Help on Single Sign On

Hello to everyone,

I’m new to the forum and I hope this is the right place to post my question.

I successfully installed indico 2.0 on a VM with Debian 8 following the instructions provided here.

I also configured shibboleth as described in the above-mentioned guide, but I cannot log in through it and I’m struggling to understand where the problem is. This is what I have in my indico.conf regarding SSO auth:

  #SSO
  AUTH_PROVIDERS = {
      'shib-sso': {
          'type': 'shibboleth',
          'title': 'Single Sign On',
          'attrs_prefix': 'ADFS_',
          'callback_uri': '/login/shib-sso/shibboleth',
          'logout_uri': 'https://my.sp.com/Shibboleth.sso/Logout'
      }
  }
  IDENTITY_PROVIDERS = {
      'shib-sso': {
          'type': 'shibboleth',
          'title': 'SSO',
          'identifier_field': 'mail',
          'mapping': {
              'login': 'eppn',
              'personId': 'persistent-id',
              'email': 'mail'
          },
          'trusted_email': True
      }
  }

eppn, mail and persistent-id are the attributes returned from the IDP. Below is what I can see in the logs:

  1. indico.log
2018-02-08 13:39:02,244  INFO     b1ea03fe14824386  indico.rh                 GET /login/ [IP=xxx.xxx.xxx.xxx] [PID=1412] [UID=None]
2018-02-08 13:39:04,777  INFO     77b174af1ec04952  indico.rh                 GET /login/shib-sso/ [IP=xxx.xxx.xxx.xxx] [PID=1412] [UID=None]
2018-02-08 13:39:06,742  INFO     525f3b1db3e54243  indico.rh                 GET /login/shib-sso/shibboleth [IP=xxx.xxx.xxx.xxx] [PID=1413] [UID=None]
2018-02-08 13:39:06,743  ERROR    525f3b1db3e54243  indico.auth               Authentication via shib-sso failed: No valid data received (None)
2018-02-08 13:39:06,953  INFO     8c5afffcc91a4c23  indico.rh                 GET /login/ [IP=xxx.xxx.xxx.xxx] [PID=1411] [UID=None]
  2. shibd.log
2018-02-08 13:39:06 INFO Shibboleth.SessionCache [1]: new session created: ID (_e0efa9ad4c76cff38f1703695c955a30) IdP (https://our.idp.com/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (xxx.xxx.xxx.xxx)
  3. transaction.log
2018-02-08 13:39:06 INFO Shibboleth-TRANSACTION [1]: New session (ID: _e0efa9ad4c76cff38f1703695c955a30) with (applicationId: default) for principal from (IdP: https://our.idp.com/idp/shibboleth) at (ClientAddress: xxx.xxx.xxx.xxx) with (NameIdentifier: 9NPScjyKE+8IPnkt1AJ/NUVqAsQ=) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: _586c7cb603123e70cb20449d8b779a9b)
2018-02-08 13:39:06 INFO Shibboleth-TRANSACTION [1]: Cached the following attributes with session (ID: _e0efa9ad4c76cff38f1703695c955a30) for (applicationId: default) {
2018-02-08 13:39:06 INFO Shibboleth-TRANSACTION [1]:    mail (1 values)
2018-02-08 13:39:06 INFO Shibboleth-TRANSACTION [1]:    eppn (1 values)
2018-02-08 13:39:06 INFO Shibboleth-TRANSACTION [1]:    persistent-id (1 values)
2018-02-08 13:39:06 INFO Shibboleth-TRANSACTION [1]: }

Can anyone help me?
Thanks a lot in advance,

M.

Looking at your attribute names I don’t think they are prefixed with ADFS_, so try setting the attrs_prefix to an empty string.

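The prefix mismatch suggested in the reply above can be checked offline from transaction.log. This is an added example, not code from Indico or Shibboleth: it assumes the auth provider only considers attributes whose names start with `attrs_prefix` and looks them up by full name, and the function names and the sample log (session ID replaced) are constructed for illustration.

```python
import re

# Constructed sample modelled on the transaction.log excerpt in the question.
TRANSACTION_LOG = """\
2018-02-08 13:39:06 INFO Shibboleth-TRANSACTION [1]: Cached the following attributes with session (ID: _example) for (applicationId: default) {
2018-02-08 13:39:06 INFO Shibboleth-TRANSACTION [1]:    mail (1 values)
2018-02-08 13:39:06 INFO Shibboleth-TRANSACTION [1]:    eppn (1 values)
2018-02-08 13:39:06 INFO Shibboleth-TRANSACTION [1]:    persistent-id (1 values)
2018-02-08 13:39:06 INFO Shibboleth-TRANSACTION [1]: }
"""

# Matches lines such as "...:    mail (1 values)" and captures the attribute name.
ATTR_LINE = re.compile(r"Shibboleth-TRANSACTION \[\d+\]:\s+(\S+) \(\d+ values?\)\s*$")


def cached_attributes(log_text):
    """Return the attribute names the SP cached, in log order."""
    names = []
    for line in log_text.splitlines():
        match = ATTR_LINE.search(line)
        if match:
            names.append(match.group(1))
    return names


def check_prefix(attrs, prefix, mapping, identifier_field):
    """Model (assumption) of prefix filtering: attributes not starting with
    `prefix` are invisible to the application."""
    visible = [a for a in attrs if a.startswith(prefix)]
    wanted = set(mapping.values()) | {identifier_field}
    missing = sorted(w for w in wanted if w not in visible)
    return {
        "visible": visible,
        "missing": missing,
        # No visible attribute at all corresponds to "No valid data received".
        "ok": bool(visible) and not missing,
    }


MAPPING = {"login": "eppn", "personId": "persistent-id", "email": "mail"}

if __name__ == "__main__":
    attrs = cached_attributes(TRANSACTION_LOG)
    for prefix in ("ADFS_", ""):
        print(repr(prefix), check_prefix(attrs, prefix, MAPPING, "mail"))
```

With the `ADFS_` prefix no attribute is visible, which matches the "No valid data received" error in indico.log; with an empty prefix every mapped attribute resolves.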

It seems that it works now.

Thanks a lot, @ThiefMaster.