
I've been developing a Symfony app (learning Symfony with the goal of replacing an existing "old school" PHP script with it) and am having an issue with putting it "behind" our Shibboleth authentication.

Why do that? For this app I need $_SERVER['REMOTE_USER']. The app doesn't have local accounts, the user doesn't log into the app, but, like many resources, we protect them with some form of authentication.

I have two sites - virtual hosts running on the same physical server. (CentOS 7). The first site has the following in its .htaccess file:

authtype shibboleth
ShibRequestSetting requireSession 1
require valid-user

I have a "phpinfo.php" file in there, too, and can run that script and, after the Shibboleth authentication step, get the output which includes the correct value of REMOTE_USER.

The other virtual host is set up as a Symfony 3.1 app. I've added those three lines to the top of its ".htaccess" file - but after going through the Shibboleth authentication step, the browser gets into a loop and goes no farther. (In Chrome, the 'favicon' is replaced with a looping arrow, and it never stops turning.)

If I hit and then view the source of this still-empty page, I see the following error message:

Error Message: Error decoding authentication request message

I'm not sure how to start to resolve this issue, and was hoping that someone has seen this and knows how to help.

Thanks.

Best, Stephen

  • Almost certainly a redirect loop. I changed the DocumentRoot of the virtual host - /var/www/vhost/candy - and put the Shibboleth-specific .htaccess file there. The Symfony folder resides in /var/www/vhost/candy/bar and if I point my browser at 'candy/bar/web/' I go through the Shibboleth step and then on to the Symfony app. – Stephen Spencer Oct 12 '16 at 22:21

1 Answer


If I understand correctly, you are trying to make the Service Provider part in Symfony, and you already have an IdP working with Shibboleth.

In my case I also had a similar problem, and it was because after the Assertion the Apache SP was returning to the root URL. I learnt after reading a lot of documentation that if this is not set correctly you can add an attribute in the shibboleth2.xml configuration called homeURL:

 <ApplicationDefaults entityID="https://sso/saml2/idp/metadata.php"
     REMOTE_USER="mail"
     homeURL="https://symfonyApp/redirect/after/login">

Try it out and restart the shib daemon: /etc/init.d/shibd restart

It may be something else as well. But it sounds to me that there is some misconfiguration on your SP side.

Martin Fasani
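Whichever way the redirect loop is resolved (the comment on the question fixes it by moving the Shibboleth .htaccess up to the DocumentRoot), the app ends up trusting $_SERVER['REMOTE_USER'] as its only notion of identity, so it is worth being strict about where that value came from. The snippet below is an added example, not code from the question, the answer, or Symfony itself. It assumes the usual Apache mod_shib setup with ShibUseHeaders left Off, in which the SP publishes REMOTE_USER and the Shib-* attributes (such as Shib-Session-ID) as server variables rather than request headers; a client cannot set those, but it can always send a "Remote-User" request header, which PHP exposes as HTTP_REMOTE_USER, so that key is discarded outright. The function name shibbolethUser and the sample requests are constructed for illustration.

```php
<?php
// Added example (not the poster's or Symfony's code): read REMOTE_USER the way a
// Shibboleth-protected app should, failing closed when the SP did not set it.
//
// Assumption: Apache mod_shib with "ShibUseHeaders Off" (the default), so the SP
// exports REMOTE_USER and Shib-Session-ID as server variables. Anything that
// arrives as HTTP_REMOTE_USER or HTTP_SHIB_SESSION_ID came from the client.

function shibbolethUser(array $server): ?string
{
    // Client-controlled headers: drop them before looking at anything else.
    unset($server['HTTP_REMOTE_USER'], $server['HTTP_SHIB_SESSION_ID']);

    // Require both: REMOTE_USER on its own could have been set by a different
    // auth module somewhere else in the directory tree, or by a request that
    // reached the app through a path the Shibboleth .htaccess does not cover.
    if (empty($server['Shib-Session-ID']) || empty($server['REMOTE_USER'])) {
        return null;
    }

    $user = $server['REMOTE_USER'];

    // Keep the identifier to a conservative character set before it reaches
    // logs, templates, or a database lookup.
    if (!preg_match('/^[A-Za-z0-9._@-]{1,254}$/', $user)) {
        return null;
    }

    return $user;
}

// Constructed sample requests (not real traffic), one per situation the
// question and comment describe.
$requests = [
    'through shib' => [
        'REMOTE_USER'     => 'stephen@example.edu',
        'Shib-Session-ID' => '_a1b2c3d4e5',
    ],
    'bypassed'     => [
        // e.g. a hit on candy/bar/web/ that never passed the protected root
        'REMOTE_USER'     => 'stephen@example.edu',
    ],
    'spoofed'      => [
        'HTTP_REMOTE_USER'     => 'admin@example.edu',
        'HTTP_SHIB_SESSION_ID' => '_forged',
    ],
    'garbage'      => [
        'REMOTE_USER'     => "alice\r\nX-Injected: 1",
        'Shib-Session-ID' => '_a1b2c3d4e5',
    ],
];

foreach ($requests as $label => $server) {
    $user = shibbolethUser($server);
    printf("%-13s -> %s\n", $label,
        $user === null ? 'deny (no trusted identity)' : "allow as {$user}");
}
```

Only the first request is accepted; the other three are refused even though each carries a plausible-looking user name. In a Symfony 3.1 app the same trust decision is normally delegated to the remote_user firewall in app/config/security.yml, which reads REMOTE_USER for you, but it will not know whether the request actually went through mod_shib, so the same "is the Shibboleth session present" check belongs in front of it, and the web/ directory must not be reachable by a path that skips the Shibboleth-protected .htaccess.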