WordPress.org

Shibboleth
[Plugin Shibboleth] loop wrong key checked (13 posts)

  1. tsikorski
    Member
    Posted 3 years ago #

    When trying to establish if a session is active in shibboleth.php the function shibboleth_session_active is checking for session headers which in my environment don't exist.

    Here is the function in question:

    /**
     * Check if a Shibboleth session is active.
     *
     * @return boolean if session is active
     * @uses apply_filters calls 'shibboleth_session_active' before returning final result
     */
    function shibboleth_session_active() {
            $active = false;
    
            $session_headers = array('Shib-Session-ID', 'HTTP_SHIB_IDENTITY_PROVIDER');
            foreach ($session_headers as $header) {
                    if ( array_key_exists($header, $_SERVER) && !empty($_SERVER[$header]) ) {
                            $active = true;
                            break;
                    }
            }
    
            $active = apply_filters('shibboleth_session_active', $active);
            return $active;
    }

    I managed to get the plugin to work by changing the code to

    /**
     * Check if a Shibboleth session is active.
     *
     * @return boolean if session is active
     * @uses apply_filters calls 'shibboleth_session_active' before returning final result
     */
    function shibboleth_session_active() {
            $active = false;
    
            $session_headers = array('Shib_Session_ID', 'HTTP_SHIB_IDENTITY_PROVIDER');
            foreach ($session_headers as $header) {
                    if ( array_key_exists($header, $_SERVER) && !empty($_SERVER[$header]) ) {
                            $active = true;
                            break;
                    }
            }
    
            $active = apply_filters('shibboleth_session_active', $active);
            return $active;
    }

    Without this change any attempt at using Shib would cause a loop with the IdP. Has anyone else seen this?

  2. jkhongusc
    Member
    Posted 3 years ago #

    Just wanted to comment that the Shibboleth plugin out-of-the-box worked fine for me. I verified that we do retrieve 'Shib-Session-ID' from Shibboleth. One of the first things I install on a Shibbolized server is a test page that prints out all the headers.

  3. fabri76
    Member
    Posted 2 years ago #

    Hello,
    I am experiencing the same loop problem. I tried your workaround, but nothing changes.
    Can you help me, please?
    Thank you.
    Ciao,
    Fabrizio

  4. jkhongusc
    Member
    Posted 2 years ago #

    fabri76 -
    The endless looping could be caused by a number of reasons. You should create a page that prints out all the Shibboleth headers to verify that you are getting 'Shib-Session-ID' or 'HTTP_SHIB_IDENTITY_PROVIDER'.

    For example I created a Shibboleth protected PHP page (e.g. /secure/debug.php) that prints out all the HTTP headers:

    <?php print '<pre>'.print_r($_SERVER, true).'</pre>'; ?>

    First verify that you are getting those headers. If you are getting the headers, I would check on your Shibboleth/Apache configuration (i.e. htaccess file) or your Shibboleth configuration in WP.

  5. fabri76
    Member
    Posted 2 years ago #

    Hello jkhongusc,
    thank you for your reply.
    I have a test PHP page which shows all of the HTTP headers, and the result is:
    ***
    HTTP_SHIB_IDENTITY_PROVIDER https://federatest.lepida.it/gw/metadata
    Shib-Application-ID default
    Shib-Authentication-Instant 2011-05-18T05:58:46.883Z
    Shib-Authentication-Method urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    Shib-AuthnContext-Class urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    Shib-Identity-Provider https://federatest.lepida.it/gw/metadata
    Shib-Session-ID _26d49f597a3d3040506564bd7a80a46d
    ***
    So I am already getting Shib-Session-ID and HTTP_SHIB_IDENTITY_PROVIDER; what should I check to solve my loop problem?
    Thank you very much.
    Ciao,
    Fabrizio

  6. jkhongusc
    Member
    Posted 2 years ago #

    fabri76 -
    Great, that verifies that Shibboleth is configured properly and passing the session variables.
    1) Can you tell me what version of WP you are using and if you have any special configurations (e.g. multi-site)?
    2) Are you certain you entered the correct Shibboleth configurations in /wp-admin? The really important ones are 'Session Initiator URL' and 'Username'. Make sure you map the correct http header to Username and that you can see Username header in your test php page.
    3) Can you tell me the exact URLs (you can leave out hostnames) to log into Shibboleth and when the endless looping occurs?
    4) Can you check if your <WP dir>/.htaccess file has the shibboleth settings:

    # BEGIN Shibboleth
    AuthType Shibboleth
    Require Shibboleth
    # END Shibboleth

    If you are certain you are doing everything right, the next step is to insert logging into the Shibboleth plugin.

    James

  7. fabri76
    Member
    Posted 2 years ago #

    Hello James,
    here are the answers to your questions:
    1. My WP version is 3.0.2 and I do not have special configs (no multi-site).
    2. Yes, the 'session initiation url' (which points to "http://<myURL>/Shibboleth.sso/Login") is set properly; in fact, when I choose to log on with Shibboleth I am redirected to the Shibboleth login URL set as mentioned above. Also the username is set and points to "CodiceFiscale"; in fact (from my test page) I see:
    ***
    CodiceFiscale LSGFRZ76R04H223G
    ***
    If you believe that it can be of help, I can give you a username and the URL for the test page and the Shib login page, so you can test what happens yourself. Let me know. In this case I would prefer to give you link, username and password via email.
    3. When the loop occurs, the 2 URLs shown are:
    http://<myURL>/Shibboleth.sso/Login?target=http%3A%2F%2F<myURL>%2Fwp-login.php%3Faction%3Dshibboleth
    and
    https://<myRemoteIdp>/gw/AssertionConsumerProxy/SAML1?ssoProxying=reggioemilia
    4. The .htaccess file contains:
    ***

    # BEGIN WordPress

    # END WordPress

    # BEGIN Shibboleth
    AuthType Shibboleth
    Require Shibboleth
    # END Shibboleth
    ***
    Let me know, please.
    Thank you.
    Ciao,
    Fabrizio

  8. jkhongusc
    Member
    Posted 2 years ago #

    fabrizio -
    IMO, it seems that you have configured everything correctly. But WP is not seeing the Shibboleth session headers. The next step is to add logging into the shibboleth plugin. Hopefully you are confident enough to be able to do this... on a test system (not production):

    1) backup main shib plugin file

    cd <wp dir>/wp-content/plugins/shibboleth
    cp shibboleth.php shibboleth.php.bak

    2) add logging to various functions. I think the problem is in shibboleth_session_active() so I will give you an example of how to add logging to that function, but go ahead and put the logging in other functions:

    function shibboleth_session_active() {
            error_log("shibboleth_session_active",0);   // mark each call in the Apache error log
            $active = false;
            $session_headers = array('Shib-Session-ID', 'HTTP_SHIB_IDENTITY_PROVIDER','Shib-Identity-Provider');
            foreach ($session_headers as $header) {
                    if ( array_key_exists($header, $_SERVER) && !empty($_SERVER[$header]) ) {
                            $active = true;
                            break;
                    }
            }
            if ($active == false) {
                    // log what WP actually sees for each candidate key (an empty value means it is missing)
                    error_log("Shib-Session-ID = ".$_SERVER['Shib-Session-ID'],0);
                    error_log("HTTP_SHIB_IDENTITY_PROVIDER = ".$_SERVER['HTTP_SHIB_IDENTITY_PROVIDER'],0);
                    error_log("Shib-Identity-Provider= ".$_SERVER['Shib-Identity-Provider'],0);
            }
            $active = apply_filters('shibboleth_session_active', $active);
            return $active;
    }

    3) tail -f the apache error log file
    4) log into WP/Shibboleth and watch the error messages

    Let me know if shibboleth_session_active() can see the Shibboleth headers - that is the key to the looping.

    James

  9. fabri76
    Member
    Posted 2 years ago #

    James,
    first of all thank you for your very important support!

    I put the logging into the shibboleth_session_active function, and the result of the tail on the error_log file is:

    ***
    [Wed May 18 16:18:24 2011] [error] [client 172.16.2.33] shibboleth_session_active
    [Wed May 18 16:18:24 2011] [error] [client 172.16.2.33] Shib-Session-ID =
    [Wed May 18 16:18:24 2011] [error] [client 172.16.2.33] HTTP_SHIB_IDENTITY_PROVIDER =
    [Wed May 18 16:18:24 2011] [error] [client 172.16.2.33] Shib-Identity-Provider=
    [Wed May 18 16:18:26 2011] [error] [client 172.16.2.33] shibboleth_session_active
    [Wed May 18 16:18:26 2011] [error] [client 172.16.2.33] Shib-Session-ID =
    [Wed May 18 16:18:26 2011] [error] [client 172.16.2.33] HTTP_SHIB_IDENTITY_PROVIDER =
    [Wed May 18 16:18:26 2011] [error] [client 172.16.2.33] Shib-Identity-Provider=
    [Wed May 18 16:18:27 2011] [error] [client 172.16.2.33] shibboleth_session_active
    [Wed May 18 16:18:27 2011] [error] [client 172.16.2.33] Shib-Session-ID =
    [Wed May 18 16:18:27 2011] [error] [client 172.16.2.33] HTTP_SHIB_IDENTITY_PROVIDER =
    [Wed May 18 16:18:27 2011] [error] [client 172.16.2.33] Shib-Identity-Provider=
    [Wed May 18 16:18:29 2011] [error] [client 172.16.2.33] shibboleth_session_active
    [Wed May 18 16:18:29 2011] [error] [client 172.16.2.33] Shib-Session-ID =
    [Wed May 18 16:18:29 2011] [error] [client 172.16.2.33] HTTP_SHIB_IDENTITY_PROVIDER =
    [Wed May 18 16:18:29 2011] [error] [client 172.16.2.33] Shib-Identity-Provider=
    [Wed May 18 16:18:31 2011] [error] [client 172.16.2.33] shibboleth_session_active
    ***

    That means that, as you mentioned, the function does not show the headers needed!
    Which are the other functions that need logging? I am trying to do that, but I have to confess that I am not very confident in that... I do hope I will be able.
    Thank you.
    Ciao,
    Fabrizio

  10. jkhongusc
    Member
    Posted 2 years ago #

    fabrizio -
    For now you do not have to add error logging anywhere else. The question is why does your test page see the shibboleth headers and not WP. There must be a difference in the Shibboleth or Apache/httpd configuration.

    What is the URL to your test page and how did you protect it with Shibboleth? Is the test page on the WP server? If not, it should be!

    Another way to check is to manually initiate a Shib login and redirect straight to the test page. You can create your own Shibbed URL by changing the target (it has to be encoded) -

    http://<myURL>/Shibboleth.sso/Login?target=http%3A%2F%2F<myURL>%2Ftest.php

  11. fabri76
    Member
    Posted 2 years ago #

    James,
    the URL of my test page is:

    http://<myURL>/secure2/test.php

    (all of the files under the virtual directory secure2 are protected via Shibboleth login).
    And yes, the test page is on the WP server.

    The good news (or maybe it is not good news?) is that, invoking the following URL:

    http://<myURL>/Shibboleth.sso/Login?target=http%3A%2F%2F<myURL>%2Fsecure2%2Ftest.php

    I am redirected to my remote IdP, then I can log on, and then I am redirected (with no loop) to the test.php page, which shows:

    Shib-Application-ID	default
    Shib-Session-ID	_16fec1f0e3311190547b751214760f27
    Shib-Identity-Provider	https://<remoteIdP>/gw/metadata
    Shib-Authentication-Instant	2011-05-18T15:02:58.012Z
    Shib-Authentication-Method	urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    Shib-AuthnContext-Class	urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    CodiceFiscale	LSGFRZ76R04H223G
    cognome	LASAGNI
    nome	FABRIZIO
    HTTP_SHIB_SESSION_ID	_16fec1f0e3311190547b751214760f27
    HTTP_SHIB_SESSION_INDEX
    HTTP_SHIB_IDENTITY_PROVIDER	https://<remoteIdP>/gw/metadata
    HTTP_SHIB_AUTHENTICATION_METHOD	urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    HTTP_SHIB_AUTHENTICATION_INSTANT	2011-05-18T15:02:58.012Z
    HTTP_SHIB_AUTHNCONTEXT_CLASS	urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    HTTP_SHIB_AUTHNCONTEXT_DECL
    HTTP_SHIB_ASSERTION_COUNT
    HTTP_SHIB_APPLICATION_ID	default

    Now I am a little bit confused...
    Now I should be logged in, but if I invoke the WP logon page the loop starts, whereas if I invoke one of the pages under the virtual directory (/secure2) I can see the page correctly and all of the session parameters (Shibboleth ones included).

    Thanks again.
    Ciao,
    Fabrizio
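The posts above show the same session appearing under several different $_SERVER key spellings ('Shib-Session-ID' in post 5, 'Shib_Session_ID' in the first post's workaround, and 'HTTP_SHIB_SESSION_ID' beside 'Shib-Session-ID' in post 11), and a debug page that dumps all of $_SERVER. The following is an added example, not the plugin's own code: a session check that accepts every spelling seen in this thread and a debug view that lists only Shibboleth keys; the example_ function names are hypothetical and the sample request is constructed from values quoted in the thread.

```php
<?php
// Added example (not the plugin's code): a session check accepting every $_SERVER
// key spelling seen in this thread, and a debug view limited to Shibboleth keys.
// mod_shib may expose attributes as environment variables ('Shib-Session-ID'), as
// HTTP headers PHP names 'HTTP_SHIB_SESSION_ID', or with underscores ('Shib_Session_ID').
function example_shib_session_keys() {
    return array(
        'Shib-Session-ID', 'Shib_Session_ID', 'HTTP_SHIB_SESSION_ID',
        'Shib-Identity-Provider', 'HTTP_SHIB_IDENTITY_PROVIDER',
    );
}

// True when any candidate key is present and non-empty. $server defaults to $_SERVER
// but is a parameter so the check can be exercised with a constructed array.
function example_shib_session_active($server = null) {
    if ($server === null) {
        $server = $_SERVER;
    }
    $active = false;
    foreach (example_shib_session_keys() as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            $active = true;
            break;
        }
    }
    if (function_exists('apply_filters')) {   // keep the plugin's hook inside WordPress
        $active = apply_filters('shibboleth_session_active', $active);
    }
    return $active;
}

// Debug rows limited to keys containing 'shib', with the session ID truncated, so a
// test page does not expose unrelated server variables or a full session identifier.
function example_shib_debug_rows(array $server) {
    $rows = array();
    foreach ($server as $key => $value) {
        if (stripos($key, 'shib') === false) {
            continue;
        }
        if (preg_match('/session[-_]id/i', $key)) {
            $value = substr((string) $value, 0, 4) . '...';
        }
        $rows[$key] = $value;
    }
    return $rows;
}

// Constructed sample request with environment-style keys only, as in post 5.
$sample = array('Shib-Session-ID' => '_26d49f597a3d3040506564bd7a80a46d', 'REMOTE_ADDR' => '172.16.2.33');
var_dump(example_shib_session_active($sample));
print_r(example_shib_debug_rows($sample));
```

Running the same check against an array containing only 'Shib_Session_ID' or only 'HTTP_SHIB_SESSION_ID' also returns true, which is the difference between this check and the one-spelling version in the first post.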

  12. jkhongusc
    Member
    Posted 2 years ago #

    fabrizio -
    My suggestion is to move your test page out of /secure2 and into the top (WP) directory, where wp-login.php resides; so the URL would be http://<myURL>/test.php

    Then see if you still get the Shib session headers: http://<myURL>/Shibboleth.sso/Login?target=http%3A%2F%2F<myURL>%2Ftest.php

    Are the hostnames for WP and the test.php URL the same? Just making sure because I cannot think of any reason why WP login would not work. If all this doesn't work, I may need access to the URLs (via email).
    jkhong @ usc.edu

    James

  13. fabri76
    Member
    Posted 2 years ago #

    James,
    I moved the test.php page into the WP top directory. I am redirected to the logon page, but after the login I get this error:

    SWITCH Attribute Viewer
    
    Attributes	Values
    No valid Shibboleth session!
    This web page is probably not protected with Shibboleth. Hint to Home Organization administrators:
    Have a look at your web server or Shibboleth configuration

    I am sending you an email with the details of the URL and username/password for the tests.

    Thank you very much.
    Ciao,
    Fabrizio

Topic Closed

This topic has been closed to new replies.
