I’m trying to configure Shibboleth SSO with Indico but I have not managed to get it working… I followed the configuration instructions for the auth provider and the identity provider (I already have an LDAP provider configured), with no attr prefix (this is an eduGAIN IdP) and the mapping is:
'affiliation': 'supannEtablissement', 'first_name': 'givenName', 'last_name': 'sn', 'email': 'mail', 'phone': 'telephoneNumber'
AFAIK, the Shibboleth config part is OK, as I have been able to declare the SP in the identity federation, which involves the federation retrieving the metadata.
After restarting Indico, I get the SSO entry on the login page, but when I click on the button to use it, it fails with the error message “Identifier missing in shibboleth response” (which can also be found in indico.log). In the Apache access log, I find the following lines for every login attempt:
lfbn-1-9087-126.w86-238.abo.wanadoo.fr - - [04/Feb/2019:21:31:11 +0100] "GET /login/shib-sso/ HTTP/1.1" 302 259
lfbn-1-9087-126.w86-238.abo.wanadoo.fr - - [04/Feb/2019:21:31:11 +0100] "GET /login/shib-sso/shibboleth HTTP/1.1" 302 221
lfbn-1-9087-126.w86-238.abo.wanadoo.fr - - [04/Feb/2019:21:31:11 +0100] "GET /login/ HTTP/1.1" 200 8888
I don’t know if the 302 status code is expected… I guess so. What surprises me is that the Shibboleth transaction.log file remains empty, where I’d expected to see a transaction entry for every login attempt… but I cannot figure out what the reason could be. I disabled SELinux just in case, without any impact (and in fact there is no entry added to audit.log when trying to log in). And when setting the shibd log level to DEBUG, I find the following line in shibd.log:
2019-02-04 21:17:35 DEBUG Shibboleth.ServiceProvider : registered remoted message endpoint (indico::getHeaders::Application)
tending to indicate that some sort of connection was successfully established with Shibboleth by Indico if I interpret the message correctly…
Any troubleshooting hint will be very much appreciated!