I have the following configuration in Apache in my service provider:
<Location /login >
AuthType Shibboleth
ShibRequireSession On
ShibUseHeaders On
require valid-user
</Location>
After authentication, I tried to access the headers in another page, but they did not exist.
It looks like additional configuration is required in Apache.
How do I configure so that Shibboleth is triggers at /login and yet other pages have access to the headers?
Assuming you are using java to fetch shibboleth parameters;
Shibboleth attributes can only be fetched by AJP, So you have to have
AJP enabled in your server.
In shibboleth SP's shibboleth2.xml file's ApplicationDefaults tag add this parameter - attributePrefix="AJP_", this will send parameters as AJP.
In apache enable mod_proxy_ajp module and pass ajp via
ProxyPass /my-application/login ajp://localhost:8009/my-application/login
Even if this is done, shibboleth parameters won't display directly under parameters.keySet(). But if you do parameters.get(key) then it will return some value sent by shib.
Above behaviour may vary for different servers; i.e. you may need to get values by parameters.get("AJP_"+key). P.S. check in both header and request object.
Related
I have searched only for many hours trying to find an answer but cannot. I have an up to date version of Shibboleth working in my RedHat el6.x86_64 proxy server. (SELinux is in permissive mode.) I have a Service Provider setup.
It works well with a particular default IdP. However, when I add the Embedded Discovery Service so that users can select one of two IdP's then there is a problem I cannot get passed:
The user types the resource and gets redirected to the discovery page. They select the IdP they want. They log into that IdP without a problem. After submitting their authentication to the IdP, the user gets redirected to the correct resource but THEN ALWAYS GETS IMMEDIATELY redirected back to the discovery page. In the Apache logs I see that the authentication credentials from the IdP were good.
I've looked extremely closely at the Apache configuration and do not have the redirect in there. All I have is this below for my resource as well as the default /etc/httpd/conf.d/shibboleth-ds.conf and /etc/httpd/conf.d/shib.conf files.
Order allow,deny
Allow from all
AuthType Shibboleth
require valid-user
ShibUseHeaders On
Require shibboleth
In my shibboleth2.xml file I definitely did exactly as the Shibboleth Embedded Discovery Service instructions say. Every tag is in place. I also tried different parameters within the shibboleth-ds/idpselect_config.js but that didn't help. Can someone please give me some guidance? Thank you.
The checkIP and consistentIP settings needed to be adjusted.
I am doing a POC where I need to integrate the Shibboleth SP with OKTA idp provider.I have completed all below steps documented on OKTA official site for this integration.
Install Shibboleth Service Provider
2.Configure the webserver to use Shibboleth
3.Configure Shibboleth to protect a specific folder Create an Okta SAML 2.0 Template application
4.Modify Shibboleth to use the metadata obtained from the Okta application 5.Modify the attribute-map.xml file within Shibboleth
to set the appropriate header variables
6.Restart everything
But there are details missing from the step 5 where I need to modify the atrribute-map.xml. when I fire my protected URI(hosted on apache) it is getting redirected to OKTA login page. But after user enters the user-id and password and clicks login I get a spinner on my browser and it never takes me to my protected site URI hosted on Apache. Any clues to fix this attribute-mapping in Shibboleth SP is highly appreciated.
If the page is not being redirected to SP, he problem need not be with attributes-map.xml
Endpoints could be incorrectly configured. Check
{web app uri}/Shibboleth.sso/Metadata to see if the endpoint URLs are correctly defined.
Check Shibboleth2.xml if entityID is correctly defined, this is the web application that Shibboleth is protecting.
Check {web app uri}/Shibboleth.sso/Session this displays if all the attributes that are being sent from Okta. You can make it display the values too by changing Shibboleth2.xml since it is just POC.
Finally comes attributes-map.xml where you can configure attributes as agreed with Okta. There are some default attributes like NameID that are pre-configured here. You can see the format in attribute-map.xml and in /Shibboleth.sso/Session and code to make use accordingly. For example
formatter="$NameQualifier!$SPNameQualifier!$Name"
If you are adding custom attributes a simple element as shown below should work as long as the name is matching the attribute name that Okta is sending.
This issue was resolved by doing proper configuration on the OKTA side .OKTA provides sam2.0 template app for integration with shibboleth .The below mentioned parameters of this template app were properly configured.
Post Back URL -
Name ID Format - Transient
Recipient -
Audience Restriction -
authnContextClassRef - PasswordProtectedTransport
Response - Signed
Assertion - Signed
Request - Compressed
Destination -
Attribute Statements - username|${user.userName}
Then our integration was succesful
I have my Web Server/IP as
http://username:password#site/path
in my HTTP Request Page in JMeter. I have checked "Retrieve Embedded Resources" in the page. The resources that are retrieved just show up as
http://site/path
and hence fails with a 404 Authentication error. How should i set up for the embedded resources also to include the username and password.
Remove username and password from your URL
Add HTTP Authorization Manager to your Test Plan and provide username and password there
HTTP Authorization Manager will automatically add basic authentication header to all requests including embedded and it should resolve the issue.
I have a CQ Dispatcher configured behind a SSO(single sign on), so when I access the dispatcher URL it will first redirect me to the SSO login page and then after entering the credentials it moves to the dispatcher(My home page).
There isn't a problem in accessing the dispatcher URL
Problem Statement
Problem is with flushing the old content in the cache and getting in the new content onto the cache.
Editing the flush agent
Under the transport tab in the URI section when I give in the value dispatcherURL/dispatcher/invalidate.cache and test the connection it says site moved to the particular sso login page.
What I did
I tried giving in the SSO credentials under the transport tab with
URI as dispatcherURL/dispatcher/invalidate.cache
I tried giving in the SSO credentials under the transport tab with
URI as
SSOURL/dispatcher/invalidate.cache [It is redirected URL]
Please share your knowledge around this.
I think the best option here is to create a new virtualhost in Apache, available without SSO. It should be configured in such manner that only flush agent (and no external clients) can access it. If Apache is installed on the same host as CQ, the virtualhost can be bound to the localhost interface. Otherwise, it should only allow connections from the CQ5 host.
The virtualhost should include the dispatcher configuration, copied from your regular virtualhost.
If you have virtualhost like this, you can configure the flush agent without need to deal with authorization.
Say I have an app with a Sinatra REST API at http://example.com:4567. With my app I have a designer working on the front-end. Rather than set him up with a local back-end I edit his hosts file as follows:
127.0.0.1 local.example.com
and his httpd-vhosts.conf as follows:
ProxyPass /api http://example.com:4567
ProxyPassReverse /api http://example.com:4567
so that API calls are proxied to the remote host. I then create a vhost for local.example.com in apache that maps to his local directory where our front-end repo is. This allows me to give him a remote back-end with a local front-end.
The reason for the subdomain is because we do Facebook authentication which has its restrictive domain policies for auth. We can successfully facebook auth a user and get redirected back to the app, but when attempting to get an access token get a 400 response with the message:
{"error"=>{"message"=>"Missing client_id parameter.", "type"=>"OAuthException", "code"=>101}}
I believe the client_id is correctly set as it's set in the rack:oauth:client object correctly, and the flow is identical and only fails when the domain is different. The only thought I have is that facebook might not like that the user auth's from local.example.com while the access token is requested from example.com, but my understanding is facebook will authenticate on all subdomains. I've also whitelisted local.example.com on my App.
Any insight or advice into how to accomplish this? Thanks in advance.
Turns out it wasn't a domain issue, but rather fb_graph, the open source fb api from nov, uses basic auth by default, you need to set auth to something other than ":basic" when you get the access token in order to solve this error.