en - Re: [en@sympa] New Sympa build is unable to process Shibboleth SSO session from OKTA

Subject: The mailing list for listmasters using Sympa

  • From: Mickey Bowling <address@concealed>
  • To: IKEDA Soji <address@concealed>
  • Cc: "address@concealed" <address@concealed>
  • Subject: Re: [en@sympa] New Sympa build is unable to process Shibboleth SSO session from OKTA
  • Date: Tue, 13 Aug 2024 15:37:17 -0700

Hi Soji,

Thanks for taking a look at this.  The config files are below and the logs have been attached.

> How have you configured them? Please provide specific details of the configuration for OKTA, Shibboleth SP, Apache HTTP Server and Sympa.  Please be specific — not just writing "I set it up exactly as the documents say".

##############################################################################
OKTA: created a custom SAML 2.0 app integration and assigned the application to myself and some testers.  The settings were applied below and the remaining values were left as default.
##############################################################################
Name ID format: Persistent
Application username: Okta username
Attribute Statements: Name: emailAddress; Name format: Basic; Value: user.login
##############################################################################


##############################################################################
Sympa config: /etc/sympa/sympa.conf
##############################################################################
domain              list.company.com
listmaster          address@concealed
lang                en-US

db_type              PostgreSQL
db_name              sympa
db_host              localhost
db_port              5432
db_user              sympauser
db_passwd            some_password$

syslog              LOCAL1
log_socket_type     unix
log_level           2

sendmail_aliases     /etc/sympa/sympa_transport
aliases_program      postmap
aliases_db_type      hash
##############################################################################


##############################################################################
Sympa Auth: /etc/sympa/auth.conf
##############################################################################
generic_sso
    service_name        Okta Login
    service_id          shibokta
    http_header_list    mail
    email_http_header   mail
    logout_url          https://company.okta.com
##############################################################################


##############################################################################
Shibboleth SP: /etc/httpd/conf.d/shib.conf
##############################################################################
ShibCompatValidUser Off

<Location /Shibboleth.sso>
  AuthType None
  Require all granted
</Location>

<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    AuthType None
    Require all granted
  </Location>
  Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
</IfModule>
##############################################################################


##############################################################################
Sympa Httpd Config: /etc/httpd/conf.d/sympa.conf
##############################################################################
LoadModule alias_module modules/mod_alias.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so

<IfModule mod_proxy_fcgi.c>
    <Location /sympa>
        SetHandler "proxy:unix:/var/run/sympa/wwsympa.socket|fcgi://localhost"
        Require all granted
    </Location>
</IfModule>

<Location "/static-sympa/css">
    Require all granted
</Location>

<Location "/static-sympa/pictures">
    Require all granted
</Location>

<Location /sympa/sso_login/shibokta>
    AuthType shibboleth
    ShibRequestSetting requireSession true
    ShibRequestSetting applicationId app-sympa
    require shibboleth
</Location>

<Location /static-sympa>
    Require all granted
</Location>
Alias /static-sympa/css /var/lib/sympa/css
Alias /static-sympa/pictures /var/lib/sympa/pictures
Alias /static-sympa /usr/share/sympa/static_content

RewriteEngine on
RewriteRule ^/?$ /sympa [R=301]
##############################################################################


##############################################################################
Apache Httpd Config: /etc/httpd/conf/httpd.conf
##############################################################################
ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf

User apache
Group apache

ServerAdmin root@localhost

<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "/var/www/html"

<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "logs/error_log"

LogLevel warn

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    TypesConfig /etc/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>

AddDefaultCharset UTF-8

<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>

EnableSendfile on

<IfModule mod_http2.c>
    Protocols h2 h2c http/1.1
</IfModule>

IncludeOptional conf.d/*.conf

<VirtualHost *:80>
ServerName list.company.com

ServerSignature Off

ErrorLog /var/log/httpd/redirect.error.log
LogLevel warn
RewriteEngine on
RewriteCond %{SERVER_NAME} =list.company.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
##############################################################################


##############################################################################
Shibboleth SP: /etc/shibboleth/shibboleth2.xml 
##############################################################################

<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
    clockSkew="180">

    <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />

    <ApplicationDefaults entityID="https://list.company.com/sympa"
        REMOTE_USER="eppn subject-id pairwise-id persistent-id"
        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">

        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="true" cookieProps="https"
                  redirectLimit="exact">

            <SSO entityID="http://www.okta.com/xxxxxxxxxxxxxxxxxxxx"
                 discoveryProtocol="SAMLDS" discoveryURL="https://company.okta.com/app/company_sympasaml_1/xxxxxxxxxxxxxxxxxxxx/sso/saml">
                SAML2 SAML1
            </SSO>

            <Logout>SAML2 Local</Logout>
            <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status"/>
            <Handler type="Session" Location="/Session" showAttributeValues="true"/>
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <Errors supportContact="root@localhost"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

        <MetadataProvider type="XML" path="/etc/shibboleth/okta-metadata.xml">
        </MetadataProvider>

        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <CredentialResolver type="File" use="signing"
            key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
        <CredentialResolver type="File" use="encryption"
            key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>

        <ApplicationOverride id="app-sympa" entityID="https://list.company.com/sympa">
            <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerSSL="true" cookieProps="https">
                <SSO discoveryProtocol="SAMLDS" discoveryURL="https://company.okta.com/app/company_sympasaml_1/xxxxxxxxxxxxxxxxxxxx/sso/saml">
                    SAML2 SAML1
                </SSO>
            </Sessions>
        </ApplicationOverride>
    </ApplicationDefaults>

    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>


##############################################################################


##############################################################################
Shibboleth attribute-map.xml: /etc/shibboleth/attribute-map.xml
##############################################################################
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Attribute name="urn:oasis:names:tc:SAML:attribute:subject-id" id="subject-id">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>
  
    <Attribute name="urn:oasis:names:tc:SAML:attribute:pairwise-id" id="pairwise-id">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>

    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
    </Attribute>
 
    <Attribute name="emailAddress" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="mail"/>
</Attributes>
##############################################################################


##############################################################################
Shibboleth attribute-policy.xml: /etc/shibboleth/attribute-policy.xml
##############################################################################
<AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <PermitValueRule id="SympaUsers" xsi:type="ANY"/>

    <AttributeFilterPolicy>
        <PolicyRequirementRule xsi:type="ANY" />
        <AttributeRule attributeID="*" permitAny="true"/>
    </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
##############################################################################

> Please provide content of system logs for the software components above, _from when_ you clicked the login button _to when_ the home page was shown.  Sensitive information may be masked.

Logs attached as sympa.log and shibh.log


> Please show the modified configuration for the corresponding components and the logs in the same period as above.

I have reverted the change so I am not locking down the entire page.  I can do this if needed but for now, I am only protecting the Okta login button.


> As the document shown at first says, Sympa should be provided the user's email address as user information.  How have you configured it to get this information?

Okta is passing over emailAddress, and our auth.conf file is configured to accept that as mail; that is how I understand this to work.

On Mon, Aug 12, 2024 at 6:05 PM IKEDA Soji <address@concealed> wrote:
Hi Mickey,

At first, for Sympa configuration, at least the following document should have been read:
https://www.sympa.community/manual/customize/shibboleth.html

For OKTA and Shibboleth SP, also please read the documents provided by each.

> On 2024/08/09 2:23, Mickey Bowling <address@concealed> wrote:
>
> Our environment:
>
> OS: Amazon Linux 2
> Sympa 6.2.72
> Apache 2.4.61
> Shibboleth 3.4.1
>
> We are using Shibboleth as the SP for the Sympa application.  Our IDP is OKTA.  I have configured the Sympa OKTA application and Shibboleth to work using SAML2.

How have you configured them? Please provide specific details of the configuration for OKTA, Shibboleth SP, Apache HTTP Server and Sympa.  Please be specific — not just writing "I set it up exactly as the documents say".

> At the moment I am able to initiate SP authentication (via a login button on Sympa) which takes me to OKTA to authenticate, then pass back over to Sympa and ends up on the home page, but not as the authenticated user. 

Please provide content of system logs for the software components above, _from when_ you clicked the login button _to when_ the home page was shown.  Sensitive information may be masked.

> I have also tried protecting the entire Sympa page by adding that as a protected directory.  Doing so redirects me to OKTA when I land on the Sympa page.  From there I am able to authenticate and it brings me back to the Sympa landing page, but not as the authenticated user, rather as a non-user.  If a user is not assigned the application in OKTA, then they immediately get a notification that they are not assigned the application.

Please show the modified configuration for the corresponding components and the logs in the same period as above.

> Does this mean that Shibboleth is getting a valid session from OKTA and Sympa doesn't know how to process this session?

As the document shown at first says, Sympa should be provided the user's email address as user information.  How have you configured it to get this information?


Regards,

— Soji

Attachment: shibd.log
Description: Binary data

Attachment: sympa.log
Description: Binary data
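The thread turns on one attribute chain: Okta emits `emailAddress` with the Basic name format, attribute-map.xml maps that name to the id `mail`, and Sympa's `generic_sso` block expects `mail` in `email_http_header`. The script below is an added example (not from the thread, Sympa or Shibboleth) that cross-checks these three settings; it embeds constructed copies of the posted fragments, assumes Okta's "Basic" corresponds to the SAML `attrname-format:basic` URI, and uses a deliberately simplified auth.conf parser.

```python
import xml.etree.ElementTree as ET

NS = {"am": "urn:mace:shibboleth:2.0:attribute-map"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"  # Okta "Basic" name format (assumption)

# Constructed copies of the fragments posted in the thread, trimmed to the email attribute.
ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
    <Attribute name="emailAddress" nameFormat="%s" id="mail"/>
</Attributes>""" % BASIC

AUTH_CONF = """generic_sso
    service_name        Okta Login
    service_id          shibokta
    http_header_list    mail
    email_http_header   mail
    logout_url          https://company.okta.com
"""

def sp_attribute_ids(attribute_map_xml):
    """SAML attribute name -> (nameFormat, id the SP exports the value under)."""
    root = ET.fromstring(attribute_map_xml)
    return {a.get("name"): (a.get("nameFormat"), a.get("id"))
            for a in root.findall("am:Attribute", NS)}

def parse_auth_conf(text):
    """Simplified auth.conf parser: an unindented line opens a paragraph, indented lines are key/value."""
    blocks, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = (line.strip(), {})
            blocks.append(current)
        elif current is not None:
            key, _, value = line.strip().partition(" ")
            current[1][key] = value.strip()
    return blocks

def check_email_chain(attribute_map_xml, auth_conf_text, idp_attr_name, idp_name_format):
    """Return the breaks in the IdP -> SP -> Sympa email chain (empty list = consistent)."""
    ids = sp_attribute_ids(attribute_map_xml)
    if idp_attr_name not in ids:
        return ["attribute-map.xml does not map IdP attribute %r" % idp_attr_name]
    name_format, exported_id = ids[idp_attr_name]
    problems = []
    if name_format != idp_name_format:
        problems.append("nameFormat mismatch: SP %r vs IdP %r" % (name_format, idp_name_format))
    for kind, params in parse_auth_conf(auth_conf_text):
        if kind != "generic_sso":
            continue
        if params.get("email_http_header") != exported_id:
            problems.append("email_http_header %r != SP id %r" % (params.get("email_http_header"), exported_id))
        if exported_id not in params.get("http_header_list", "").split(","):
            problems.append("%r missing from http_header_list" % exported_id)
    return problems
```

Run `check_email_chain(ATTRIBUTE_MAP, AUTH_CONF, "emailAddress", BASIC)` against your own files; an empty result means the names line up and the fault lies elsewhere (session, header/environment export, or the IdP assertion itself).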




Archive powered by MHonArc 2.6.19+.