StudentAffairsUWM / Laravel-Shibboleth-Service-Provider

Shibboleth Authentication for Laravel
https://packagist.org/packages/saitswebuwm/shibboleth

Question about configuration #5

Closed delahappy closed 9 years ago

delahappy commented 10 years ago

I am replacing my existing LDAP authentication with Shibboleth. I have run through the configuration instructions in the readme. I have commented out my original /login and /logout routes. How do I get my application to use the shibb routes? Do I have to manually copy them into my routes file?

michaeljs1990 commented 10 years ago

If you have a base install of laravel you should be able to do www.example.com/public/login and that will direct you to the IDP that you have set in your shibboleth/config.php file.

michaeljs1990 commented 10 years ago

Here is my example config that I am using on a live site, if it is of any help.

<?php

return array(

    'package' => 'saitswebuwm/shibboleth',

    /*
    |--------------------------------------------------------------------------
    | Default Authentication Driver
    |--------------------------------------------------------------------------
    |
    | This option controls the authentication driver that will be utilized.
    | This driver manages the retrieval and authentication of the users
    | attempting to get access to protected areas of your application.
    |
    | Supported: "database", "eloquent"
    |
    */

    'idp_login' => 'https://'. $_SERVER['SERVER_NAME'] .'/Shibboleth.sso/Login',
    'idp_logout' => 'https://'. $_SERVER['SERVER_NAME'] .'/Shibboleth.sso/Logout',
    'local_logout' => 'saitswebuwm/shibboleth::local',
    'login_fail' => 'noauth',

    /*
    |--------------------------------------------------------------------------
    | Default Views
    |--------------------------------------------------------------------------
    |
    | Default views, to change to the views you made you can change the following
    | lines.
    |
    */

    'login_view' => 'saitswebuwm/shibboleth::local', // View that local users should use to login
    'shibboleth_view' => 'authed', // View shibboleth users see after authenticating
    'default_view' => 'noauth', // View users see after authenticating
    'default_unauth' => 'noauth', // View users see when rejected

    /*
    |--------------------------------------------------------------------------
    | Defaults Settings
    |--------------------------------------------------------------------------
    |
    | Change these settings to the proper values for your idp.
    |
    */

    'local_login_user_field' => 'local_email', //post field used to get username
    'local_login_pass_field' => 'local_password', //post field used to get password
    'idp_login_email' => 'mail', //idp server variable for email address
    'idp_login_first' => 'givenName', //idp server variable for first name
    'idp_login_last' => 'sn', //idp server variable for last name

    /*
    |--------------------------------------------------------------------------
    | Groups Settings
    |--------------------------------------------------------------------------
    |
    | Change the group setting according to your database and program requirements.
    |
    */

    'shibboleth_group' => '1', // Default group ID shibboleth users will be added to

);

michaeljs1990 commented 10 years ago

Closing as no response given.

vcatlan commented 9 years ago

I am interested to know how I set up the application to use the shib routes. I have set up my shibboleth.php similar to what you have above, and I am redirected to my IdP when I go to https://hostname/public, but once I provide my credentials I get the following error:

Symfony \ Component \ HttpKernel \ Exception \ NotFoundHttpException

michaeljs1990 commented 9 years ago

If you post your config file I will take a look.

vcatlan commented 9 years ago

<?php

return array(

    'package' => 'saitswebuwm/shibboleth',
    /*
    |--------------------------------------------------------------------------
    | Default Authentication Driver
    |--------------------------------------------------------------------------
    |
    | This option controls the authentication driver that will be utilized.
    | This driver manages the retrieval and authentication of the users
    | attempting to get access to protected areas of your application.
    |
    | Supported: "database", "eloquent"
    |
    */
    'idp_login' => 'https://'. $_SERVER['SERVER_NAME'] .'/Shibboleth.sso/Login',
    'idp_logout' => 'https://'. $_SERVER['SERVER_NAME'] .'/Shibboleth.sso/Logout',
    'local_logout' => 'saitswebuwm/shibboleth::local',
    'login_fail' => 'noauth',
    /*
    |--------------------------------------------------------------------------
    | IdP Emulation
    |--------------------------------------------------------------------------
    |
    | Allows you to emulate an IdP without setting up a test Shibboleth env.
    | Do NOT use this in production for any reason whatsoever.
    | You have been warned.
    |
    | YOU MUST USE FALSE AND NOT "FALSE" PHP CONVERTS ALL STRINGS EXCEPT "0" TO TRUE.
    |
    *//*
    'emulate_idp' => false,
    'emulate_idp_users' => array(
        'admin' => array(
            'uid' => 'admin',
            'displayName' => 'Admin User',
            'givenName' => 'Admin',
            'sn' => 'User',
            'mail' => 'admin@uwm.edu',
        ),
        'staff' => array(
            'uid' => 'staff',
            'displayName' => 'Staff User',
            'givenName' => 'Staff',
            'sn' => 'User',
            'mail' => 'staff@uwm.edu',
        ),
        'user' => array(
            'uid' => 'user',
            'displayName' => 'User User',
            'givenName' => 'User',
            'sn' => 'User',
            'mail' => 'user@uwm.edu',
        ),
    ),*/

    /*
    |--------------------------------------------------------------------------
    | Default Views
    |--------------------------------------------------------------------------
    |
    | Default views, to change to the views you made you can change the following
    | lines.
    |
    */
    'login_view' => 'shibboleth::local', // View that local users should use to login
    'shibboleth_view' => 'shibboleth::authorized', // View shibboleth users see after authenticating
    'default_view' => 'shibboleth::authorized', // View users see after authenticating
    'default_unauth' => 'shibboleth::unauthorized', // View users see when rejected
    /*
    |--------------------------------------------------------------------------
    | Defaults Settings
    |--------------------------------------------------------------------------
    |
    | Change these settings to the proper values for your idp.
    |
    */
    'local_login_user_field' => 'local_email', //post field used to get username
    'local_login_pass_field' => 'local_password', //post field used to get password
    'idp_login_email' => 'mail', //idp server variable for email address
    'idp_login_first' => 'givenName', //idp server variable for first name
    'idp_login_last' => 'sn', //idp server variable for last name
    'idp_login_cn' => 'cn', //commonName from idp
    /*
    |--------------------------------------------------------------------------
    | Groups Settings
    |--------------------------------------------------------------------------
    |
    | Change the group setting according to your database and program requirements.
    |
    */
    'shibboleth_group' => '1', // Default group ID shibboleth users will be added to

);

cjmaio commented 9 years ago

It seems to have the default shibboleth views instead of your own views. Which brings me to the question...

Did you run the following command? php artisan view:publish saitswebuwm/shibboleth

vcatlan commented 9 years ago

Well, yeah, because I was trying to follow the steps you guys provide. But anyway, I have something like this now in my routes.php:

Route::get('login', 'ShibbolethController@create');
Route::post('login', 'ShibbolethController@idpAuthorize');

The class ShibbolethController does not exist.

Am I missing something obvious?

vcatlan commented 9 years ago

Never mind the above question. Something that really confuses me is this: if I specify a location for shib to protect in the Apache configuration, it works and I get redirected to the idp. But if I use the ShibbolethController@create to redirect to the idp, it can't find the /Shibboleth.sso/Login. Again, is it something obvious that I'm missing?

michaeljs1990 commented 9 years ago

Does manually going to /Shibboleth.sso/Login on your server result in a login screen?

vcatlan commented 9 years ago

No, it does not. That's what really bugs me, because it should go to the login page. Currently I have a

<Location /secure>

in the Apache config that is protected by shib. If I manually go to /secure I see the idp login page. In routes.php I have something like this:

Route::get('/login', 'Saitswebuwm\Shibboleth\ShibbolethController@create');

In the ShibbolethController I have:

    public function create()
    {
        return Redirect::to(Config::get("$this->cpath.idp_login") . '?target=' . action($this->ctrpath . "idpAuthorize"));
    }

And the:

'idp_login' => 'https://'. $_SERVER['SERVER_NAME'] .'/Shibboleth.sso/Login',

cjmaio commented 9 years ago

If going to /Shibboleth.sso/Login doesn't give you a login page, that points to a mis-configuration of Shibboleth in Apache. This plugin depends on Shibboleth being setup properly in Apache.

Could we see the snippet of your Apache configuration?

vcatlan commented 9 years ago

Include "C:\opt\shibboleth-sp\etc\shibboleth\apache24.config"
UseCanonicalName On

...

ServerAdmin admin
ServerName my.hostname.com

<VirtualHost my.hostname.com:443>
    ServerName my.hostname.com
    DocumentRoot "points to my laravel public folder"

    <Directory "points to my laravel public folder">        
        Options Indexes FollowSymLinks Includes ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    SSLEngine On
    SSLCertificateFile points to my server certificate
    SSLCertificateKeyFile points to my server key
</VirtualHost>

<VirtualHost my.hostname.com:80>
    ServerName my.hostname.com
    DocumentRoot "points to my laravel public folder"

    <Directory "points to my laravel public folder">        
        Options Indexes FollowSymLinks Includes ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

In the apache24.config I just have:

#
# Load the Shibboleth module.
#
LoadModule mod_shib C:/opt/shibboleth-sp/lib64/shibboleth/mod_shib_24.so
#
# Turn this on to support "require valid-user" rules from other
# mod_authn_* modules, and use "require shib-session" for anonymous
# session-based authorization in mod_shib.
#
ShibCompatValidUser On

#
# Ensures handler will be accessible.
#
<Location /Shibboleth.sso>
  AuthType None
  Require all granted
  SetHandler shib
</Location>

#
# Used for example style sheet in error templates.
#
<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    AuthType None
    Require all granted
  </Location>
  Alias /shibboleth-sp/main.css C:/opt/shibboleth-sp/doc/shibboleth/main.css
</IfModule>

#
# Configure the module for content.
#
# You MUST enable AuthType shibboleth for the module to process
# any requests, and there MUST be a require command as well. To
# enable Shibboleth but not specify any session/access requirements
# use "require shibboleth".
#
<Location /secure>
  AuthType shibboleth
  ShibUseHeaders On
  ShibRequestSetting requireSession 1
  require shib-session
</Location>

cjmaio commented 9 years ago

What do you get currently when going to /Shibboleth.sso/Login?

I'm not super familiar with setting up Shibboleth on Windows, but I know for our Linux setup we do not need to specify the location Shibboleth.sso.

vcatlan commented 9 years ago

I get a NotFoundHttpException

Symfony \ Component \ HttpKernel \ Exception \ NotFoundHttpException

It feels like Laravel cannot find the /Shibboleth.sso/Login route?

cjmaio commented 9 years ago

Well that means that Laravel is getting your /Shibboleth.sso/Login routes... that's not good.

You need to setup a RewriteCond that ignores /Shibboleth.sso/* from passing into Laravel.

vcatlan commented 9 years ago

Right! I added this

RewriteCond %{REQUEST_URI} !^/Shibboleth.sso($|/)

in my .htaccess file and it worked. Thanks!

cjmaio commented 9 years ago

No problem! Closing.

vcatlan commented 9 years ago

I do have another quick question. The

private function getServerVariable($variableName)

can't find the idp server variables I declare in the shibboleth.php. And when I went to see the contents of the $_SERVER variable, none of the shib related variables are even there or set. Any idea why that might be?

cjmaio commented 9 years ago

You need to ensure that your:

AuthType shibboleth
Require shibboleth

is in the root directory of your application. That is the only place that those $_SERVER variables will appear.

vcatlan commented 9 years ago

You mean this?

<Location />
  AuthType shibboleth
  ShibUseHeaders On
  ShibRequestSetting requireSession 1
  require shibboleth
</Location>

If I do that, I get redirected to the idp twice when I try to access https://hostname/login

cjmaio commented 9 years ago

You can remove the Require shibboleth line and set ShibRequestSetting requireSession 0; then your application will need to check whether it is authenticated or not, using a filter for your routes or whatnot.

vcatlan commented 9 years ago

If I remove the "Require shibboleth" I do not get the shib related variables anymore. And changing to "ShibRequestSetting requireSession 0" does not redirect me to the idp twice, which is good. I do see the shib related variables twice in $_SERVER now. Is there a different way other than this?

<Location />
  AuthType shibboleth
  ShibUseHeaders On
  ShibRequestSetting requireSession 0
  Require shibboleth
</Location>

This means that every single route will be redirected to the idp. I will need to have some unprotected routes.

cjmaio commented 9 years ago

In our setup, we use the following configuration options. It will not redirect you to the IdP automatically; your application will have to take care of that.

AuthType shibboleth
Require shibboleth
ShibUseHeaders On
ShibRequireSession Off
ShibRequestSetting isPassive Off
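
Added here as an illustration, not code from the package or from anyone in this thread: a plain-PHP sketch of the check cjmaio describes, i.e. with ShibRequireSession Off the application itself decides per route whether a Shibboleth session exists and sends the browser to the SP login handler otherwise, which is also what removes the double redirect vcatlan saw. The config keys (idp_login, idp_login_email, idp_login_first, idp_login_last) and the Shib-Session-ID variable name come from the thread; the function names, the REDIRECT_ fallback and the sample $_SERVER contents are assumptions of the example.

```php
<?php
// Added example, not code from the package or from anyone in this thread.
// It shows, in plain PHP, what the application has to do once Apache is
// configured with "ShibRequireSession Off": detect whether the SP
// established a session, pull the attributes named in shibboleth.php,
// and otherwise send the browser to the SP login handler.
// Assumptions: mod_shib exposes attributes as environment variables, which
// PHP sees in $_SERVER, and Apache prefixes those names with REDIRECT_
// after an internal rewrite to index.php.

// Resolve one attribute from the server environment, accepting the
// REDIRECT_-prefixed copy that an internal redirect leaves behind.
// The HTTP_* header form produced by "ShibUseHeaders On" is deliberately
// not consulted: request headers can be supplied by the client, whereas
// environment variables are set only by the server module.
function shibServerVariable(array $server, string $name): ?string
{
    foreach ([$name, 'REDIRECT_' . $name] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    return null;
}

// With requireSession off, mod_shib sets Shib-Session-ID only when a
// session exists and otherwise passes the request through untouched.
function hasShibSession(array $server): bool
{
    return shibServerVariable($server, 'Shib-Session-ID') !== null;
}

// Map the attribute names from shibboleth.php to the fields the app stores.
// Returns null when there is no session or no usable identifier.
function shibUserFromServer(array $server, array $config): ?array
{
    if (!hasShibSession($server)) {
        return null;
    }
    $map = [
        'email' => 'idp_login_email',
        'first' => 'idp_login_first',
        'last'  => 'idp_login_last',
    ];
    $user = [];
    foreach ($map as $field => $configKey) {
        $user[$field] = shibServerVariable($server, $config[$configKey]);
    }
    return $user['email'] === null ? null : $user;
}

// Build the SP login URL with the return target, as the controller's
// create() does. Only a local path is accepted as target so the value
// cannot be turned into a redirect to another host.
function shibLoginUrl(array $config, string $target): string
{
    if ($target === '' || $target[0] !== '/' || substr($target, 0, 2) === '//') {
        $target = '/';
    }
    return $config['idp_login'] . '?target=' . urlencode($target);
}

// The decision a route filter would make for a protected route.
function guardRequest(array $server, array $config, string $target): array
{
    $user = shibUserFromServer($server, $config);
    if ($user === null) {
        return ['action' => 'redirect', 'to' => shibLoginUrl($config, $target)];
    }
    return ['action' => 'allow', 'user' => $user];
}

if (PHP_SAPI === 'cli') {
    // Constructed config and $_SERVER contents; not captured from a real host.
    $config = [
        'idp_login'       => 'https://my.hostname.com/Shibboleth.sso/Login',
        'idp_login_email' => 'mail',
        'idp_login_first' => 'givenName',
        'idp_login_last'  => 'sn',
    ];
    $anonymous = ['REQUEST_URI' => '/login'];
    $authenticated = [
        'REQUEST_URI'              => '/login',
        'REDIRECT_Shib-Session-ID' => '_0123456789abcdef',    // after the index.php rewrite
        'REDIRECT_mail'            => 'user@example.com',
        'REDIRECT_givenName'       => 'Example',
        'REDIRECT_sn'              => 'User',
        'HTTP_MAIL'                => 'spoofed@example.com',  // header form, ignored on purpose
    ];
    print_r(guardRequest($anonymous, $config, '/login'));
    print_r(guardRequest($authenticated, $config, '/login'));
    print_r(guardRequest($anonymous, $config, 'https://other.example/'));
}
```

Run it with php on the command line to see the three decisions: a redirect to the login handler, an allowed request carrying the mapped user, and a redirect whose foreign target was replaced by "/". Two related points from the configs shown earlier in this thread: because shibboleth.php builds idp_login from $_SERVER['SERVER_NAME'], the UseCanonicalName On in the Apache config matters, since it makes SERVER_NAME come from the ServerName directive rather than from the request's Host header; and the RewriteCond that keeps /Shibboleth.sso out of Laravel is what lets the target URL above reach the SP handler instead of the front controller.
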

vcatlan commented 9 years ago

That makes a lot of sense. Thank you for the help!