  • From: Olivier Salaün <address@concealed>
  • To: Christian Dahlhausen <address@concealed>
  • Cc: address@concealed
  • Subject: Re: [sympa-users] Shibboleth with multiple Sympa robots
  • Date: Thu, 06 May 2010 10:00:52 +0200

Hi Christian,

Part of your Shibboleth configuration sounds strange to me, see below. However, I don't think your issue on servername2.virginia.edu is related; the Shibboleth configuration for both hosts looks similar. Maybe that's an issue on the IdP side: is it configured to provide the required mail attribute to both SPs?

The SP misconfiguration I detected:
  • Your SP RequestMap configuration at the beginning should be set to requireSession="false"; otherwise Shibboleth authentication will be triggered on /sympa, thus disabling anonymous access to the service. Only /sympa/sso_login/incommon needs to be Shibboleth protected.
  • Your handlerURL attributes should look like /sympa/sso_login/incommon/Shibboleth.sso

PS: these Shibboleth configuration issues are a bit off-topic, so we can go on off-list if you still need support.

On 05/05/2010 21:18, Christian Dahlhausen wrote:
Olivier,
thanks for the quick response.

I looked at the Shibboleth/Sympa documentation; it should be all set. However, I am using Shibboleth 1.3. Here are some snippets of my configuration:

shibboleth.xml::
<Host name="server1.mail.virginia.edu">
    <Path name="secure" applicationId="default" authType="shibboleth" requireSession="true" exportAssertion="true"/>
    <Path name="sympa" applicationId="default" authType="shibboleth" requireSession="true" exportAssertion="true"/>
</Host>
<Host name="lists.virginia.edu" applicationId="sympa-lists">
    <Path name="secure" applicationId="sympa-lists" authType="shibboleth" requireSession="true" exportAssertion="true"/>
    <Path name="sympa" applicationId="sympa-lists" authType="shibboleth" requireSession="true" exportAssertion="true"/>
</Host>
[...]
<Application id="sympa"
             providerId="https://servername1.mail.virginia.edu/sympa"
             homeURL="https://servername1.mail.virginia.edu/sympa">
    <Sessions handlerURL="/Shibboleth.sso/incommon"
              handlerSSL="true"
              cookieProps="; path=/sympa; secure"
              checkAddress="false"
              lifetime="7200" timeout="3600"/>
</Application>
[...]
<Application id="sympa-lists"
             providerId="https://servername2.virginia.edu/sympa"
             homeURL="https://servername2.virginia.edu/sympa/sso_login/incommon">
    <Sessions handlerURL="/Shibboleth.sso/incommon"
              handlerSSL="true"
              cookieProps="; path=/sympa; secure"
              checkAddress="false"
              lifetime="7200" timeout="3600"/>
</Application>

auth.conf::
generic_sso
  service_name          NetBadge
  service_id            incommon
  http_header_prefix    HTTP_SHIB
  email_http_header     REMOTE_USER

Both Sympa robots are configured as https virtual hosts in a single wildcard host entry.

default-ssl::
<VirtualHost *:443>
    ServerName servername1.mail.virginia.edu
    DocumentRoot /var/www-ssl
[..]

    <Location /sympa/sso_login/incommon>
        AuthType shibboleth
        ShibRequireSession On
        require valid-user
        AddHandler fcgi-script .fcgi
        #ShibExportAssertion on
        #ShibApplicationID sympa-lists
    </Location>
</VirtualHost>

The Shibboleth login on servername1.mail.virginia.edu works just fine; servername2.virginia.edu, however, doesn't receive any REMOTE_USER info.

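To make Olivier's two corrections concrete, below is the quoted shibboleth.xml fragment with them applied: /sympa no longer requires a session, only /sympa/sso_login/incommon does, and the handlerURL moves under that protected path. This is an added example for this archived thread, not configuration posted by either author or shipped by the Sympa project. Host names, application ids and session parameters are copied from Christian's snippet; the nested Path layout is an assumption about how to express "only /sympa/sso_login/incommon is protected" in a Shibboleth SP 1.3 RequestMap, and the surrounding RequestMapProvider and default Application elements (not shown in the thread) are left unchanged.

```xml
<!-- Added example, not from the thread: Shibboleth SP 1.3 RequestMap and
     Application override with Olivier's two fixes applied. Host names,
     application ids and session parameters are copied from the quoted
     snippet; the nested Path layout is an assumption about how to protect
     only /sympa/sso_login/incommon while leaving the rest of /sympa public. -->
<RequestMap applicationId="default">
    <Host name="server1.mail.virginia.edu">
        <Path name="secure" applicationId="default" authType="shibboleth" requireSession="true" exportAssertion="true"/>
        <!-- requireSession="false": anonymous visitors of WWSympa are no longer
             redirected to the IdP just for opening /sympa. -->
        <Path name="sympa" applicationId="default" authType="shibboleth" requireSession="false">
            <!-- Only the Sympa SSO entry point forces a Shibboleth session;
                 the assertion is exported so Sympa can read the mail attribute. -->
            <Path name="sso_login">
                <Path name="incommon" authType="shibboleth" requireSession="true" exportAssertion="true"/>
            </Path>
        </Path>
    </Host>
    <Host name="lists.virginia.edu" applicationId="sympa-lists">
        <Path name="secure" applicationId="sympa-lists" authType="shibboleth" requireSession="true" exportAssertion="true"/>
        <Path name="sympa" applicationId="sympa-lists" authType="shibboleth" requireSession="false">
            <Path name="sso_login">
                <Path name="incommon" authType="shibboleth" requireSession="true" exportAssertion="true"/>
            </Path>
        </Path>
    </Host>
</RequestMap>

<!-- Both Application overrides from the thread get the same handlerURL change;
     only the one for the host that fails to receive REMOTE_USER is shown. -->
<Application id="sympa-lists"
             providerId="https://servername2.virginia.edu/sympa"
             homeURL="https://servername2.virginia.edu/sympa/sso_login/incommon">
    <!-- The handler now lives under the protected path and inside the
         path=/sympa cookie scope declared in cookieProps. -->
    <Sessions handlerURL="/sympa/sso_login/incommon/Shibboleth.sso"
              handlerSSL="true"
              cookieProps="; path=/sympa; secure"
              checkAddress="false"
              lifetime="7200" timeout="3600"/>
</Application>
```

A quick check after restarting shibd and Apache: fetching https://servername2.virginia.edu/sympa anonymously should return the Sympa home page without a redirect to the IdP, while https://servername2.virginia.edu/sympa/sso_login/incommon should redirect to the IdP and, on return, hand Sympa a REMOTE_USER value. If the second host still gets no REMOTE_USER, Olivier's other hint applies: the two SPs have different providerIds, so the IdP's attribute release policy has to release the mail attribute to https://servername2.virginia.edu/sympa as well as to the first SP.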