Support » Plugin: Shibboleth » Loop issue

  • Resolved forswebmaster

    (@forswebmaster)


    Hello,

    I installed the Shibboleth plugin (v. 2.1.1) on a 4.9.7 WordPress instance and tried to configure the Shibboleth login, without success.
    I made almost no changes to the default plugin configuration (only auto login plus user configuration). Here is a description of the issue:

    – When I try to log in with Shibboleth, I am redirected to my IdP for login
    – I select my institution in the list
    – I enter my credentials and submit them
    – Then I am redirected to the institution selection list again, and again and again

    Then I tried to dig a little further. First by looking at which URLs are called. I noticed that the URLs n° 8 to 11 (see below) are called again and again.

    I also tried to trace what was happening in the plugin flow. I noticed that when the function “shibboleth_session_active()” is called, the $_SERVER array does not contain any Shibboleth variable (like Shib-Session-ID).

    Another strange thing is that when I open a new tab and type in my website address (`https://test.example.org/`), I am logged in and can then access the wp-admin part. In a new tab, accessing a page with phpinfo, I can see that all Shibboleth variables are set.

    Could you please help me solve this issue? Do you have any clue about the cause of this, or whether it is a bug?

    Thanks in advance for your answer.

    
    Requests :
    1) https://test.example.org/wp-login.php?redirect_to=https://test.example.org/wp-admin/&action=shibboleth
    2) https://test.example.org/Shibboleth.sso/Login?target=https://test.example.org/wp-login.php?action=shibboleth&redirect_to=https%3A%2F%2Ftest.example.org%2Fwp-admin%2F
    3) https://wayf.example.org/wayf/WAYF?entityID=https://myentityid.org/shibboleth&return=https://test.example.org/Shibboleth.sso/Login?SAMLDS=1&target=ss%3Amem%3A2307280b9efe5c66780ab65c0994806d06c74981260f1163faaf66b40941b0ca
    4) https://wayf.example.org/wayf/WAYF?entityID=https://myentityid.org/shibboleth&return=https://test.example.org/Shibboleth.sso/Login?SAMLDS=1&target=ss%3Amem%3A2307280b9efe5c66780ab65c0994806d06c74981260f1163faaf66b40941b0ca
    5) https://test.example.org/Shibboleth.sso/Login?SAMLDS=1&target=ss:mem:2307280b9efe5c66780ab65c0994806d06c74981260f1163faaf66b40941b0ca&entityID=https://myidp.org/idp/shibboleth
    6) https://myidp.org/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZLLbsIwEEV/JfKeOAkIgkWQKCyKRAsitItuKsceGlfGTj1OH39f8yzdsLPke89ojmaEfKcbNml9bdbw0QL66HunDbLDR0FaZ5jlqJAZvgNkXrBy8rBgWZywxllvhdUkmiCC88qaqTXY7sCV4D6VgKf1oiC19w0ySn2AxwggMRTfQfhY1LSsVVVZDb6OES3dszO6WpYbEs1CXhm+x/5BOFdxa5Ted5VsaEBtlYZTcQ1SuUCmZbkk0XxWkNdePpDDalt1hyD7sp+neXgK2RUyzYUQVYghtjA36LnxBcmSNO8kg0433SQDliSsN3gh0eq06p0yUpm3216qYwjZ/Waz6hyXeQaHh0VCgIxHe7vsMNhd+b6N5WfJZHy2sbUOs+wiBC8yR/RqwnFcwx4Dcj5bWa3ETzTR2n5NHXAPBUkJHR8r/29h/As=&RelayState=ss:mem:2307280b9efe5c66780ab65c0994806d06c74981260f1163faaf66b40941b0ca
    7) https://myidp.org/idp/profile/SAML2/Redirect/SSO;jsessionid=A86F4275E200AD8B96E9491D6C496E8C?execution=e1s1
    8) https://test.example.org/Shibboleth.sso/SAML2/POST
    9) https://test.example.org/wp-login.php?action=shibboleth&redirect_to=https://test.example.org/wp-admin/
    10) https://test.example.org/Shibboleth.sso/Login?target=https://test.example.org/wp-login.php?action=shibboleth&redirect_to=https%3A%2F%2Ftest.example.org%2Fwp-admin%2F
    11) https://wayf.example.org/wayf/WAYF?entityID=https://myentityid.org/shibboleth&return=https://test.example.org/Shibboleth.sso/Login?SAMLDS=1&target=ss%3Amem%3Af5644cc9afedbf4ac108e1d319198bfad0ad27b7b65d815ef6e6d73ffdec15ad
    
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Contributor Jonathan Champ

    (@jrchamp)

    There’s about a million questions to ask, so I’m not sure where to start. So if you’re using Apache httpd, hopefully AllowOverride AuthConfig is available for the directory and AuthType shibboleth is set (probably in the .htaccess).

    You can usually check if you’ve logged in successfully to Shibboleth itself by going to https://test.example.org/Shibboleth.sso/Session

    So then we want to see the variable in the PHP, so if you create a file like https://test.example.org/check_server.php with something like “<?php var_dump($_SERVER);” you can check just the _SERVER variables to make sure userland PHP can see the Shibboleth information.

    If it’s still not working, maybe try turning off auto-login and see if that works better. To do that, you can delete the option shibboleth_auto_login or set it to false, such as “update_option( 'shibboleth_auto_login', false );”.

    Plugin Author michaelryanmcneill

    (@michaelryanmcneill)

    I agree with @jrchamp. Please verify the proper directives are included in .htaccess, as well as that the environment variables are coming through with the proper prefixes. Please update this post with additional information on the status of this issue.

    Hello,

    Thanks a lot for your answers!

    I finally managed to find out what the cause of the loop was. In the Apache httpd.conf file I had the following directives, which were overriding any “Require shibboleth” directive present in virtualhosts or htaccess files:

    <LocationMatch "/wp-login.php">
        Require ip xxx.xxx.0.0/16
    </LocationMatch>

    The fix was to change these directives to:

    <LocationMatch "/wp-login.php">
        AuthType shibboleth
        <RequireAll>
            Require shibboleth
            Require ip xxx.xxx.0.0/16
        </RequireAll>
    </LocationMatch>
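
A small checker for the misconfiguration identified in the last reply, added here as an example (not code from the thread or the plugin): it walks an Apache config, finds `<Location>`/`<LocationMatch>` sections that apply to `/wp-login.php`, and reports those that carry `Require` rules without both `AuthType shibboleth` and `Require shibboleth`. The names `audit` and `covers`, the simplified section matching and the 192.0.2.0/24 sample network are assumptions.

```python
import re

# Constructed samples modelled on the two snippets in the thread; 192.0.2.0/24
# is a documentation range standing in for the redacted network.
BEFORE = """\
<LocationMatch "/wp-login.php">
    Require ip 192.0.2.0/24
</LocationMatch>
"""
AFTER = """\
<LocationMatch "/wp-login.php">
    AuthType shibboleth
    <RequireAll>
        Require shibboleth
        Require ip 192.0.2.0/24
    </RequireAll>
</LocationMatch>
"""
OPEN = re.compile(r'<(Location|LocationMatch)\s+"?([^">]+?)"?\s*>$', re.I)
CLOSE = re.compile(r"</(Location|LocationMatch)>$", re.I)

def covers(kind, arg, path):
    """Approximate Apache's matching: prefix for Location, regex for LocationMatch."""
    if kind.lower() == "location":
        return path.startswith(arg)
    return re.search(arg, path) is not None

def audit(conf, path="/wp-login.php"):
    """Return (line, section) for sections on `path` that authorize without Shibboleth."""
    findings, stack = [], []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := OPEN.match(line):
            stack.append({"kind": m[1], "arg": m[2], "line": lineno, "require": [], "authtype": []})
        elif CLOSE.match(line) and stack:
            sec = stack.pop()
            shib = "shibboleth" in sec["authtype"] and "shibboleth" in sec["require"]
            if sec["require"] and not shib and covers(sec["kind"], sec["arg"], path):
                findings.append((sec["line"], f'<{sec["kind"]} {sec["arg"]}>'))
        else:
            # Directives inside <RequireAll> etc. belong to the enclosing section.
            words = line.lower().split()
            if stack and len(words) > 1 and words[0] in ("require", "authtype"):
                stack[-1][words[0]].append(words[1])
    return findings
```

Run `audit()` over the main server config as well as virtual host files, since in this thread the conflicting section was in httpd.conf rather than in the site's own .htaccess.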
