at sudonym.me> wrote:
> Pez,
>
> I don't see anything suspicious there (or in shib.conf, which is mostly
> redundant) either. What's the Apache error log say? Do you have any
> access control requirements specified in shibboleth2.xml?
>
> To help any further, I'd have to get deeper into the environment itself,
> but I don't see anything obviously wrong here. I hope someone else on the
> list does.
>
> Apologies,
> Nate
>
> On Tue, Jan 25, 2022 at 3:42 PM Chris Lopez <pez at gwu.edu> wrote:
>
>> Nate,
>>
>> There are no htaccess files. Here is the VH config for this domain:
>>
>> <VirtualHost *:443>
>>     ServerName gwdar.test.gwu.edu
>>
>>     ## Vhost docroot
>>     DocumentRoot "/docs/gwdar"
>>
>>     ## Directories, there should at least be a declaration for /docs/gwdar
>>     <Directory "/docs/gwdar">
>>         Options -Indexes +FollowSymLinks
>>         AllowOverride None
>>         Require all granted
>>         DirectoryIndex index.cfm default.cfm index.html index.html.var index.shtml
>>     </Directory>
>>
>>     <Directory "/docs/gwdar/cgi">
>>         AllowOverride None
>>         Require all granted
>>         SSLOptions +StdEnvVars
>>     </Directory>
>>
>>     ## Logging
>>     ErrorLog "/var/log/httpd/test_gwdar_error_ssl.log"
>>     ServerSignature Off
>>     CustomLog "/var/log/httpd/test_gwdar_access_ssl.log" combined
>>     ErrorDocument 403 /mod/errors/noaccess.cfm
>>     ErrorDocument 404 /mod/errors/notfound.cfm
>>     ErrorDocument 503 /mod/errors/servererror.html
>>
>>     ## Rewrite rules
>>     RewriteEngine On
>>     RewriteRule ^(.*/)?\.git+ - [R=404]
>>
>>     RewriteCond %{HTTP_HOST} !^gwdar.test.gwu.edu$ [NC]
>>     RewriteRule ^(.*)$ https://gwdar.test.gwu.edu/$1 [R=302]
>>
>>     ## Script alias directives
>>     ScriptAlias /cgi/ "/docs/gwdar/cgi/"
>>     SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>>
>>     ## SSL directives
>>     SSLEngine on
>>     SSLCertificateFile "/etc/pki/tls/certs/mygwtstcfn2.es.gwu.edu.cer"
>>     SSLCertificateKeyFile "/etc/pki/tls/private/mygwtstcfn2.es.gwu.edu.key"
>>     SSLCertificateChainFile "/etc/pki/tls/certs/IncommonCA.cer"
>>
>>     ## Custom fragment
>>     ## Shibboleth Configurations
>>     <Location /Shibboleth.sso>
>>         Require all granted
>>         SetHandler shib
>>     </Location>
>>
>>     <Location /secure/>
>>         AuthType shibboleth
>>         ShibRequestSetting requireSession 1
>>         ShibRequestSetting entityID https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/
>>         require shib-session
>>     </Location>
>> </VirtualHost>
>>
>> Thanks
>> Pez
>>
>> On Tue, Jan 25, 2022 at 5:14 PM Nate Klingenstein <ndk at sudonym.me> wrote:
>>
>>> Pez,
>>>
>>> I don't see anything immediately wrong with the configuration there.
>>> The trailing slash shouldn't matter. Do you have any overriding
>>> directives (like Directory blocks or .htaccess files) elsewhere in Apache's
>>> configuration?
>>>
>>> It's going to take some digging, but I think this is almost certainly an
>>> Apache configuration issue.
>>>
>>> Hope this helps, and I can understand why you're scratching your heads,
>>> Nate
>>>
>>> On Tue, Jan 25, 2022 at 2:02 PM Chris Lopez <pez at gwu.edu> wrote:
>>>
>>>> Nate,
>>>>
>>>> Yes it is an Apache 403 error.
>>>>
>>>> I followed the documentation online as well as the examples that came
>>>> with shibboleth for Apache 2.4
>>>>
>>>> These are the configurations inside the apache virtualhost configs.
>>>>
>>>> NOTE 1: I attempted configurations with and without a trailing slash
>>>> after the /secure Location.
>>>> NOTE 2: I have X'd out the entity id
>>>>
>>>>
>>>> <Location /Shibboleth.sso>
>>>>     Require all granted
>>>>     SetHandler shib
>>>> </Location>
>>>>
>>>> <Location /secure/>
>>>>     AuthType shibboleth
>>>>     ShibRequestSetting requireSession 1
>>>>     ShibRequestSetting entityID https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx/
>>>>     require shib-session
>>>> </Location>
>>>>
>>>> Thanks
>>>> Chris
>>>>
>>>>
>>>> On Tue, Jan 25, 2022 at 3:51 PM Nate Klingenstein <ndk at sudonym.me> wrote:
>>>>
>>>>> Chris,
>>>>>
>>>>> Making the assumption that you're getting the 403 from Apache, the
>>>>> authorization directives changed radically between versions 2.2 and 2.4.
>>>>> Check the Apache settings that you have protecting that location to make
>>>>> sure they match the OOTB configuration shipped with 3.3.
>>>>>
>>>>> If that all looks normal, we'll need more details.
>>>>>
>>>>> Take care,
>>>>> Nate
>>>>>
>>>>>
>>>>> On Tue, Jan 25, 2022 at 1:43 PM Chris Lopez via users <users at shibboleth.net> wrote:
>>>>>
>>>>>> I was previously set up in an environment with ColdFusion 11, Apache
>>>>>> 2.2 and Shibboleth SP 2.0, and we had the environment working perfectly.
>>>>>>
>>>>>> We have recently set up a new environment with ColdFusion 2018, Apache
>>>>>> 2.4 and Shibboleth SP 3.0. We have all of our configurations (both
>>>>>> shibboleth, and apache) in place as they should be. When attempting to
>>>>>> test, the user gets routed to authenticate (as it should), and the
>>>>>> authentication process is successful (as it should). After authentication,
>>>>>> it routes to /secure where it then shows a 403 Forbidden message.
>>>>>>
>>>>>> I noticed that it adds a slash at the end (/secure/), and thought
>>>>>> that might be a problem, however, I don't believe that is the issue as (#1)
>>>>>> the old environment behaves the same way and (#2) I added trailing
>>>>>> slashes in the Location /secure/ settings as well. This had no effect,
>>>>>> leading me to believe that isn't the issue.
>>>>>>
>>>>>> I have verified by going to /Shibboleth.sso/Sessions, checking
>>>>>> transaction and shib logs, as well as using Chrome Developer Tools >
>>>>>> Network > cookies, that a session indeed has been created, however the
>>>>>> /secure Location is still throwing a 403 Forbidden.
>>>>>>
>>>>>> Our identity guy and I are banging our heads against the wall on
>>>>>> this one... Please Help !!
>>>>>>
>>>>>> Thanks
>>>>>> Pez
>>>>>> --
>>>>>> For Consortium Member technical support, see
>>>>>> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
>>>>>> To unsubscribe from this list send an email to
>>>>>> users-unsubscribe at shibboleth.net
>>>>>>
>>>>>
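Added example, not part of this thread or of the Shibboleth project: Nate asks what the Apache error log says, and that is the right question, because a 403 on a Shibboleth-protected Location can be produced by several different Apache modules, and the module tag on the error-log line tells them apart. The POSIX shell snippet below classifies Apache 2.4 error-log lines by module tag and message text (mod_authz_core's "client denied by server configuration" and "authorization failure", core's filesystem-permission and symlink denials, and mod_autoindex's refusal to serve a directory that has no matching DirectoryIndex file while Options -Indexes is set) and reports which cause dominates. The log lines returned by sample_error_log are constructed for this example; they reuse the thread's paths but describe hypothetical events, and the function and category names are this example's own.

```shell
#!/bin/sh
# Added example: triage an Apache 2.4 error log to find which module produced
# a 403 for a Shibboleth-protected Location. Not code from the thread.

# classify_403_line LINE: print one category for a single error-log line.
# The module tags and message texts matched here are Apache 2.4's own
# (mod_authz_core, core, mod_autoindex); the category names are ours.
classify_403_line() {
    case "$1" in
        *"[autoindex:error]"*"directory index forbidden by Options directive"*)
            # AH01276: URL resolved to a directory, none of the DirectoryIndex
            # names exists there, and Options -Indexes forbids a listing.
            # This 403 is raised at the handler stage, after authz succeeded.
            echo "no-index-file" ;;
        *"[core:error]"*"search permissions are missing"*)
            # AH00035: Unix permissions on a path component of DocumentRoot.
            echo "fs-permissions" ;;
        *"[core:error]"*"Symbolic link not allowed"*)
            echo "fs-symlink" ;;
        *"[authz_core:error]"*"authorization failure"*)
            # AH01631: a user was authenticated but no Require accepted them.
            echo "authz-user-rejected" ;;
        *"[authz_core:error]"*"client denied by server configuration"*)
            # AH01630: no Require directive in the merged config was satisfied.
            echo "authz-no-require-matched" ;;
        *)
            echo "other" ;;
    esac
}

# triage_403_log: read a log on stdin, print "count category", most frequent first.
triage_403_log() {
    while IFS= read -r line; do
        classify_403_line "$line"
    done | sort | uniq -c | sort -rn
}

# dominant_403_cause: read a log on stdin, print only the most frequent category.
dominant_403_cause() {
    triage_403_log | head -n 1 | awk '{print $2}'
}

# Constructed sample log (hypothetical events, paths borrowed from the thread).
sample_error_log() {
    cat <<'EOF'
[Tue Jan 25 22:10:03.123456 2022] [autoindex:error] [pid 4242] [client 10.0.0.5:51234] AH01276: Cannot serve directory /docs/gwdar/secure/: No matching DirectoryIndex (index.cfm,default.cfm,index.html,index.html.var,index.shtml) found, and server-generated directory index forbidden by Options directive
[Tue Jan 25 22:10:09.222222 2022] [autoindex:error] [pid 4242] [client 10.0.0.5:51236] AH01276: Cannot serve directory /docs/gwdar/secure/: No matching DirectoryIndex (index.cfm,default.cfm,index.html,index.html.var,index.shtml) found, and server-generated directory index forbidden by Options directive
[Tue Jan 25 22:11:14.654321 2022] [authz_core:error] [pid 4242] [client 10.0.0.5:51240] AH01630: client denied by server configuration: /docs/gwdar/secure/
[Tue Jan 25 22:12:30.000001 2022] [core:error] [pid 4243] [client 10.0.0.5:51250] (13)Permission denied: AH00035: access to /secure/ denied (filesystem path '/docs/gwdar/secure') because search permissions are missing on a component of the path
EOF
}

# Stand-alone run over the constructed sample; on a real host replace
# sample_error_log with: triage_403_log < /var/log/httpd/test_gwdar_error_ssl.log
sample_error_log | triage_403_log
echo "dominant cause: $(sample_error_log | dominant_403_cause)"
```

Reading the result: "no-index-file" means the trailing-slash /secure/ URL is being served as a directory and the 403 has nothing to do with the Shibboleth session, since mod_autoindex only runs after authorization has already passed; "authz-no-require-matched" points at the merged Require set for the Location, which is where a directive that Apache 2.4 no longer understands would surface; "fs-permissions" and "fs-symlink" are DocumentRoot problems that a 2.2-to-2.4 migration onto a new host easily introduces. If nothing matches and the 403 body is the ErrorDocument page, check whether a downstream handler (the CGI or application connector) is the one answering.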