rmoreas / ShibbolethBundle

Symfony 2 bundle for shibboleth authentication
GNU Lesser General Public License v3.0

Infinite Loop #13

Closed axel9fr closed 10 years ago

axel9fr commented 10 years ago

Hi,

I have followed the bundle install and the configuration, but I have a bug. My application speaks with the federation IdP, but the response is not read by the bundle. So when an unauthenticated user clicks on the secure link, my application redirects the unauthenticated user to Shibboleth, and this one redirects to the CAS service. The user is now authenticated by the CAS service and returns to Shibboleth, and this one redirects to my application. But... the bundle doesn't find that the user is authenticated in the $request, and my application redirects to Shibboleth. The user is already authenticated in Shibboleth and.... redirects to my application.

So it's giving an infinite loop...

The IdP sends the information that I need (I have done some tests), but the bundle cannot catch it.

I have tried to look in ShibbolethListener.php, in the handle() function, but the code cannot pass the:

"if (!$this->shibboleth->isAuthenticated($request)) { return; }"

What can I do to catch the Shibboleth parameters in the $request on return from the federation web site, please?

rmoreas commented 10 years ago

There are 3 possible causes I can think of:

  1. The redirect to the application after sign-on is to http while the shibboleth session is only available on https (check your shibboleth2.xml)
  2. The Apache Shib configuration for passing attributes to the application is not matching the configuration of the ShibBundle (see the ShibUseHeaders Apache setting and the use_headers setting of the bundle)
  3. The Shibboleth Service class (see Service/Shibboleth.php) looks for the attribute Shib-Identity-Provider to know if there is an active shibboleth session. Maybe this one is missing in your environment?
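
An added diagnostic to illustrate causes 2 and 3 above; this is not code from ShibbolethBundle or its author. It assumes only the attribute name Shib-Identity-Provider and the option name use_headers named in the comment above; the sample $_SERVER arrays and the IdP URL are constructed. It shows the two key shapes under which Apache hands a Shibboleth attribute to PHP, and why a bundle configured for the wrong one sees no session and redirects to the SP again.

```php
<?php
// Added diagnostic, not part of ShibbolethBundle. It mirrors the two ways a
// Shibboleth SP behind Apache exposes attributes to PHP, so you can check which
// lookup your server actually satisfies before suspecting the firewall listener.
//
// Assumptions (labelled): the attribute the bundle keys on is
// Shib-Identity-Provider and the bundle option is use_headers (both named in the
// thread); the sample $_SERVER contents below are constructed.

declare(strict_types=1);

/**
 * Resolve a Shibboleth attribute from $_SERVER the way Apache exposes it.
 *
 * - ShibUseHeaders Off (default): mod_shib exports attributes as environment
 *   variables, so PHP sees $_SERVER['Shib-Identity-Provider'] verbatim.
 * - ShibUseHeaders On: attributes are injected as request headers, which the
 *   CGI convention renames to $_SERVER['HTTP_SHIB_IDENTITY_PROVIDER'].
 */
function shibAttribute(array $server, string $name, bool $useHeaders): ?string
{
    $key = $useHeaders
        ? 'HTTP_' . strtoupper(str_replace('-', '_', $name))
        : $name;

    $value = $server[$key] ?? null;
    return ($value === null || $value === '') ? null : $value;
}

/** The check the thread describes: a session exists iff Shib-Identity-Provider is visible. */
function hasShibSession(array $server, bool $useHeaders): bool
{
    return shibAttribute($server, 'Shib-Identity-Provider', $useHeaders) !== null;
}

/** Report which use_headers value matches the running server. */
function diagnose(array $server): string
{
    $env = hasShibSession($server, false);
    $hdr = hasShibSession($server, true);
    if ($env && !$hdr) {
        return 'attributes arrive as environment variables: set use_headers to false';
    }
    if ($hdr && !$env) {
        return 'attributes arrive as HTTP headers: set use_headers to true';
    }
    if ($env && $hdr) {
        return 'both key shapes present: either setting works';
    }
    return 'no Shib-Identity-Provider visible: no SP session reached PHP '
         . '(check the https scheme of the return URL, the handler, and shibboleth2.xml)';
}

// Constructed sample in the shape of the attribute dump posted later in this thread
// (environment-variable mode, ShibUseHeaders Off).
$sampleEnv = [
    'Shib-Identity-Provider' => 'https://idp.example.org/idp/shibboleth', // constructed value
    'eppn'                   => 'someone@example.org',                     // constructed value
    'HTTPS'                  => 'on',
];
echo diagnose($sampleEnv), PHP_EOL;

// The same session with ShibUseHeaders On. A bundle left at use_headers: false
// looks for the wrong key, sees no session, and sends the browser back to the SP:
// the loop described in the issue.
$sampleHdr = ['HTTP_SHIB_IDENTITY_PROVIDER' => 'https://idp.example.org/idp/shibboleth'];
echo diagnose($sampleHdr), PHP_EOL;
echo hasShibSession($sampleHdr, false) ? 'session seen' : 'session NOT seen -> redirect loop', PHP_EOL;
```

Run it under the same Apache vhost as the application (or paste the real $_SERVER into the arrays) and the first output line tells you which use_headers value to set. The Shibboleth SP documentation recommends the environment-variable mode where possible, since header-based passing relies on the SP stripping client-supplied headers of the same names; keeping use_headers false therefore also keeps the smaller trust surface.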
axel9fr commented 10 years ago

Thx for your answer :)

For the first cause, I had this one, but I have switched my Apache to https. I don't think it's this cause.

Tomorrow I will look at 2) and 3).

If it's 3), how can I change the attribute name to match the response of my IdP?

axel9fr commented 10 years ago

I have tested the Shibboleth response and it gives these attributes:

$_SERVER: Shib-Application-ID, Shib-Session-ID, Shib-Identity-Provider, Shib-Authentication-Instant, Shib-Authentication-Method, Shib-AuthnContext-Class, UmlvFoad, eppn, givenName, mail, sn, supannEmpId, supannOrganisme, uid, HTTPS

So I have the Shib-Identity-Provider that gives the URL of the federation... So it's not cause 3), I think :(

Can you give me more information about cause 2)? I don't understand what you mean by the "use_headers setting". :/

axel9fr commented 10 years ago

I have found the cause of my problem. It was the config in Apache.

Now I move on to step 2, the userProvider. Thx for your help ;)

rmoreas commented 10 years ago

Good for you :-)