• Resolved Perry

    (@daawesomep)


    Hello,

    I am trying to set up the plugin behind a reverse proxy with Apache. When clicking Login with Shibboleth I get into a redirect loop where the IdP correctly authenticates but seems to redirect back to the URL that initiates a new IdP authorization request. It seems that maybe the plugin isn’t properly detecting the headers.

    Configuration (redacted with example.com):

    • Login URL: https://example.com/Shibboleth.sso/Login
    • Logout URL: https://example.com/Shibboleth.sso/Logout
    • Attribute Access: HTTP Headers
    • Spoof Key: blank (will configure once it works without it)

    Relevant Apache config:

    <Location />
      AuthType Shibboleth
      ShibRequestSetting requireSession false
      ShibUseHeaders On
      Require shibboleth
    </Location>

    <Location /Shibboleth.sso>
      SetHandler shib
      ShibUseHeaders On
      AuthType None
      Require all granted
    </Location>

    I placed a PHP file in the root of the server with:

    <?php
    echo '<pre>';
    var_dump($_SERVER, $_ENV);
    echo '</pre>';

    When not logged in:

    array(67) {
      ["HTTP_AUTHORIZATION"]=>
      string(0) ""
      ["HTTP_HOST"]=>
      string(23) "example.com"
      ["HTTP_USER_AGENT"]=>
      string(70) "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0"
      ["HTTP_ACCEPT"]=>
      string(85) "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"
      ["HTTP_ACCEPT_LANGUAGE"]=>
      string(14) "en-US,en;q=0.5"
      ["HTTP_ACCEPT_ENCODING"]=>
      string(17) "gzip, deflate, br"
      ["HTTP_DNT"]=>
      string(1) "1"
      ["HTTP_UPGRADE_INSECURE_REQUESTS"]=>
      string(1) "1"
      ["HTTP_SEC_FETCH_DEST"]=>
      string(8) "document"
      ["HTTP_SEC_FETCH_MODE"]=>
      string(8) "navigate"
      ["HTTP_SEC_FETCH_SITE"]=>
      string(4) "none"
      ["HTTP_SEC_FETCH_USER"]=>
      string(2) "?1"
      ["HTTP_SHIB_COOKIE_NAME"]=>
      string(0) ""
      ["HTTP_SHIB_SESSION_ID"]=>
      string(0) ""
      ["HTTP_SHIB_SESSION_INDEX"]=>
      string(0) ""
      ["HTTP_SHIB_SESSION_EXPIRES"]=>
      string(0) ""
      ["HTTP_SHIB_SESSION_INACTIVITY"]=>
      string(0) ""
      ["HTTP_SHIB_IDENTITY_PROVIDER"]=>
      string(0) ""
      ["HTTP_SHIB_AUTHENTICATION_METHOD"]=>
      string(0) ""
      ["HTTP_SHIB_AUTHENTICATION_INSTANT"]=>
      string(0) ""
      ["HTTP_SHIB_AUTHNCONTEXT_CLASS"]=>
      string(0) ""
      ["HTTP_SHIB_AUTHNCONTEXT_DECL"]=>
      string(0) ""
      ["HTTP_SHIB_ASSERTION_COUNT"]=>
      string(0) ""
      ["HTTP_SHIB_HANDLER"]=>
      string(46) "https://example.com/Shibboleth.sso"
      ["HTTP_SUBJECT_ID"]=>
      string(0) ""
      ["HTTP_PAIRWISE_ID"]=>
      string(0) ""
      ["HTTP_EPPN"]=>
      string(0) ""
      ["HTTP_AFFILIATION"]=>
      string(0) ""
      ["HTTP_ENTITLEMENT"]=>
      string(0) ""
      ["HTTP_PERSISTENT_ID"]=>
      string(0) ""
      ["HTTP_MEMBER"]=>
      string(0) ""
      ["HTTP_CN"]=>
      string(0) ""
      ["HTTP_SN"]=>
      string(0) ""
      ["HTTP_GIVENNAME"]=>
      string(0) ""
      ["HTTP_DISPLAYNAME"]=>
      string(0) ""
      ["HTTP_MAIL"]=>
      string(0) ""
      ["HTTP_SHIB_APPLICATION_ID"]=>
      string(0) ""
      ["HTTP_X_FORWARDED_PROTO"]=>
      string(5) "https"
      ["HTTP_X_FORWARDED_PORT"]=>
      string(3) "443"
      ["HTTP_X_FORWARDED_HOST"]=>
      string(23) "example.com"
      ["HTTP_X_FORWARDED_SERVER"]=>
      string(23) "example.com"
      ["HTTP_CONNECTION"]=>
      string(5) "close"
      ["PATH"]=>
      string(60) "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
      ["SERVER_SIGNATURE"]=>
      string(84) "
    Apache/REDACTED Server at example.com Port 80
    
    "
      ["SERVER_SOFTWARE"]=>
      string(22) "Apache/REDACTED"
      ["SERVER_NAME"]=>
      string(23) "example.com"
      ["SERVER_ADDR"]=>
      string(9) "REDACTED"
      ["SERVER_PORT"]=>
      string(2) "80"
      ["REMOTE_ADDR"]=>
      string(13) "REDACTED"
      ["DOCUMENT_ROOT"]=>
      string(13) "/var/www/html"
      ["REQUEST_SCHEME"]=>
      string(4) "http"
      ["CONTEXT_PREFIX"]=>
      string(0) ""
      ["CONTEXT_DOCUMENT_ROOT"]=>
      string(13) "/var/www/html"
      ["SERVER_ADMIN"]=>
      string(19) "webmaster@localhost"
      ["SCRIPT_FILENAME"]=>
      string(22) "/var/www/html/REDACTED"
      ["REMOTE_PORT"]=>
      string(5) "REDACTED"
      ["GATEWAY_INTERFACE"]=>
      string(7) "CGI/1.1"
      ["SERVER_PROTOCOL"]=>
      string(8) "HTTP/1.1"
      ["REQUEST_METHOD"]=>
      string(3) "GET"
      ["QUERY_STRING"]=>
      string(0) ""
      ["REQUEST_URI"]=>
      string(9) "/REDACTED"
      ["SCRIPT_NAME"]=>
      string(9) "/REDACTED"
      ["PHP_SELF"]=>
      string(9) "/REDACTED"
      ["REQUEST_TIME_FLOAT"]=>
      float(1692393231.115434)
      ["REQUEST_TIME"]=>
      int(1692393231)
      ["argv"]=>
      array(0) {
      }
      ["argc"]=>
      int(0)
    }

    When I am logged in:

    array(68) {
      ["HTTP_AUTHORIZATION"]=>
      string(0) ""
      ["HTTP_HOST"]=>
      string(23) "example.com"
      ["HTTP_USER_AGENT"]=>
      string(70) "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0"
      ["HTTP_ACCEPT"]=>
      string(85) "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"
      ["HTTP_ACCEPT_LANGUAGE"]=>
      string(14) "en-US,en;q=0.5"
      ["HTTP_ACCEPT_ENCODING"]=>
      string(17) "gzip, deflate, br"
      ["HTTP_DNT"]=>
      string(1) "1"
      ["HTTP_COOKIE"]=>
      string(933) "clive-visitor-tid-REDACTED=REDACTED; wordpress_test_cookie=WP%20Cookie%20check; _opensaml_req_ss%3AREDACTED=_REDACTED; _opensaml_req_ss%3Amem%3AREDACTED=_REDACTED; _opensaml_req_ss%3AREDACTED=_REDACTED; _opensaml_req_ss%3AREDACTED=_REDACTED; wp_lang=en_US; _shibsession_REDACTED=_REDACTED; _opensaml_req_ss%3AREDACTED=_REDACTED"
      ["HTTP_UPGRADE_INSECURE_REQUESTS"]=>
      string(1) "1"
      ["HTTP_SEC_FETCH_DEST"]=>
      string(8) "document"
      ["HTTP_SEC_FETCH_MODE"]=>
      string(8) "navigate"
      ["HTTP_SEC_FETCH_SITE"]=>
      string(4) "none"
      ["HTTP_SEC_FETCH_USER"]=>
      string(2) "?1"
      ["HTTP_SHIB_COOKIE_NAME"]=>
      string(0) ""
      ["HTTP_SHIB_SESSION_ID"]=>
      string(33) "_REDACTED"
      ["HTTP_SHIB_SESSION_INDEX"]=>
      string(33) "_REDACTED"
      ["HTTP_SHIB_SESSION_EXPIRES"]=>
      string(10) "REDACTED"
      ["HTTP_SHIB_SESSION_INACTIVITY"]=>
      string(10) "REDACTED"
      ["HTTP_SHIB_IDENTITY_PROVIDER"]=>
      string(36) "https://REDACTED/idp/shibboleth"
      ["HTTP_SHIB_AUTHENTICATION_METHOD"]=>
      string(25) "https://REDACTED/duo"
      ["HTTP_SHIB_AUTHENTICATION_INSTANT"]=>
      string(24) "REDACTED"
      ["HTTP_SHIB_AUTHNCONTEXT_CLASS"]=>
      string(25) "https://REDACTED/duo"
      ["HTTP_SHIB_AUTHNCONTEXT_DECL"]=>
      string(0) ""
      ["HTTP_SHIB_ASSERTION_COUNT"]=>
      string(0) ""
      ["HTTP_SHIB_HANDLER"]=>
      string(46) "https://example.com/Shibboleth.sso"
      ["HTTP_SUBJECT_ID"]=>
      string(0) ""
      ["HTTP_PAIRWISE_ID"]=>
      string(0) ""
      ["HTTP_EPPN"]=>
      string(22) "REDACTED"
      ["HTTP_AFFILIATION"]=>
      string(62) "REDACTED@REDACTED;REDACTED@REDACTED;REDACTED@REDACTED"
      ["HTTP_ENTITLEMENT"]=>
      string(0) ""
      ["HTTP_PERSISTENT_ID"]=>
      string(0) ""
      ["HTTP_MEMBER"]=>
      string(0) ""
      ["HTTP_CN"]=>
      string(12) "REDACTED REDACTED"
      ["HTTP_SN"]=>
      string(6) "REDACTED"
      ["HTTP_GIVENNAME"]=>
      string(5) "REDACTED"
      ["HTTP_DISPLAYNAME"]=>
      string(12) "REDACTED REDACTED"
      ["HTTP_MAIL"]=>
      string(22) "REDACTED"
      ["HTTP_SHIB_APPLICATION_ID"]=>
      string(7) "default"
      ["HTTP_X_FORWARDED_PROTO"]=>
      string(5) "https"
      ["HTTP_X_FORWARDED_PORT"]=>
      string(3) "443"
      ["HTTP_X_FORWARDED_HOST"]=>
      string(23) "example.com"
      ["HTTP_X_FORWARDED_SERVER"]=>
      string(23) "example.com"
      ["HTTP_CONNECTION"]=>
      string(5) "close"
      ["PATH"]=>
      string(60) "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
      ["SERVER_SIGNATURE"]=>
      string(84) "
    Apache/REDACTED Server at example.com Port 80
    
    "
      ["SERVER_SOFTWARE"]=>
      string(22) "Apache/REDACTED"
      ["SERVER_NAME"]=>
      string(23) "example.com"
      ["SERVER_ADDR"]=>
      string(9) "REDACTED"
      ["SERVER_PORT"]=>
      string(2) "80"
      ["REMOTE_ADDR"]=>
      string(13) "REDACTED"
      ["DOCUMENT_ROOT"]=>
      string(13) "/var/www/html"
      ["REQUEST_SCHEME"]=>
      string(4) "http"
      ["CONTEXT_PREFIX"]=>
      string(0) ""
      ["CONTEXT_DOCUMENT_ROOT"]=>
      string(13) "/var/www/html"
      ["SERVER_ADMIN"]=>
      string(19) "webmaster@localhost"
      ["SCRIPT_FILENAME"]=>
      string(22) "/var/www/html/REDACTED"
      ["REMOTE_PORT"]=>
      string(5) "REDACTED"
      ["GATEWAY_INTERFACE"]=>
      string(7) "CGI/1.1"
      ["SERVER_PROTOCOL"]=>
      string(8) "HTTP/1.1"
      ["REQUEST_METHOD"]=>
      string(3) "GET"
      ["QUERY_STRING"]=>
      string(0) ""
      ["REQUEST_URI"]=>
      string(9) "/REDACTED"
      ["SCRIPT_NAME"]=>
      string(9) "/REDACTED"
      ["PHP_SELF"]=>
      string(9) "REDACTED"
      ["REQUEST_TIME_FLOAT"]=>
      float(1692393566.266936)
      ["REQUEST_TIME"]=>
      int(1692393566)
      ["argv"]=>
      array(0) {
      }
      ["argc"]=>
      int(0)
    }

    Any ideas?

    Thanks!
    Perry

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Jonathan Champ

    (@jrchamp)

    Hi @daawesomep

    It looks like HTTP_EPPN is where the username is for your setup. By selecting “HTTP Headers”, the HTTP_ part of the key will be automatically included, so you only need to specify “EPPN” in your User Profile Data settings. Alternatively, the “Enable Fallback Attribute Access” setting may also work, but is less specific.

    Please let us know if that worked!

    Thread Starter Perry

    (@daawesomep)

    Hi @jrchamp

    Thanks for your response! I left the User Profile Data settings at their default values:

    • Username: eppn
    • First Name: givenName
    • Last Name: sn
    • Nickname: eppn
    • Display Name: displayName
    • Email: mail

    I tried with Username set to EPPN (all caps). I tried with Managed checked on everything except Username and without.

    Any other ideas? Any further ways to troubleshoot?

    Thanks,
    Perry

    Plugin Author Jonathan Champ

    (@jrchamp)

    As you are at least somewhat familiar with PHP, I would recommend adding debugging code directly into the shibboleth_getenv() function within the plugin. Something like var_dump($check_vars, $_SERVER); should give you some insight into what’s going on. You may need to add a die(); so that WordPress doesn’t redirect you. If you find that it is a bug in the plugin, please report it on our GitHub page or open a pull request and we’d be happy to incorporate a fix.

    Thread Starter Perry

    (@daawesomep)

    I figured it out! I had a block that looked like this:

    <Location ~ (/wp-admin|/wp-login.php)>
      Require ip 1.2.3.4/16
      Require ip 5.6.7.8/16
    </Location>

    This meant that Require shibboleth from the <Location /> block was being overridden. The solution:

    <Location ~ (/wp-admin|/wp-login.php)>
      <RequireAll>
        Require shibboleth
        <RequireAny>
          Require ip 1.2.3.4/16
          Require ip 5.6.7.8/16
        </RequireAny>
      </RequireAll>
    </Location>

    Thanks for your prompt support!

    Plugin Author Jonathan Champ

    (@jrchamp)

    Nice catch! For anyone in a similar situation, if Require shibboleth is not present for that Location, the Shibboleth attributes will not be populated into the environment variables.
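A small Python model of the attribute lookup the replies above describe, added here as an illustration and not taken from the plugin's code: it shows why the username resolves to nothing when the Shibboleth headers arrive empty (as in the not-logged-in dump) and why a login attempt then goes back to the IdP. The helper names, the constructed $_SERVER excerpts and the use of an HTTP_SHIB_SPOOF_CHECK header for the spoof-key comparison are assumptions.

```python
# Added example (not the plugin's own code): a simplified model of how a
# Shibboleth-backed login resolves attributes from $_SERVER. The helper names
# and the HTTP_SHIB_SPOOF_CHECK header used for the spoof-key check are assumptions.
from typing import Mapping, Optional


def header_key(attr: str) -> str:
    # A request header "eppn" reaches PHP as $_SERVER["HTTP_EPPN"]: the HTTP_
    # prefix and upper-casing are added by the server, not by the plugin setting.
    return "HTTP_" + attr.upper().replace("-", "_")


def shib_getattr(server: Mapping[str, str], attr: str, use_headers: bool = True,
                 fallback: bool = False, spoof_key: Optional[str] = None) -> Optional[str]:
    """Return a non-empty attribute value, or None if Shibboleth did not supply one."""
    if use_headers and spoof_key:
        # Trust header-borne attributes only when the SP stamped the request with
        # the configured spoof key; otherwise a client could supply "eppn" itself.
        if server.get("HTTP_SHIB_SPOOF_CHECK") != spoof_key:
            return None
    candidates = [header_key(attr)] if use_headers else [attr]
    if fallback:
        candidates += [attr, header_key(attr)]  # try both styles when fallback is on
    for key in candidates:
        value = server.get(key, "")
        if value != "":
            return value
    return None


def login_outcome(server: Mapping[str, str], username_attr: str = "eppn", **opts) -> str:
    """Mirror the observable behaviour: log the user in, or send them back to the IdP."""
    user = shib_getattr(server, username_attr, **opts)
    return f"logged in as {user}" if user else "redirect to /Shibboleth.sso/Login"


# Constructed $_SERVER excerpts modelled on the two dumps in the thread.
NO_SESSION = {"HTTP_SHIB_SESSION_ID": "", "HTTP_EPPN": "", "HTTP_MAIL": ""}
WITH_SESSION = {"HTTP_SHIB_SESSION_ID": "_abc123", "HTTP_EPPN": "perry@example.com",
                "HTTP_MAIL": "perry@example.com", "HTTP_SHIB_SPOOF_CHECK": "s3cret"}

if __name__ == "__main__":
    # When Require ip overrides Require shibboleth, the SP session exists but no
    # attribute headers reach PHP, so every login attempt loops back to the IdP.
    print(login_outcome(NO_SESSION))
    print(login_outcome(WITH_SESSION))
    print(login_outcome(WITH_SESSION, spoof_key="wrong"))
```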

  • The topic ‘Infinite Redirect’ is closed to new replies.