Help with SSO troubleshooting


#1

Hi,

I’m trying to configure Shibboleth SSO with Indico but I have not managed to get it working… I followed the configuration instructions for the auth provider and the identity provider (I already have an LDAP provider configured), with no attr prefix (this is an eduGAIN IdP) and the mapping is:

        'affiliation': 'supannEtablissement',
        'first_name': 'givenName',
        'last_name': 'sn',
        'email': 'mail',
        'phone': 'telephoneNumber'

AFAIK, the Shibboleth config part is ok as I have been able to declare the SP into the identity federation which involves retrieving the metadata by the federation.

After restarting Indico, I get the SSO entry in the login page but when I click on the button to use it, it fails with the error message “Identifier missing in shibboleth response” (which can also be found in indico.log). In the Apache access log, I find the following lines for every login attempt:

lfbn-1-9087-126.w86-238.abo.wanadoo.fr - - [04/Feb/2019:21:31:11 +0100] "GET /login/shib-sso/ HTTP/1.1" 302 259
lfbn-1-9087-126.w86-238.abo.wanadoo.fr - - [04/Feb/2019:21:31:11 +0100] "GET /login/shib-sso/shibboleth HTTP/1.1" 302 221
lfbn-1-9087-126.w86-238.abo.wanadoo.fr - - [04/Feb/2019:21:31:11 +0100] "GET /login/ HTTP/1.1" 200 8888

I don’t know if the 302 status code is expected… I guess so. What surprises me is that the Shibboleth transaction.log file remains empty, where I’d have expected to see a transaction entry for every login attempt… but I cannot figure out what the reason could be. I disabled SELinux just in case, without any impact (and in fact no entry is added to audit.log when trying to log in). And when setting the shibd log level to DEBUG, I find the following line in shibd.log :slight_smile:

2019-02-04 21:17:35 DEBUG Shibboleth.ServiceProvider : registered remoted message endpoint (indico::getHeaders::Application)

tending to indicate that some sort of connection was successfully established with Shibboleth by Indico if I interpret the message correctly…

Any troubleshooting hint will be very much appreciated!

Michel


#2

I made progress and found what was preventing the request from being sent to shibd: a hidden require (in an included config file) in the Apache config overwriting the require shib-session. But I still have the error “Identifier missing in shibboleth response” despite seeing the transaction in shibd’s transaction.log…

I’d like to enable more verbose logging in Indico but I don’t remember how to do it. Could somebody refresh my memory?

Michel


#3

Problem found… I’m using Shibboleth v3 (not sure it is the reason but maybe…) where the standard attribute mapping defined in /etc/shibboleth/attribute-map.xml doesn’t contain the mail attribute used as the user identifier by Indico…

BTW, according to the Shibboleth documentation the ‘require valid-user’ should be changed to ‘require shib-session’ (not sure whether it is advice or a strict requirement).

Michel
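A small check for the root cause described in this post, added here as an example and not part of the original thread or of Indico or Shibboleth: it parses an attribute-map.xml and reports which attributes from the Indico mapping the SP will never release, listing the identifier attribute first. The attribute-map.xml excerpt is constructed for the example and deliberately lacks mail and supannEtablissement.

```python
import xml.etree.ElementTree as ET

# Indico identity-provider mapping from the thread (Indico field -> Shibboleth attribute id)
MAPPING = {
    'affiliation': 'supannEtablissement',
    'first_name': 'givenName',
    'last_name': 'sn',
    'email': 'mail',
    'phone': 'telephoneNumber',
}

# Constructed excerpt of /etc/shibboleth/attribute-map.xml. The SP only decodes
# attributes declared here, so anything absent never reaches Indico as a header.
SAMPLE_ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"/>
</Attributes>
"""


def mapped_ids(attribute_map_xml):
    """Return the set of attribute ids that the SP will expose to the web server."""
    root = ET.fromstring(attribute_map_xml)
    ids = set()
    for elem in root.iter():
        # Drop the namespace prefix: '{urn:mace:...}Attribute' -> 'Attribute'
        if elem.tag.rsplit('}', 1)[-1] == 'Attribute' and elem.get('id'):
            ids.add(elem.get('id'))
    return ids


def missing_attributes(mapping, attribute_map_xml, identifier_attr='mail'):
    """Return [(indico_field, shib_attr), ...] for mapped attributes the SP does not
    declare. The identifier attribute comes first: without it Indico rejects the
    login with "Identifier missing in shibboleth response"."""
    known = mapped_ids(attribute_map_xml)
    missing = [(field, attr) for field, attr in mapping.items() if attr not in known]
    # Stable sort: identifier first, the rest keep the mapping's order
    return sorted(missing, key=lambda item: item[1] != identifier_attr)


if __name__ == '__main__':
    for field, attr in missing_attributes(MAPPING, SAMPLE_ATTRIBUTE_MAP):
        print(f"{field!r} maps to {attr!r}, which attribute-map.xml does not declare")
```

Run it against the real /etc/shibboleth/attribute-map.xml by reading the file into the function instead of the constructed sample.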


#4

Great to see that you solved the problem - since we’re not using Shibboleth ourselves anymore (we use the CERN OAuth service, and in the one case where we do still use SAML we use a preconfigured proxy that handles it) it’d have been mostly wild guesses for us.

Maybe something that changed at some point? I know Apache did some major changes in the auth config, so maybe that’s related…


#5

I don’t think the change is related to the 2.4 auth module changes. The Shibboleth recommendation/explanation can be found at https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPhtaccess and ‘valid-user’ is clearly marked as deprecated. shib-session is the replacement since 2.4 if I’m right (3.0 is the version distributed with CentOS 7/EPEL).