IRC log for #shibboleth, 2016-07-19

All times shown according to UTC.

Time Nick Message
01:48 ilbot3 joined ##shibboleth
12:08 mckeanbs joined ##shibboleth
14:32 cyberlard joined ##shibboleth
16:27 bricas joined ##shibboleth
16:42 bricas hey y'all. i'm trying to get a shib sp setup on ubuntu but it doesn't seem to be passing any variables back to my app (specifically Shib-Identity-Provider for starters) anyone have any clues as to where i might start debugging this?
16:44 pdurbin cyberlard discopatrick dstanek mckeanbs misilot srg: I asked bricas to ask in here since he's using Ubuntu and I use CentOS.
16:48 mckeanbs You're trying to get the SP to pass environment variables to an application?
16:49 bricas i should mention i'm a total shib neophyte, so apologies if i don't have the mechanics quite correct. :)
16:50 cyberlard how are you testing? against http://www.testshib.org/ ?
16:51 cyberlard mckeanbs: ^
16:51 bricas mckeanbs: so, i'm using testshib.org as my idp, and it seems to auth just fine, but when i come back to the app (which is dataverse, btw [dataverse.org]) it complains that the assertion for "Shib-Identity-Provider" is null
16:51 cyberlard er
16:51 cyberlard bricas, sorry mckeanbs
16:51 bricas i have apache setup with mod_shib as a front-end proxy to glassfish which runs the dataverse app
16:52 pdurbin I'm a Dataverse developer and I worked on the Shib support. We instruct users to add attributePrefix="AJP_" to /etc/shibboleth/shibboleth2.xml to get it working (which bricas has done already).
16:52 cyberlard do you have logging set up? check /var/log/shibboleth
16:52 bricas cyberlard: yep, testshib.org -- i originally had my institution as the idp but switched to testshib and got the same error
16:53 bricas cyberlard: i indeed do have logs
16:53 cyberlard pretty much all of them should be helpful
16:54 srg oh sweet. I didn't know about testshib.org. That's so helpful.
16:54 cyberlard transaction.log should contain the attributes being sent
16:54 mckeanbs Hmm, can't say I've done anything beyond just printing attributes received in php. We only run identity providers in production, with the service provider just for testing the identity provider.
16:54 cyberlard if any
16:55 cyberlard then shibd.log might contain some useful errors
16:55 cyberlard and the WARN log will warn if anything smells funky
16:58 bricas i've quickly tail'ed everything in /var/log/shibboleth and got this: https://nopaste.me/view/1b6825a5
17:01 pdurbin bricas: looks pretty similar to what I see after a successful shib login to a Dataverse server: https://paste.fedoraproject.org/392586/47678146/
17:04 bricas so it seems shib is getting all the value, but not sending them through to dataverse?
17:04 bricas *values
17:04 pdurbin yeah
17:06 pdurbin bricas: if you want to troubleshoot a non-Dataverse Java webapp that also uses AJP you could play around with this simple proof of concept app: https://github.com/dvn/shibpoc/tree/master/java/shibsppoc
17:30 bricas pdurbin: if i manually set an AJP_FOO env variable, should it show up in the dataverse debug?
17:31 pdurbin good question. dunno
17:42 pdurbin it "just works" on CentOS :)
17:43 bricas of course. :P
17:44 pdurbin it would be awesome to crack this nut though. I like to think it should work on Ubuntu too
17:46 bricas agreed.
17:58 bricas WOA.
17:58 bricas HOLD THE PHONE
17:59 bricas i think i have it.
17:59 bricas switching to my main idp for one last test.
18:00 bricas bingo!
18:01 pdurbin bricas: what was it?
18:02 bricas the key to everything, ensure <Location />Require all granted</Location> is *before* all the proxy pass stuff
18:03 bricas sigh. so dumb.
18:04 pdurbin huh. at http://guides.dataverse.org/en/4.4/installation/shibboleth.html#edit-apache-ssl-conf-file I say to put "ProxyPass / ajp://localhost:8009/" *before* "<Location /shib.xhtml>"
18:04 pdurbin which works fine on CentOS
18:07 bricas https://nopaste.me/view/8d927537
18:11 pdurbin oh a *different* Location block
18:13 pdurbin yeah, that doesn't even exist in /etc/httpd/conf.d/ssl.conf on CentOS
19:49 misilot joined ##shibboleth
20:12 misilot joined ##shibboleth
23:37 bschip joined ##shibboleth
23:38 bschip my SP is saying they are not receiving any attributes. I have double checked my attribute resolver and attribute filter files. How can I troubleshoot this?
