Closed danielc103 closed 4 years ago
Your symptoms are those of Shibboleth failing to match incoming requests — allowing access without being prompted for login with requireSession=true.
For your <Host> configuration, this needs to be your hostname and not the URL (see https://wiki.shibboleth.net/confluence/display/SP3/HowToRequestMap for an example), and you'll probably require a <Path> element in this configuration as well to define which path should be protected by Shib. The docs for <Host> (https://wiki.shibboleth.net/confluence/display/SP3/Host) are unclear on what happens if you don't have Path, PathRegex, or Query present and I've never had a config without one.
Lastly, your <Sessions handlerURL="..."> needs to match what you have in your Nginx configuration — by default it's /Shibboleth.sso but in your config it'd need to be /saml or whatever your env variable is at that point; in short, it needs to be the same as what you've got the location block set for shibresponder.
There might be other issues but since this is a configuration/setup issue rather than a bug with this nginx module, ask any further questions over at the support mailing list https://www.shibboleth.net/community/lists/. Thanks!
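The three checks from the comment above (hostname-only `<Host name>`, a `Path`/`PathRegex`/`Query` child, and a `handlerURL` path that has a matching shibresponder `location`), as an added example that is not part of the original thread or of the module's code. Both config samples, the `app.example.org` hostname and the socket path are constructed for illustration, and the nginx matching is a simple regex that only handles flat `location` blocks:

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample inputs (hypothetical values, not the poster's real files).
SHIB_XML = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <RequestMapper type="XML"><RequestMap>
    <Host name="https://app.example.org/" authType="shibboleth" requireSession="true"/>
  </RequestMap></RequestMapper>
  <ApplicationDefaults entityID="https://app.example.org/shibboleth">
    <Sessions handlerURL="https://app.example.org/saml" handlerSSL="true"/>
  </ApplicationDefaults>
</SPConfig>"""

NGINX_CONF = """
location /Shibboleth.sso {
    include fastcgi_params;
    fastcgi_pass unix:/opt/shibboleth/shibresponder.sock;
}
"""

def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def responder_locations(nginx_conf):
    """Paths of flat location blocks whose body mentions shibresponder."""
    blocks = re.findall(r"location\s+(?:[=^~*]+\s+)?(\S+)\s*\{([^}]*)\}", nginx_conf)
    return [path for path, body in blocks if "shibresponder" in body]

def check(shib_xml, nginx_conf):
    """Return a list of mismatches between shibboleth2.xml and the nginx config."""
    findings = []
    for el in ET.fromstring(shib_xml).iter():
        name = local(el.tag)
        if name == "Host":
            host = el.get("name", "")
            if "://" in host or "/" in host:
                findings.append(f"Host name {host!r} is a URL, not a hostname")
            # Advisory only: the comment above recommends always having one of these.
            if not any(local(c.tag) in ("Path", "PathRegex", "Query") for c in el):
                findings.append(f"Host {host!r} has no Path/PathRegex/Query child")
        elif name == "Sessions":
            # An absolute handlerURL still has to map to the nginx responder path.
            handler = urlparse(el.get("handlerURL", "/Shibboleth.sso")).path
            if handler not in responder_locations(nginx_conf):
                findings.append(f"handlerURL path {handler!r} has no shibresponder location")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SHIB_XML, NGINX_CONF)) or "no mismatches found")
```
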
The configs above that I gave had variables that can be set so the handlerURL was correct, it was /Shibboleth.sso. If that was incorrect I would get a 404 error on the nginx side, not a "FastCGI Shibboleth responder should only be used for Shibboleth protocol requests." error. The original host name was removed and I accidentally copied and pasted the URL. All corrected above. As far as the path goes, again, I'm hitting the desired path of root which is allowed in shibboleth settings. I've also changed to /secure and get the same behavior.
I was more alluding to the issue of why port 8443 just allows access and does not take me to the login screen, while port 8080 takes me to the login screen but throws the "FastCGI Shibboleth responder should only be used for Shibboleth protocol requests." error.
I needed to add an absolute handlerURL because I can not expose ports on OpenShift routes and Shibboleth config generates the ACS from scheme+vhost+port. This would fail as there is no way to reach this. However, once I hard-coded the handlerURL, the ACS gets through.
I assumed the issue at this point was that the handlerURL was https so it was expecting a secure connection, and after reading the issues regarding the above-mentioned Shibboleth error, I changed the port to 8443 and implemented SSL on that port to no avail.
Description of Issue/Question
Question/Help
Trying to deploy nginx-shib setup in OpenShift. Running into two issues when trying to access a generic site served by the nginx service.
I get the "FastCGI Shibboleth responder should only be used for Shibboleth protocol requests." using port 8080 on nginx. This happens when handlerSSL is true or false.
Shib service allows access to site without login or SAML calls at all when using port 8443.
I'm using absolute handler value to trick Shib for assertion redirect url. I can expose non-standard ports on routes in OpenShift.
I am not at all an expert at Shibboleth or Nginx, any help would be greatly appreciated.
Setup
Versions and Systems