Hello,
I’m experiencing a strange issue where both of my login buttons redirect me to the same login method within my Indico application. However, when I use the links outside of Indico, both of them work as expected, allowing me to log in with either the IdP or SWAMID… But it doesn’t work in Indico.
- https://domain.com/Shibboleth.sso/login/shib-sso/shibboleth
- https://domain.com/Shibboleth.sso/login/shib-sso/shibboleth-ds
The first button redirects me to our Identity Provider (IdP) without any issues, allowing me to log in successfully.
The second button redirects me to the federation login page where I need to select our entity before being directed to our IdP. This process works smoothly, and I can log in without encountering any problems.
In the Shibboleth configuration file (shibboleth2.xml), there are two SessionInitiator elements defined, each specifying a different login method (shibboleth and shibboleth-ds). Despite these configurations, the behavior observed in the Indico application suggests that both buttons end up using the same login method. The intriguing aspect is that regardless of the button clicked, the top SessionInitiator determines the login method for both buttons. However, when I swap the SessionInitiator positions, both buttons still function, yet they both adopt the same login method.
<SessionInitiator type="Chaining" Location="/login/shib-sso/shibboleth-ds" id="swamid-ds-default" relayState="cookie">
    <SessionInitiator type="SAML2" acsIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1" acsIndex="5"/>
    <SessionInitiator type="SAMLDS" URL="https://service.seamlessaccess.org/ds/"/>
</SessionInitiator>
<SessionInitiator type="Chaining" Location="/login/shib-sso/shibboleth" id="entity" relayState="ss:mem"
                  entityID="http://idp.domain.com/adfs/services/trust">
    <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
</SessionInitiator>
In my /opt/indico/etc/indico.conf, it looks like this:
AUTH_PROVIDERS = {
    'shib-sso': {
        'type': 'shibboleth',
        'title': 'Login with idp',
        'attrs_prefix': '',
        'callback_uri': '/login/shib-sso/shibboleth',
    },
    'shib-sso-ds': {
        'type': 'shibboleth',
        'title': 'Login with Single Sign On',
        'attrs_prefix': '',
        'callback_uri': '/login/shib-sso/shibboleth-ds',
    }
}
IDENTITY_PROVIDERS = {
    'shib-sso': {
        'type': 'shibboleth',
        'title': 'SSO',
        'identifier_field': 'subject-id',
        'mapping': {
            'affiliation': 'schacHomeOrganization',
            'first_name': 'givenName',
            'last_name': 'sn',
            'email': 'mail',
            'phone': 'ADFS_PHONENUMBER',
        },
        'trusted_email': True
    },
    'shib-sso-ds': {
        'type': 'shibboleth',
        'title': 'SSO',
        'identifier_field': 'subject-id',
        'mapping': {
            'affiliation': 'schacHomeOrganization',
            'first_name': 'givenName',
            'last_name': 'sn',
            'email': 'mail',
            'phone': 'ADFS_PHONENUMBER',
        },
        'trusted_email': True
    }
}
In the Apache configuration file (indico.conf), there’s a <LocationMatch> directive set up to handle requests for both login methods. This directive applies Shibboleth authentication to URLs related to both login methods.
<LocationMatch "^(/Shibboleth\.sso|/login/shib-sso/shibboleth|/login/shib-sso-ds/shibboleth)">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibExportAssertion Off
    Require valid-user
</LocationMatch>
What am I missing or doing wrong?
Thank you!
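Added example, not part of the original post: an Apache configuration that binds each Indico callback path from the AUTH_PROVIDERS above to a specific SessionInitiator by its id, using the Shibboleth SP requireSessionWith content setting. It assumes that when requireSession triggers on a protected path without such a hint, the SP falls back to its default (first-listed) SessionInitiator, and that the ids "entity" and "swamid-ds-default" are the ones defined in the shibboleth2.xml shown above.

```apache
# Added example (not the poster's configuration). The SP handler URLs keep
# the original rule; only the two Indico callback paths get an explicit
# initiator via requireSessionWith (selects a SessionInitiator by "id").
<LocationMatch "^/Shibboleth\.sso">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibExportAssertion Off
    Require valid-user
</LocationMatch>

# Callback of the 'shib-sso' provider: go straight to the configured IdP.
# <Location> matches on path segments, so this does not cover the "-ds" path.
<Location "/login/shib-sso/shibboleth">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibRequestSetting requireSessionWith entity
    ShibExportAssertion Off
    Require valid-user
</Location>

# Callback of the 'shib-sso-ds' provider: go through the discovery service.
# The original regex alternative "/login/shib-sso-ds/shibboleth" matched no
# callback_uri in indico.conf, so it is dropped here.
<Location "/login/shib-sso/shibboleth-ds">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibRequestSetting requireSessionWith swamid-ds-default
    ShibExportAssertion Off
    Require valid-user
</Location>
```

After a reload, a request to each callback path with no SP session should redirect to a different initiator, which can be confirmed from the Location header of the first redirect.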