.htaccess apache2 shibboleth

shib auth checker & htaccess process is not happening in shib 2.6 system


Currently we have a working SHIB 2.4 system and we are upgrading it to SHIB 2.6.

We did the following steps for the SHIB 2.6 upgrade:

  1. Compiled SHIBD with all the needed dependencies and also checked the configuration by running SHIBD -t. It displays “Overall configuration is loadable”.

  2. Then, we replaced the existing SHIBD 2.4 file with the SHIBD 2.6 file (not sure this step is correct??) & added dependent libraries (like libsaml.so., etc.).

  3. We are able to start shibd & Apache without any problems.

  4. We are running with Apache 2.2.3 and we didn’t make any new configuration changes in the files below:
     · Shibboleth2.xml
     · Httpd.conf
     · Apache22.conf

Problem:

  1. Not receiving shib attributes from shibd to our app (interface b/w client to shibd & IDP). From IDP to shibd we are getting attributes.

  2. On comparing the Apache logs of SHIB 2.4 & SHIB 2.6, I found the below two entries are missing in the SHIB 2.6 system:

     [debug] mod_apache.cpp(724): [client 10.00.00.00] shib_auth_checker(3464): ENTER, referer: https://xxx-shibbolethidp.xxxxx.com/idp3/profile/SAML2/Redirect/SSO
     [debug] mod_apache.cpp(393): [client 10.xx.xx.xx] htaccess: a rule was successful, granting access, referer: https://xxx-shibbolethidp.xxxxxxx..com/idp3/profile/SAML2/Redirect/SSO

The HTACCESS redirect and shib_auth_checker process is not happening. Can you guys please help us in finding what is causing this issue? Your suggestion/advice will help us a lot …

Thanks, Satheesh K


Solution

  • Shibboleth SP runs via the httpd server, so there is a connector used as an interface between the two. The connector MOD_SHIB will have its own version. It will be based on which version of Apache you gave during the initial building process of SP.

    I was using Apache httpd 2.4 v during building SP and I copied all the compiled binaries (shibd, *.so, other libs) to an environment (let's call this testbox) where SP 2.4 v is running with Apache 2.2.x and upgraded it by replacing the copied files (ignored the Apache).

    I missed any one of these:

    1. Upgrade Apache from 2.3v to 2.4v in the testbox or
    2. Build SP with Apache 2.3v

    So my problem was a version mismatch of the connector mod_shib. So be careful in choosing the Apache version during the upgrade process of SP. Apache or SP will not throw any exact errors related to the connector, but the end-to-end communication will not work!
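
A pre-upgrade check for the connector mismatch described in the answer above, as an added example that is not part of the original question or answer: it compares the Apache release series from the `httpd -v` banner with the series in the mod_shib file named on the `LoadModule` line. It assumes the module keeps the SP build's usual `mod_shib_NN.so` file name; the function names, sample banner and sample path are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the connector file is named mod_shib_NN.so
# (e.g. mod_shib_22.so, mod_shib_24.so), NN being the Apache series it was built for.

# Print "22" for a banner such as "Server version: Apache/2.2.3".
apache_series() {
    printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9][0-9]*\)\.\([0-9][0-9]*\).*|\1\2|p' | head -n 1
}

# Print the NN of the first active (uncommented) mod_shib LoadModule line.
module_series() {
    printf '%s\n' "$1" |
        sed -n 's|^[[:space:]]*LoadModule[[:space:]][[:space:]]*mod_shib[[:space:]].*mod_shib_\([0-9][0-9]*\)\.so.*|\1|p' |
        head -n 1
}

# $1 = output of `httpd -v`, $2 = text of the config holding the LoadModule line.
# Returns 0 on match, 1 on mismatch, 2 when either value cannot be determined.
check_mod_shib() {
    want=$(apache_series "$1")
    have=$(module_series "$2")
    if [ -z "$want" ] || [ -z "$have" ]; then
        echo "unknown"
        return 2
    fi
    if [ "$want" = "$have" ]; then
        echo "match"
        return 0
    fi
    echo "mismatch: Apache series $want, mod_shib built for $have"
    return 1
}

# Constructed sample input reproducing the situation in the answer:
# Apache 2.2.x on the host, connector built against Apache 2.4.
SAMPLE_BANNER='Server version: Apache/2.2.3'
SAMPLE_CONF='# shib connector
LoadModule mod_shib /opt/shibboleth-sp/lib/shibboleth/mod_shib_24.so'

check_mod_shib "$SAMPLE_BANNER" "$SAMPLE_CONF" || true
```

On a real host, pass `"$(httpd -v)"` and the contents of the Apache config file that loads mod_shib instead of the sample strings.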