Antw: Re: SP doesn't forward variables
Samsamoddin Rajaei
Samsamoddin.Rajaei at bsb-muenchen.de
Wed Oct 26 14:49:23 UTC 2022
Nate,
thank you for your hints. They helped me to move forward.
The following Apache configuration
<LocationMatch "/(eg|gtn)/">
    <If "%{QUERY_STRING} =~ /auth_method=Shibboleth/">
        AuthType shibboleth
        Require shibboleth
        ShibRequestSetting requireSession true
        ShibUseHeaders On
    </If>
</LocationMatch>
is now able to send the desired Apache variables to the SP and I can see
them in our Vufind application, but only on the page with
"?auth_method=Shibboleth". On other pages of the application (all under
<URL>/eg or <URL>/gtn) they aren't available. I want only the page
"<URL>/eg/?auth_method=Shibboleth" (and
"<URL>/gtn/?auth_method=Shibboleth") to be restricted, but I want the other
pages to have access to the Apache variables too. Is it possible? How?
If I add
<Else>
    AuthType shibboleth
    Require shibboleth
</Else>
to the configuration, then all pages are restricted and I will be
redirected to the IdP when I try to visit any application page.
Regards Sam
BTW I know that using "ShibUseHeaders On" is not recommended, but I
want to get the whole system running and then solve this problem. At the
moment, without this parameter the variables are not sent.
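One way to achieve what Sam asks for (attributes exported on every page under /eg and /gtn, a forced login only on the ?auth_method=Shibboleth entry point) is the Shibboleth SP's lazy-session mode: attach the module to the whole location with requireSession false, so a request that carries a valid _shibsession_ cookie gets its attributes exported without any redirect, and turn requireSession on only inside the <If> block. The fragment below is an added example and not part of the thread or of the Shibboleth project; the URL paths and the auth_method query parameter are taken from Sam's message, and the anchored query-string regex is an assumption.

```apache
# Added example (not from the thread): lazy sessions for the whole
# application, forced session only on the explicit login URL.
<LocationMatch "^/(eg|gtn)/">
    # Run the SP module on every request under /eg and /gtn.
    AuthType shibboleth
    # Lazy session: if a session cookie is present, export its attributes;
    # if not, let the request through instead of redirecting to the IdP.
    ShibRequestSetting requireSession false
    # "Require shibboleth" grants access whenever the module is active,
    # which with requireSession false means unauthenticated pages load too.
    Require shibboleth
    # The thread reports the application only sees headers, so keep this
    # On for now; switch to Off once Vufind reads the environment variables,
    # because request headers can be supplied by a client when the module
    # is not in the request path.
    ShibUseHeaders On

    # Only the login entry point forces a session (and thus the IdP redirect).
    # The regex is anchored on parameter boundaries so that a parameter such
    # as "xauth_method=Shibboleth" does not match (assumed pattern).
    <If "%{QUERY_STRING} =~ /(^|&)auth_method=Shibboleth(&|$)/">
        ShibRequestSetting requireSession true
    </If>
</LocationMatch>
```

With this layout the application still has to check for an attribute (for example an empty uid) itself on the lazy pages, since the web server no longer guarantees that a session exists there; a page that must only ever be served to logged-in users belongs inside a block with requireSession true. After editing, `apachectl configtest` catches the unbalanced closing tags that appeared in the quoted configuration.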
>>> Nate Klingenstein <ndk at sudonym.me> 19.10.2022 21:05 >>>
Sam,
We would have to know a lot more about your configuration to tell you
for sure, but given that the attributes are being set but not populated,
the most likely explanation by far is that you don't have the page
itself protected by Shibboleth. Cookies will always be sent by the
browser, but attributes will not be provided to unprotected resources.
This can be done either in the httpd configuration or in
shibboleth2.xml, but it's generally cleaner to do it in the httpd
configuration.
You can verify my hunch by placing a phpinfo page in a directory with a
/secure URL path and accessing it, or more preferably, look at the
configuration for /secure that the installer generated in
/etc/httpd/conf.d/shib.conf and port it appropriately to protect the URL
path for your page.
Hope this helps,
Nate
On Wed, Oct 19, 2022, 3:39 AM Samsamoddin Rajaei
<Samsamoddin.Rajaei at bsb-muenchen.de> wrote:
Hello everybody,
I am trying to connect our Vufind application with Shibboleth SP and
cannot get the SP to forward environment variables back to Vufind.
When in Vufind application I click the login link, I will be forwarded
to the configured federation and then to our test-idp. After entering my
credentials I will be forwarded back to my configured
"sessionHook"-Page, where I output the phpinfo.
In SP transaction log file I see following entries:
New session (ID: _804ca556ed17194f42e849338182672f) with
(applicationId: historicumtest) for principal from (IdP: ...) at
(ClientAddress: ...) with (NameIdentifier: none) using (Protocol:
urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID:
_96593f1b531e459c466f3cf6702acb80)
Cached the following attributes with session (ID:
_804ca556ed17194f42e849338182672f) for (applicationId: historicumtest)
{
uid (1 values)
targeted-id (1 values)
affiliation (1 values)
entitlement (1 values)
}
In phpinfo I can see different Shibboleth cookies, among others the
session cookie with the same ID as in the log file (_shibsession_nnn=ID).
But I don't see any of the Shibboleth standard Apache environment
variables, like Shib-Application-ID and Shib-Identity-Provider, nor
anything of uid, targeted-id, affiliation and entitlement.
How can I get uid, targeted-id, ... forwarded to my
"sessionHook" page?
Thank you for any hint.
Sam
Bavarian State Library - Munich
--
For Consortium Member technical support, see
https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to
users-unsubscribe at shibboleth.net