List: shibboleth-users
Subject: Re: 403 Forbidden Issue
From: Chris Lopez via users <users () shibboleth ! net>
Date: 2022-01-25 23:01:26
Message-ID: CAHftzFDRhEKuRrGmFZWGsw2pAA2ocSS2tuZGu-Vo4V1522UWrA () mail ! gmail ! com
Nate...
Nope... no additional ACL configs here:
Note: /Status is open right now just for us to debug...
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
    clockSkew="1800">

    <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />

    <ApplicationDefaults entityID="https://mygw.test.gwu.edu/shibboleth"
        REMOTE_USER="gwid email"
        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">

        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
            checkAddress="false" handlerSSL="false" cookieProps="https"
            redirectLimit="exact">

            <SSO entityID="https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/">
                SAML2
            </SSO>

            <Logout>Local</Logout>

            <!-- <Logout>SAML2 Local</Logout> -->

            <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />

            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

            <Handler type="Status" Location="/Status" />

            <!-- <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/> -->

            <Handler type="Session" Location="/Session" showAttributeValues="true"/>

            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <Errors supportContact="UWS-CFADMINS@hermes.gwu.edu"
            logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css"/>

        <MetadataProvider type="XML" path="mygwtest_azure_idp.xml"/>
        <MetadataProvider type="XML" path="mygwtest_google_idp.xml"/>

        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <AttributeResolver type="Query" subjectMatch="true"/>

        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

        <ApplicationOverride id="gwdar" entityID="https://gwdar.test.gwu.edu/shibboleth"/>

    </ApplicationDefaults>

    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>

Thanks
Pez
On Tue, Jan 25, 2022 at 5:50 PM Nate Klingenstein <ndk@sudonym.me> wrote:
> Pez,
>
> I don't see anything suspicious there (or in shib.conf, which is mostly
> redundant) either. What's the Apache error log say? Do you have any
> access control requirements specified in shibboleth2.xml?
>
> To help any further, I'd have to get deeper into the environment itself,
> but I don't see anything obviously wrong here. I hope someone else on the
> list does.
>
> Apologies,
> Nate
>
> On Tue, Jan 25, 2022 at 3:42 PM Chris Lopez <pez@gwu.edu> wrote:
>
> > Nate,
> >
> > There are no htaccess files. Here is the VH config for this domain:
> >
> > <VirtualHost *:443>
> >   ServerName gwdar.test.gwu.edu
> >
> >   ## Vhost docroot
> >   DocumentRoot "/docs/gwdar"
> >
> >   ## Directories, there should at least be a declaration for /docs/gwdar
> >
> >   <Directory "/docs/gwdar">
> >     Options -Indexes +FollowSymLinks
> >     AllowOverride None
> >     Require all granted
> >     DirectoryIndex index.cfm default.cfm index.html index.html.var index.shtml
> >   </Directory>
> >
> >   <Directory "/docs/gwdar/cgi">
> >     AllowOverride None
> >     Require all granted
> >     SSLOptions +StdEnvVars
> >   </Directory>
> >
> >   ## Logging
> >   ErrorLog "/var/log/httpd/test_gwdar_error_ssl.log"
> >   ServerSignature Off
> >   CustomLog "/var/log/httpd/test_gwdar_access_ssl.log" combined
> >   ErrorDocument 403 /mod/errors/noaccess.cfm
> >   ErrorDocument 404 /mod/errors/notfound.cfm
> >   ErrorDocument 503 /mod/errors/servererror.html
> >
> >   ## Rewrite rules
> >   RewriteEngine On
> >
> >   RewriteRule ^(.*/)?\.git+ - [R=404]
> >
> >   RewriteCond %{HTTP_HOST} !^gwdar.test.gwu.edu$ [NC]
> >   RewriteRule ^(.*)$ https://gwdar.test.gwu.edu/$1 [R=302]
> >
> >   ## Script alias directives
> >   ScriptAlias /cgi/ "/docs/gwdar/cgi/"
> >   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> >
> >   ## SSL directives
> >   SSLEngine on
> >   SSLCertificateFile "/etc/pki/tls/certs/mygwtstcfn2.es.gwu.edu.cer"
> >   SSLCertificateKeyFile "/etc/pki/tls/private/mygwtstcfn2.es.gwu.edu.key"
> >   SSLCertificateChainFile "/etc/pki/tls/certs/IncommonCA.cer"
> >
> >   ## Custom fragment
> >   ## Shibboleth Configurations
> >
> >   <Location /Shibboleth.sso>
> >     Require all granted
> >     SetHandler shib
> >   </Location>
> >
> >   <Location /secure/>
> >     AuthType shibboleth
> >     ShibRequestSetting requireSession 1
> >     ShibRequestSetting entityID https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/
> >     require shib-session
> >   </Location>
> >
> > Thanks
> > Pez
> >
> > On Tue, Jan 25, 2022 at 5:14 PM Nate Klingenstein <ndk@sudonym.me> wrote:
> >
> > > Pez,
> > >
> > > I don't see anything immediately wrong with the configuration there.
> > > The trailing slash shouldn't matter. Do you have any overriding
> > > directives (like Directory blocks or .htaccess files) elsewhere in Apache's
> > > configuration?
> > >
> > > It's going to take some digging, but I think this is almost certainly an
> > > Apache configuration issue.
> > >
> > > Hope this helps, and I can understand why you're scratching your heads,
> > > Nate
> > >
> > > On Tue, Jan 25, 2022 at 2:02 PM Chris Lopez <pez@gwu.edu> wrote:
> > >
> > > > Nate,
> > > >
> > > > Yes it is an Apache 403 error.
> > > >
> > > > I followed the documentation online as well as the examples that came
> > > > with shibboleth for Apache 2.4
> > > >
> > > > These are the configurations inside the apache virtualhost configs.
> > > >
> > > > NOTE 1: I attempted configurations with and without a trailing slash
> > > > after the /secure Location.
> > > > NOTE 2: I have X'd out the entity id
> > > >
> > > >
> > > > <Location /Shibboleth.sso>
> > > >   Require all granted
> > > >   SetHandler shib
> > > > </Location>
> > > >
> > > > <Location /secure/>
> > > >   AuthType shibboleth
> > > >   ShibRequestSetting requireSession 1
> > > >   ShibRequestSetting entityID https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx/
> > > >   require shib-session
> > > > </Location>
> > > >
> > > > Thanks
> > > > Chris
> > > >
> > > >
> > > > On Tue, Jan 25, 2022 at 3:51 PM Nate Klingenstein <ndk@sudonym.me>
> > > > wrote:
> > > >
> > > > > Chris,
> > > > >
> > > > > Making the assumption that you're getting the 403 from Apache, the
> > > > > authorization directives changed radically between versions 2.2 and 2.4.
> > > > > Check the Apache settings that you have protecting that location to make
> > > > > sure they match the OOTB configuration shipped with 3.3.
> > > > >
> > > > > If that all looks normal, we'll need more details.
> > > > >
> > > > > Take care,
> > > > > Nate
> > > > >
> > > > >
> > > > > On Tue, Jan 25, 2022 at 1:43 PM Chris Lopez via users <
> > > > > users@shibboleth.net> wrote:
> > > > >
> > > > > > > I was previously set up in an environment with coldfusion 11, apache
> > > > > > > 2.2 and Shibboleth SP 2.0, and we had the environment working perfectly.
> > > > > > >
> > > > > > > We have recently set up a new environment with coldfusion 2018, apache
> > > > > > > 2.4 and Shibboleth SP 3.0. We have all of our configurations (both
> > > > > > > shibboleth, and apache) in place as they should be. When attempting to
> > > > > > > test, the user gets routed to authenticate (as it should), and the
> > > > > > > authentication process is successful (as it should). After
> > > > > > > authentication, it routes to /secure where it then shows a 403 Forbidden
> > > > > > > message.
> > > > > > > I noticed that it adds a slash at the end (/secure/), and thought
> > > > > > > that might be a problem, however, I don't believe that is the issue as
> > > > > > > (#1) the old environment behaves the same way and (#2) I added trailing
> > > > > > > slashes in the Location /secure/ settings as well. This had no effect,
> > > > > > > leading me to believe that isn't the issue.
> > > > > >
> > > > > > I have verified by going to /Shibboleth.sso/Sessions, checking
> > > > > > transaction and shib logs, as well as using Chrome Developer Tools >
> > > > > > Network > cookies, that a session indeed has been created, however the
> > > > > > /secure Location is still throwing a 403 Forbidden.
> > > > > >
> > > > > > Our Identity guy and myself are banging our heads against the wall on
> > > > > > this one... Please Help !!
> > > > > >
> > > > > > Thanks
> > > > > > Pez
> > > > > > --
> > > > > > For Consortium Member technical support, see
> > > > > > https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> > > > > > To unsubscribe from this list send an email to
> > > > > > users-unsubscribe@shibboleth.net
> > > > > >
> > > > >
[Attachment #5 (text/html)]
<div dir="ltr">Nate...<div><br></div><div>Nope... no additional ACL configs \
here:</div><div><br></div><div>Note: /Status is open right now just for us to \
debug...</div><div><br></div><div>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><SPConfig \
xmlns="urn:mace:shibboleth:3.0:native:sp:config"</span></p> <p \
class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian \
:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> \
</span>xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"</span></p> <p \
class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian \
:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> \
</span>clockSkew="1800"></span></p> <p class="gmail-p2" \
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stre \
tch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0);min-height:13px"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p> \
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> </span><OutOfProcess \
tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" \
/></span></p> <p class="gmail-p2" \
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stre \
tch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0);min-height:13px"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p> \
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> </span><ApplicationDefaults \
entityID="<a href="https://mygw.test.gwu.edu/shibboleth">https://mygw.test.gwu.edu/shibboleth</a>"</span></p>
<p class="gmail-p1" \
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stre \
tch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> </span>REMOTE_USER="gwid \
email"</span></p> <p class="gmail-p1" \
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stre \
tch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> \
</span>cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"></span></p>
<p class="gmail-p2" \
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stre \
tch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0);min-height:13px"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p> \
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> </span><Sessions \
lifetime="28800" timeout="3600" \
relayState="ss:mem"</span></p> <p class="gmail-p1" \
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stre \
tch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> \
</span>checkAddress="false" handlerSSL="false" \
cookieProps="https"</span></p> <p class="gmail-p1" \
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stre \
tch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> \
</span>redirectLimit="exact"></span></p> <p class="gmail-p2" \
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stre \
tch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0);min-height:13px"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p> \
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> </span><SSO \
entityID="<a href="https://sts.windows.net/xxxx">https://sts.windows.net/xxxx</a></span><span \
style="font-variant-ligatures:no-common-ligatures">xxxx</span><span class="gmail-s1" \
style="font-variant-ligatures:no-common-ligatures">-xxxx-xxxx-xxxx-xxxx</span><span \
style="font-variant-ligatures:no-common-ligatures">xxxx</span><span \
style="font-variant-ligatures:no-common-ligatures">/"></span></p> <p \
class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian \
:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> </span>SAML2</span></p> \
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> </span></SSO></span></p> \
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0);min-height:13px"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p> \
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> \
</span><Logout>Local</Logout></span></p> <p class="gmail-p2" \
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stre \
tch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0);min-height:13px"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p> \
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><!--<span \
class="gmail-Apple-converted-space"> </span><Logout>SAML2 \
Local</Logout> --></span></p> <p class="gmail-p2" \
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stre \
tch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0);min-height:13px"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p> \
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> </span><LogoutInitiator \
type="Admin" Location="/Logout/Admin" acl="127.0.0.1 \
::1" /></span></p> <p class="gmail-p2" \
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stre \
tch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0);min-height:13px"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> </span></span></p> <p \
class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian \
:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> </span><Handler \
type="MetadataGenerator" Location="/Metadata" \
signing="false"/></span></p> <p class="gmail-p2" \
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stre \
tch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0);min-height:13px"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p> \
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> </span><Handler \
type="Status" Location="/Status" /></span></p> <p \
class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian \
:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0);min-height:13px"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p> \
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><!--<span \
class="gmail-Apple-converted-space"> </span><Handler \
type="Status" Location="/Status" acl="127.0.0.1 \
::1"/> --></span></p> <p class="gmail-p2" \
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stre \
tch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0);min-height:13px"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p> \
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> </span><Handler \
type="Session" Location="/Session" \
showAttributeValues="true"/></span></p> <p class="gmail-p2" \
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stre \
tch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0);min-height:13px"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p> \
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> </span><Handler \
type="DiscoveryFeed" Location="/DiscoFeed"/></span></p> <p \
class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian \
:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> </span></Sessions></span></p> \
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0);min-height:13px"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p> \
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> </span><Errors \
supportContact="<a \
href="mailto:UWS-CFADMINS@hermes.gwu.edu">UWS-CFADMINS@hermes.gwu.edu</a>"</span></p>
<p class="gmail-p1" \
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stre \
tch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> \
</span>logoLocation="/shibboleth-sp/logo.jpg"</span></p> <p \
class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian \
:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> \
</span>styleSheet="/shibboleth-sp/main.css"/></span></p> <p \
class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian \
:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0);min-height:13px"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p> \
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> </span><MetadataProvider \
type="XML" path="mygwtest_azure_idp.xml"/></span></p> <p \
class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian \
:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> </span><MetadataProvider \
type="XML" path="mygwtest_google_idp.xml"/></span></p> <p \
class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian \
:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0);min-height:13px"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p> \
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> </span><AttributeExtractor \
type="XML" validate="true" reloadChanges="false" \
path="attribute-map.xml"/></span></p> <p class="gmail-p2" \
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stre \
tch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0);min-height:13px"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p> \
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0);min-height:13px"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p> \
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> </span><AttributeResolver \
type="Query" subjectMatch="true"/></span></p> <p \
class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian \
:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0);min-height:13px"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p> \
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> </span><CredentialResolver \
type="File" key="sp-key.pem" \
certificate="sp-cert.pem"/></span></p> <p class="gmail-p2" \
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stre \
tch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0);min-height:13px"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p> \
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> </span><ApplicationOverride \
id="gwdar" entityID="<a \
href="https://gwdar.test.gwu.edu/shibboleth">https://gwdar.test.gwu.edu/shibboleth</a>"/></span></p>
<p class="gmail-p2" \
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stre \
tch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0);min-height:13px"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p> \
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-as \
ian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(33,255,6);background-color:rgb(0,0,0)"><span \
class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span \
class="gmail-Apple-converted-space"> \
</span></ApplicationDefaults></span></p> <p class="gmail-p2" \
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>

Thanks
Pez

On Tue, Jan 25, 2022 at 5:50 PM Nate Klingenstein <ndk@sudonym.me> wrote:

> Pez,
>
> I don't see anything suspicious there (or in shib.conf, which is mostly
> redundant) either. What's the Apache error log say? Do you have any access
> control requirements specified in shibboleth2.xml?
>
> To help any further, I'd have to get deeper into the environment itself,
> but I don't see anything obviously wrong here. I hope someone else on the
> list does.
>
> Apologies,
> Nate
>
> On Tue, Jan 25, 2022 at 3:42 PM Chris Lopez <pez@gwu.edu> wrote:
>
>> Nate,
>>
>> There are no htaccess files. Here is the VH config for this domain:
>>
>> <VirtualHost *:443>
>>   ServerName gwdar.test.gwu.edu
>>
>>   ## Vhost docroot
>>   DocumentRoot "/docs/gwdar"
>>
>>   ## Directories, there should at least be a declaration for /docs/gwdar
>>
>>   <Directory "/docs/gwdar">
>>     Options -Indexes +FollowSymLinks
>>     AllowOverride None
>>     Require all granted
>>     DirectoryIndex index.cfm default.cfm index.html index.html.var index.shtml
>>   </Directory>
>>
>>   <Directory "/docs/gwdar/cgi">
>>     AllowOverride None
>>     Require all granted
>>     SSLOptions +StdEnvVars
>>   </Directory>
>>
>>   ## Logging
>>   ErrorLog "/var/log/httpd/test_gwdar_error_ssl.log"
>>   ServerSignature Off
>>   CustomLog "/var/log/httpd/test_gwdar_access_ssl.log" combined
>>   ErrorDocument 403 /mod/errors/noaccess.cfm
>>   ErrorDocument 404 /mod/errors/notfound.cfm
>>   ErrorDocument 503 /mod/errors/servererror.html
>>   ## Rewrite rules
>>   RewriteEngine On
>>
>>   RewriteRule ^(.*/)?\.git+ - [R=404]
>>
>>   RewriteCond %{HTTP_HOST} !^gwdar.test.gwu.edu$ [NC]
>>   RewriteRule ^(.*)$ https://gwdar.test.gwu.edu/$1 [R=302]
>>
>>   ## Script alias directives
>>   ScriptAlias /cgi/ "/docs/gwdar/cgi/"
>>   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>>
>>   ## SSL directives
>>   SSLEngine on
>>   SSLCertificateFile      "/etc/pki/tls/certs/mygwtstcfn2.es.gwu.edu.cer"
>>   SSLCertificateKeyFile   "/etc/pki/tls/private/mygwtstcfn2.es.gwu.edu.key"
>>   SSLCertificateChainFile "/etc/pki/tls/certs/IncommonCA.cer"
>>
>>   ## Custom fragment
>>   ## Shibboleth Configurations
>>   <Location /Shibboleth.sso>
>>     Require all granted
>>     SetHandler shib
>>   </Location>
>>
>>     AuthType shibboleth
>>     ShibRequestSetting requireSession 1
>>     ShibRequestSetting entityID https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/
>>     require shib-session
>>   </Location>
>>
>> Thanks
>> Pez
>>
>> On Tue, Jan 25, 2022 at 5:14 PM Nate Klingenstein <ndk@sudonym.me> wrote:
>>
>>> Pez,
>>>
>>> I don't see anything immediately wrong with the configuration there. The
>>> trailing slash shouldn't matter. Do you have any overriding directives
>>> (like Directory blocks or .htaccess files) elsewhere in Apache's
>>> configuration?
>>>
>>> It's going to take some digging, but I think this is almost certainly an
>>> Apache configuration issue.
>>>
>>> Hope this helps, and I can understand why you're scratching your heads,
>>> Nate
>>>
>>> On Tue, Jan 25, 2022 at 2:02 PM Chris Lopez <pez@gwu.edu> wrote:
>>>
>>>> Nate,
>>>>
>>>> Yes it is an Apache 403 error.
>>>>
>>>> I followed the documentation online as well as the examples that came
>>>> with shibboleth for Apache 2.4
>>>>
>>>> These are the configurations inside the apache virtualhost configs.
>>>>
>>>> NOTE 1: I attempted configurations with and without a trailing slash
>>>> after the /secure Location.
>>>> NOTE 2: I have X'd out the entity id
>>>>
>>>>   <Location /Shibboleth.sso>
>>>>     Require all granted
>>>>     SetHandler shib
>>>>   </Location>
>>>>
>>>>   <Location /secure/>
>>>>     AuthType shibboleth
>>>>     ShibRequestSetting requireSession 1
>>>>     ShibRequestSetting entityID https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx/
>>>>     require shib-session
>>>>   </Location>
>>>>
>>>> Thanks
>>>> Chris
>>>>
>>>> On Tue, Jan 25, 2022 at 3:51 PM Nate Klingenstein <ndk@sudonym.me> wrote:
>>>>
>>>>> Chris,
>>>>>
>>>>> Making the assumption that you're getting the 403 from Apache, the
>>>>> authorization directives changed radically between versions 2.2 and
>>>>> 2.4. Check the Apache settings that you have protecting that location
>>>>> to make sure they match the OOTB configuration shipped with 3.3.
>>>>>
>>>>> If that all looks normal, we'll need more details.
>>>>>
>>>>> Take care,
>>>>> Nate
>>>>>
>>>>> On Tue, Jan 25, 2022 at 1:43 PM Chris Lopez via users
>>>>> <users@shibboleth.net> wrote:
>>>>>
>>>>>> I was previously set up in an environment with coldfusion 11, apache
>>>>>> 2.2 and Shibboleth SP 2.0, and we had the environment working
>>>>>> perfectly.
>>>>>>
>>>>>> We have recently set up a new environment with coldfusion 2018, apache
>>>>>> 2.4 and Shibboleth SP 3.0. We have all of our configurations (both
>>>>>> shibboleth, and apache) in place as they should be. When attempting to
>>>>>> test, the user gets routed to authenticate (as it should), and the
>>>>>> authentication process is successful (as it should). After
>>>>>> authentication, it routes to /secure where it then shows a 403
>>>>>> Forbidden message.
>>>>>>
>>>>>> I noticed that it adds a slash at the end (/secure/), and thought that
>>>>>> might be a problem, however, I don't believe that is the issue as (#1)
>>>>>> the old environment behaves the same way and (#2) I added trailing
>>>>>> slashes in the Location /secure/ settings as well. This had no effect,
>>>>>> leading me to believe that isn't the issue.
>>>>>>
>>>>>> I have verified by going to /Shibboleth.sso/Sessions, checking
>>>>>> transaction and shib logs, as well as using Chrome Developer Tools >
>>>>>> Network > cookies, that a session indeed has been created, however the
>>>>>> /secure Location is still throwing a 403 Forbidden.
>>>>>>
>>>>>> Our Identity guy and myself are banging our heads against the wall on
>>>>>> this one... Please Help !!
>>>>>>
>>>>>> Thanks
>>>>>> Pez
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net
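
Added example, not part of the thread and not code from the Shibboleth or Apache projects: a small audit of the kind of check suggested above, listing every plain <Directory>/<Location> section that applies to a protected URL together with its authorization directives, and flagging Apache 2.2-era ones. The function names are hypothetical, the sample vhost is constructed from directives quoted in the thread plus one constructed legacy block, and wildcard/regex sections, Include files and .htaccess are not handled.

```python
import re

# Apache 2.2 access-control directives; Apache 2.4 only honours them through
# mod_access_compat, and its documentation discourages mixing them with Require.
LEGACY = {"order", "allow", "deny", "satisfy"}
AUTHZ = LEGACY | {"require", "authtype", "shibrequestsetting"}

OPEN = re.compile(r'^<(Location|Directory)\s+"?([^">]+?)"?\s*>$', re.I)
CLOSE = re.compile(r'^</(Location|Directory)>$', re.I)


def location_applies(section_path, request_path):
    """Prefix rule of a plain <Location>/<Directory> (no wildcards or regex)."""
    if request_path == section_path:
        return True
    prefix = section_path if section_path.endswith("/") else section_path + "/"
    return request_path.startswith(prefix)


def _finalize(section):
    names = {d.split()[0].lower() for d in section["directives"]}
    warnings = []
    legacy = sorted(names & LEGACY)
    if legacy:
        warnings.append("2.2-style access control (needs mod_access_compat): "
                        + ", ".join(legacy))
    if legacy and "require" in names:
        warnings.append("mixes 2.2-style directives with Require")
    if "authtype" in names and "require" not in names:
        warnings.append("AuthType set but no Require in this section")
    return (section["name"], section["directives"], warnings)


def audit(config_text, url_path, docroot):
    """Return (section, directives, warnings) for each section covering url_path."""
    fs_path = docroot.rstrip("/") + url_path  # where the URL maps on disk
    findings, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            kind, arg = opened.group(1).capitalize(), opened.group(2)
            target = url_path if kind == "Location" else fs_path
            current = {"name": f"{kind} {arg}", "directives": [],
                       "applies": location_applies(arg, target)}
        elif CLOSE.match(line):
            if current and current["applies"]:
                findings.append(_finalize(current))
            current = None
        elif current is not None and line.split()[0].lower() in AUTHZ:
            current["directives"].append(line)
    return findings


# Constructed sample: directives as quoted in the thread, plus one constructed
# legacy <Directory> block that is NOT from the thread, to show the warning.
SAMPLE_VHOST = """
<VirtualHost *:443>
  DocumentRoot "/docs/gwdar"
  <Directory "/docs/gwdar">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
  </Directory>
  # constructed legacy block (not from the thread)
  <Directory "/docs/gwdar/secure">
    Order deny,allow
    Deny from all
  </Directory>
  <Location /Shibboleth.sso>
    Require all granted
    SetHandler shib
  </Location>
  <Location /secure/>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    require shib-session
  </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for name, directives, warnings in audit(SAMPLE_VHOST, "/secure/", "/docs/gwdar"):
        print(name)
        for d in directives:
            print("   ", d)
        for w in warnings:
            print("    WARNING:", w)
```

Run it against the merged configuration rather than a single vhost file so sections from included files are seen as well.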