Subject: The mailing list for listmasters using Sympa
- From: Jérôme SITZ <address@concealed>
- To: "address@concealed" <address@concealed>
- Subject: [en@sympa] Issue with Shibboleth integration
- Date: Fri, 16 Jun 2023 10:15:06 +0000
Hello, I'm new to the Sympa application. The Sympa web interface is running with local identification, but I have issues with the Shibboleth integration. Here is my server configuration:
- OS: Debian 12
- Sympa: 6.2.70
- MariaDB: 10.11.3
- Apache: 2.4.57-2 with mod_ssl
- Shibboleth: libapache2-mod-shib 3.4.1 + shibboleth-sp-utils
Apache sympa.conf:
--------------
<IfModule mod_proxy_fcgi.c>
    Alias /static-sympa /usr/share/sympa/static_content
    <Directory /usr/share/sympa/static_content>
        Require all granted
    </Directory>

    Alias /css-sympa /var/lib/sympa/css
    <Directory /var/lib/sympa/css>
        Require all granted
    </Directory>

    Alias /pictures-sympa /var/lib/sympa/pictures
    <Directory /var/lib/sympa/pictures>
        Require all granted
    </Directory>

    <Location /wws>
        SetHandler "proxy:unix:/run/sympa/wwsympa.socket|fcgi://"
        Require all granted
    </Location>
</IfModule>
---------------------
Apache shib.conf:
----------------------
ShibCompatValidUser Off

<Location /Shibboleth.sso>
    AuthType None
    Require all granted
</Location>

<IfModule mod_alias.c>
    <Location /shibboleth-sp>
        AuthType None
        Require all granted
    </Location>
    Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
</IfModule>
-------------------------
Apache shib-sympa.conf:
--------------------------
<Location /wws/sso_login/xxx_sympa>
    AuthType shibboleth
    ShibRequestSetting requireSession true
    ShibRequestSetting applicationId app-sympa
    require shibboleth
    #require mail ~ @
</Location>
---------------------------
Sympa auth.conf:
---------------------------
# Authentication services for Sympa
generic_sso
    service_name        XX Login
    service_id          xxx_sympa
    http_header_list    mail
    email_http_header   mail

# Internal authentication by email and password
user_table
    regexp .*
--------------------------
Shibboleth2.xml:
--------------------------
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
    clockSkew="180">

    <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />

    <ApplicationDefaults entityID="https://my-sympa-domain-name.com/shibboleth"
        REMOTE_USER="eppn subject-id pairwise-id persistent-id"
        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">

        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
            checkAddress="false" handlerSSL="true" cookieProps="https"
            redirectLimit="exact">

            <SSO entityID="http://my-adfs-federation-server.com/adfs/services/trust">
                SAML2
            </SSO>

            <!-- SAML and local-only logout. -->
            <Logout>SAML2 Local</Logout>

            <!-- Administrative logout. -->
            <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />

            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

            <!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="xxx.xxx.xxx.xxx ::1"/>

            <!-- Session diagnostic service. -->
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>

            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <!-- Allows overriding of error template information/filenames. You can also add
             your own attributes with values that can be plugged into the templates, e.g.,
             helpLocation below. -->
        <Errors supportContact="address@concealed" helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/>

        <MetadataProvider type="XML" validate="false" path="FederationMetadata_xxx_Domain.xml"/>

        <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <!-- Simple file-based resolvers for separate signing/encryption keys. -->
        <CredentialResolver type="File" use="signing" key="sp-key.pem" certificate="sp-cert.pem"/>
        <CredentialResolver type="File" use="encryption" key="sp-key.pem" certificate="sp-cert.pem"/>

        <ApplicationOverride id="app-sympa" entityID="https://my-sympa-domain-name.com/wws">
            <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerSSL="true" cookieProps="https">
            </Sessions>
        </ApplicationOverride>

    </ApplicationDefaults>

    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>
----------------------------
Shibboleth attribute-map.xml:
---------------------------
Added these lines:
<Attribute name="mail" id="mail"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
---------------------------
If I try to connect to our federation server via the web: https://my-sympa-domain-name.com/shibboleth.sso/login
Here is my output in the log files:
shibd.log:
-----------------------------
INFO Shibboleth.SessionCache [3] [default]: new session created: ID (_c1cb51c3b578b925823a375e655f8db9) IdP (http://my-adfs-federation-server.com/adfs/services/trust) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (xxx.xxx.xxx.xxx)
--------------------------------
transaction.log:
-----------------------------
Shibboleth-TRANSACTION.AuthnRequest|||http://my-adfs-federation-server.com/adfs/services/trust||||||urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect||||||
Shibboleth-TRANSACTION.Login||_cc3e275ffbc017ea8674351ae3f8edbf|http://my-adfs-federation-server.com/adfs/services/trust|_c0963053-0d16-4ae6-83be-56f0dab7cf02|urn:federation:authentication:windows|2023-06-16T11:27:20|mail(1)|address@concealed|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||urn:oasis:names:tc:SAML:2.0:status:Success|||Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0|10.231.4.199
----------------------------------
As you can see, the mail address is passed correctly, and the connection between our ADFS server and the Shibboleth request on the Sympa server is successful.
But if I try to authenticate via Sympa (our company login button): https://my-sympa-domain-name.com/wws/sso_login/xxx_sympa/init I receive this error in sympa.log:
--------------------------------
2023-06-16T11:37:31.402071+02:00 my-sympa-domain-name.com wwsympa[27603]: debug main:: ORIG_PATH_INFO=
2023-06-16T11:37:31.403650+02:00 my-sympa-domain-name.com wwsympa[27603]: debug main:: ORIG_SCRIPT_NAME=/wws
2023-06-16T11:37:31.403701+02:00 my-sympa-domain-name.com wwsympa[27603]: debug main:: PATH_INFO=
2023-06-16T11:37:31.403733+02:00 my-sympa-domain-name.com wwsympa[27603]: debug main:: QUERY_STRING=
2023-06-16T11:37:31.403764+02:00 my-sympa-domain-name.com wwsympa[27603]: debug main:: REMOTE_ADDR=xxx.xxx.xxx.xxx
2023-06-16T11:37:31.403796+02:00 my-sympa-domain-name.com wwsympa[27603]: debug main:: REMOTE_HOST=
2023-06-16T11:37:31.403824+02:00 my-sympa-domain-name.com wwsympa[27603]: debug main:: REQUEST_METHOD=POST
2023-06-16T11:37:31.403856+02:00 my-sympa-domain-name.com wwsympa[27603]: debug main:: SCRIPT_NAME=/wws
2023-06-16T11:37:31.403890+02:00 my-sympa-domain-name.com wwsympa[27603]: debug main:: SERVER_NAME=my-sympa-domain-name.com
2023-06-16T11:37:31.403927+02:00 my-sympa-domain-name.com wwsympa[27603]: debug main:: SERVER_PORT=443
2023-06-16T11:37:31.403962+02:00 my-sympa-domain-name.com wwsympa[27603]: debug main:: SYMPA_DOMAIN=domain-name.com
2023-06-16T11:37:31.404594+02:00 my-sympa-domain-name.com wwsympa[27603]: debug Sympa::WWW::Session::new(domain-name.com, 02402992845851, sso_login)
2023-06-16T11:37:31.413100+02:00 my-sympa-domain-name.com wwsympa[27603]: info main::do_sso_login(xxx_sympa) [robot domain-name.com] [session 02402992845851] [client xxx.xxx.xxx.xxx]
2023-06-16T11:37:31.413337+02:00 my-sympa-domain-name.com wwsympa[27603]: info main::do_sso_login() [robot domain-name.com] [session 02402992845851] [client 10.231.4.199] POST request processing
2023-06-16T11:37:31.414782+02:00 my-sympa-domain-name.com wwsympa[27603]: info main::do_sso_login() [robot domain-name.com] [session 02402992845851] [client 10.231.4.199] Redirect user to https://my-sympa-domain-name.com/wws/sso_login/xxx_sympa/init
2023-06-16T11:37:31.414985+02:00 my-sympa-domain-name.com wwsympa[27603]: debug Sympa::WWW::Session::set_cookie(Sympa::WWW::Session, localhost, session, 1)
2023-06-16T11:37:31.415631+02:00 my-sympa-domain-name.com wwsympa[27603]: debug Sympa::WWW::Session::store()
2023-06-16T11:37:31.443004+02:00 my-sympa-domain-name.com wwsympa[27600]: debug main:: ORIG_PATH_INFO=/sso_login/xxx_sympa/init
2023-06-16T11:37:31.443090+02:00 my-sympa-domain-name.com wwsympa[27600]: debug main:: ORIG_SCRIPT_NAME=/wws
2023-06-16T11:37:31.443127+02:00 my-sympa-domain-name.com wwsympa[27600]: debug main:: PATH_INFO=/sso_login/xxx_sympa/init
2023-06-16T11:37:31.443167+02:00 my-sympa-domain-name.com wwsympa[27600]: debug main:: QUERY_STRING=
2023-06-16T11:37:31.443197+02:00 my-sympa-domain-name.com wwsympa[27600]: debug main:: REMOTE_ADDR=xxx.xxx.xxx.xxx
2023-06-16T11:37:31.443226+02:00 my-sympa-domain-name.com wwsympa[27600]: debug main:: REMOTE_HOST=
2023-06-16T11:37:31.443255+02:00 my-sympa-domain-name.com wwsympa[27600]: debug main:: REQUEST_METHOD=GET
2023-06-16T11:37:31.443284+02:00 my-sympa-domain-name.com wwsympa[27600]: debug main:: SCRIPT_NAME=/wws
2023-06-16T11:37:31.443313+02:00 my-sympa-domain-name.com wwsympa[27600]: debug main:: SERVER_NAME=my-sympa-domain-name.com
2023-06-16T11:37:31.443353+02:00 my-sympa-domain-name.com wwsympa[27600]: debug main:: SERVER_PORT=443
2023-06-16T11:37:31.443387+02:00 my-sympa-domain-name.com wwsympa[27600]: debug main:: SYMPA_DOMAIN=domain-name.com
2023-06-16T11:37:31.443973+02:00 my-sympa-domain-name.com wwsympa[27600]: debug main::_split_params() [robot domain-name.com] [client xxx.xxx.xxx.xxx] Incoming parameter: auth_service_name=xxx_sympa
2023-06-16T11:37:31.444053+02:00 my-sympa-domain-name.com wwsympa[27600]: debug main::_split_params() [robot domain-name.com] [client xxx.xxx.xxx.xxx] Incoming parameter: subaction=init
2023-06-16T11:37:31.444089+02:00 my-sympa-domain-name.com wwsympa[27600]: debug main::_split_params() [robot domain-name.com] [client xxx.xxx.xxx.xxx] Incoming parameter: email=
2023-06-16T11:37:31.444149+02:00 my-sympa-domain-name.com wwsympa[27600]: debug main::_split_params() [robot domain-name.com] [client xxx.xxx.xxx.xxx] Incoming parameter: ticket=
2023-06-16T11:37:31.444734+02:00 my-sympa-domain-name.com wwsympa[27600]: debug Sympa::WWW::Session::new(domain-name.com, 02402992845851, sso_login)
2023-06-16T11:37:31.454592+02:00 my-sympa-domain-name.com wwsympa[27600]: info main::do_sso_login(xxx_sympa) [robot domain-name.com] [session 02402992845851] [client xxx.xxx.xxx.xxx]
2023-06-16T11:37:31.538022+02:00 my-sympa-domain-name.com wwsympa[27600]: notice Sympa::Spindle::ProcessTemplate::_twist() Processing Sympa::Message::Template address@concealed,8087; address@concealed; address@concealed; recipients=ARRAY; address@concealed; template=listmaster_notification; type=web_intern_error; action="sso_login
2023-06-16T11:37:31.539975+02:00 my-sympa-domain-name.com wwsympa[27600]: notice Sympa::Spool::Outgoing::store() Message Sympa::Message::Template address@concealed,8087 is stored into bulk spool as address@concealed,27600,3311
2023-06-16T11:37:31.540162+02:00 my-sympa-domain-name.com wwsympa[27600]: err main::#1557 > main::do_sso_login#3601 [robot domain-name.com] [session 02402992845851] [client xxx.xxx.xxx.xxx] User could not be identified, no mail HTTP header set
2023-06-16T11:37:31.546184+02:00 my-sympa-domain-name.com wwsympa[27600]: info main::do_home() [robot domain-name.com] [session 02402992845851] [client xxx.xxx.xxx.xxx]
2023-06-16T11:37:31.546610+02:00 my-sympa-domain-name.com wwsympa[27600]: debug Sympa::WWW::Session::store()
2023-06-16T11:37:31.547995+02:00 my-sympa-domain-name.com wwsympa[27600]: debug Sympa::WWW::Session::set_cookie(Sympa::WWW::Session, localhost, , 1)
2023-06-16T11:37:32.407966+02:00 my-sympa-domain-name.com bulk[27592]: notice Sympa::Spindle::ProcessOutgoing::_twist() Start sending message Sympa::Message <1.5.1686908251.1686908251.538685.sympa@domain-name.com_s,27600,3311/s> to domain-name.com (priority 1) (starting 1 seconds after scheduled expedition date)
2023-06-16T11:37:32.711519+02:00 my-sympa-domain-name.com bulk[27592]: notice Sympa::Mailer::store() Done sending message Sympa::Message address@concealed,27600,3311/s for domain-name.com (priority 1) in 1 seconds since scheduled expedition date
--------------------------------
In other words, there is no direct interaction with Shibboleth; no "mail" attribute is transferred between Sympa and Shibboleth. I have nothing in the Shibboleth logs. What am I doing wrong? Thank you for your help.
Kind regards
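The transaction.log records quoted in the message are written with the tranLogFormat from the posted shibboleth2.xml, so their pipe-separated fields can be mapped back to the format tokens and checked mechanically. The Python below is an added example for readers of this archive page; it is not code from the original message, from Sympa or from the Shibboleth project. It parses Login records in that exact 15-field layout, reports whether the IdP answered with a SAML Success status and whether the attribute that the posted auth.conf names in email_http_header (mail) was released into the SP session, and exposes the %u (REMOTE_USER) field, which is empty in the posted Login record because none of the attributes listed in ApplicationDefaults REMOTE_USER= came back from ADFS. The log lines inside the block are constructed to match the shape shown in the message; the address, the IDs and the third record are placeholders. The script only sees what shibd recorded: a released attribute still has to reach wwsympa as the variable Sympa reads, and that hand-off is not visible in transaction.log.

```python
"""Check Shibboleth SP transaction-log Login records against what Sympa's
generic_sso needs.  Added example for this archive page; not code from the
original message, from Sympa or from the Shibboleth project.  Sample lines
below are constructed in the shape the message shows; IDs, the address and
the third record are placeholders."""
import re

# Token order copied from the posted <OutOfProcess tranLogFormat="..."/>.
TRAN_LOG_FORMAT = "%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a"
TOKENS = TRAN_LOG_FORMAT.split("|")  # 15 fields; the ones read below:
# %u REMOTE_USER, %s session ID, %IDP IdP entityID, %attr released attributes
# as id(count), %S SAML status, %a client address.  Other tokens are kept
# under their own names in the parsed dict.

SAML_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Posted auth.conf: email_http_header mail
SYMPA_EMAIL_ATTR = "mail"

_RECORD = re.compile(r"Shibboleth-TRANSACTION\.(\w+)\|(.*)$")


def parse_transaction_line(line):
    """Return (event, {token: value}) or None for non-transaction lines.
    Real shibd output prefixes each line with date and level; the message
    shows lines without them, so the parser anchors on the marker instead."""
    m = _RECORD.search(line.rstrip("\n"))
    if not m:
        return None
    event, values = m.group(1), m.group(2).split("|")
    if len(values) != len(TOKENS):
        raise ValueError(f"expected {len(TOKENS)} fields, got {len(values)}: {line!r}")
    return event, dict(zip(TOKENS, values))


def released_attributes(attr_field):
    """%attr is a comma-separated list of id(valuecount), e.g. 'eppn(1),mail(2)'."""
    out = {}
    for item in attr_field.split(","):
        m = re.fullmatch(r"\s*(.+?)\((\d+)\)\s*", item)
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def check_login(record, required_attr=SYMPA_EMAIL_ATTR):
    """Summarise one Login record: did the IdP answer Success, and was the
    attribute Sympa reads actually released into the SP session?"""
    event, f = record
    if event != "Login":
        raise ValueError(f"not a Login record: {event}")
    attrs = released_attributes(f["%attr"])
    return {
        "session": f["%s"],
        "idp": f["%IDP"],
        "client": f["%a"],
        "status_ok": f["%S"] == SAML_SUCCESS,
        "released": sorted(attrs),
        "attr_released": attrs.get(required_attr, 0) > 0,
        # Empty whenever none of the attributes listed in ApplicationDefaults
        # REMOTE_USER= (eppn subject-id pairwise-id persistent-id in the
        # posted config) came back; the posted auth.conf reads mail, not this.
        "remote_user": f["%u"],
    }


def audit_logins(log_text, required_attr=SYMPA_EMAIL_ATTR):
    """Run check_login over every Login record in a transaction.log dump."""
    results = []
    for line in log_text.splitlines():
        rec = parse_transaction_line(line)
        if rec and rec[0] == "Login":
            results.append(check_login(rec, required_attr))
    return results


# Constructed sample: the two records from the message (address replaced)
# plus a made-up Login in which the IdP released eppn but not mail.
SAMPLE_LOG = """\
Shibboleth-TRANSACTION.AuthnRequest|||http://my-adfs-federation-server.com/adfs/services/trust||||||urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect||||||
Shibboleth-TRANSACTION.Login||_cc3e275ffbc017ea8674351ae3f8edbf|http://my-adfs-federation-server.com/adfs/services/trust|_c0963053-0d16-4ae6-83be-56f0dab7cf02|urn:federation:authentication:windows|2023-06-16T11:27:20|mail(1)|user@example.org|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||urn:oasis:names:tc:SAML:2.0:status:Success|||Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0|10.231.4.199
Shibboleth-TRANSACTION.Login||_0123456789abcdef0123456789abcdef|http://my-adfs-federation-server.com/adfs/services/trust|_00000000-0000-4000-8000-000000000000|urn:federation:authentication:windows|2023-06-16T11:40:02|eppn(1)|someone@example.org|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||urn:oasis:names:tc:SAML:2.0:status:Success|||Mozilla/5.0|10.231.4.199
"""

if __name__ == "__main__":
    for r in audit_logins(SAMPLE_LOG):
        verdict = "OK" if r["status_ok"] and r["attr_released"] else "PROBLEM"
        print(f"{verdict} session={r['session']} released={r['released']} "
              f"remote_user={r['remote_user'] or '(empty)'}")
```

To use it on a live SP, read /var/log/shibboleth/transaction.log (path assumed; Debian's package default) and pass the text to audit_logins(); the date and level prefix on real lines is tolerated. A record that shows status Success but an empty "released" list points at attribute release or attribute-map.xml on the SP side, whereas a record like the posted one, with mail(1) released, means the remaining gap is between mod_shib and the FastCGI process.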
- [en@sympa] Issue with Shibboleth integration, Jérôme SITZ, 06/16/2023
- Re: [en@sympa] Issue with Shibboleth integration, IKEDA Soji, 06/18/2023
  - RE: [en@sympa] Issue with Shibboleth integration, Jérôme SITZ, 06/19/2023
- Re: [en@sympa] Issue with Shibboleth integration, IKEDA Soji, 06/18/2023