Authorization Bug or Feature? Authorizations do not persist.
| Project: | Shibboleth authentication |
| Version: | 6.x-3.0-1 |
| Component: | Code |
| Category: | support request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | postponed (maintainer needs more info) |
We have been using shib_auth for a couple of months at MIT but none of our projects are live yet. I added rules to the Shibboleth configuration and they do not appear to stick to the user's login. For instance, I mapped HTTP_SHIB_EP_AFFILIATION "staff@mit.edu" to the Drupal group "mit user." Upon login, I see the options and menus available to that user appear. However, as soon as I click through to any additional pages, those permissions disappear. Is this by design?
I see this in your documentation, "All these rules are evaluated at module initiation time. That would cause that revoking/adding a Shibboleth attribute would end in removing/adding the Drupal role immediately (next page refresh)."
I translate this to mean that the phenomenon I am seeing is known to you, but I wanted to make sure. Is there some other mechanism or module by which I can automatically add roles other than "authenticated user" to an account upon login or account creation?
It would be very useful if these settings persisted in some manner.

#1
I note that this might appear similar to a bug I contributed comments to in the past, http://drupal.org/node/305989, but that was reported fixed with a combination of upgrading past Drupal 6.4 and a userprotect patch. My systems are all patched to exceed this requirement.
#2
This happens most probably because your Shibboleth headers get lost after navigating away from the front page. I'd suspect it's an http/https thing or a hidden rewrite/redirect somewhere, which stops Shibboleth from exporting headers to that location.
Please try to turn on DEBUG and check that all the necessary variables are known to the module.
I'll correct the wording of the paragraph you are referring to. It should talk about rules not attributes (although the latter is not incorrect, the set of attributes is constant through a Shibboleth session for most of the cases).
#3
I did turn on DEBUG and SHIB headers like HTTP_SHIB_INETORGPERSON_DISPLAYNAME and HTTP_SHIB_EP_AFFILIATION remain populated on subsequent clicks through the web site. Nevertheless, my Roles disappear. We are doing some http-to-https redirects on the site to protect user and admin pages, so we will look into it, but it is not obliterating the headers.
#4
I'm sorry, we are unable to reproduce the error. Could you elaborate, what kind of redirections do you have?
If you could copy-paste the output of DEBUG (before and after navigating away), that might help as well.
You should keep in mind that Shibboleth headers might not be available via http. See handlerSSL directive in Shibboleth config.
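The mechanism behind #2 and #4, written out as an added example (this is not code from the shib_auth module; the rule format, the function names and the two request environments are constructed for illustration): the mapping rules are re-evaluated on every page load from whatever HTTP_SHIB_* variables the SP exported into that request, so on a page where mod_shib exports nothing the role is revoked again. The front page below is served over https with the attribute present; the second page is reached over http with no Shibboleth session, which is the situation the handlerSSL remark in #4 points at.

```php
<?php
// Added example, not shib_auth code. Models "rules are evaluated at module
// initiation time" as a per-request reconciliation of Drupal roles against
// the Shibboleth attributes visible in $_SERVER on that request.

/**
 * Collect the attributes the SP exported into this request. With Apache and
 * mod_shib they arrive as HTTP_SHIB_* entries in $_SERVER; the prefix is
 * site-specific, so it is a parameter here.
 */
function shib_attributes(array $server, string $prefix = 'HTTP_SHIB_'): array {
    $attrs = [];
    foreach ($server as $name => $value) {
        if (strncmp($name, $prefix, strlen($prefix)) === 0 && $value !== '') {
            $attrs[$name] = $value;
        }
    }
    return $attrs;
}

/**
 * Apply hypothetical rules of the form [header, regex, role] and return the
 * roles this request entitles the user to. Multi-valued attributes are
 * ';'-separated by the SP, so each value is tested on its own.
 */
function roles_from_rules(array $rules, array $attrs): array {
    $roles = [];
    foreach ($rules as [$header, $pattern, $role]) {
        if (!isset($attrs[$header])) {
            continue;   // header not exported on this request: rule cannot fire
        }
        foreach (explode(';', $attrs[$header]) as $value) {
            if (preg_match($pattern, trim($value))) {
                $roles[$role] = true;
                break;
            }
        }
    }
    return array_keys($roles);
}

/**
 * Compare the roles a user currently holds with what this request grants.
 * Only roles the module manages are ever revoked, so "authenticated user"
 * survives a request with no Shibboleth headers at all.
 */
function reconcile_roles(array $current, array $granted, array $managed): array {
    return [
        'add'    => array_values(array_diff($granted, $current)),
        'revoke' => array_values(array_intersect(array_diff($current, $granted), $managed)),
    ];
}

// ---- constructed sample requests (not captured traffic) -------------------
$rules   = [['HTTP_SHIB_EP_AFFILIATION', '/^staff@mit\.edu$/', 'mit user']];
$managed = ['mit user'];

// Front page over https: mod_shib exported the affiliation attribute.
$front = ['HTTPS' => 'on', 'HTTP_SHIB_EP_AFFILIATION' => 'staff@mit.edu;member@mit.edu'];
// Next page reached over plain http: no session handler there, no headers.
$next  = ['REQUEST_URI' => '/node/5'];

$user_roles = ['authenticated user'];
foreach (['front' => $front, 'next' => $next] as $label => $server) {
    $attrs   = shib_attributes($server);
    $granted = roles_from_rules($rules, $attrs);
    $change  = reconcile_roles($user_roles, $granted, $managed);
    // This is the before/after comparison the DEBUG output lets you make.
    printf("%-5s headers=%s granted=%s add=%s revoke=%s\n", $label,
        json_encode(array_keys($attrs)), json_encode($granted),
        json_encode($change['add']), json_encode($change['revoke']));
    $user_roles = array_values(array_diff(
        array_merge($user_roles, $change['add']), $change['revoke']));
}
```

Run with `php example.php`: the first line shows "mit user" being added on the front page, the second shows it revoked because no HTTP_SHIB_* variable reached the module. If the DEBUG dump on the second page really does list the headers, as #3 reports, then the loss is not in header export and the comparison to look at is the role list the module computed on each request rather than the headers.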
#5
I have the same problem as ecaf3y3. It works fine for the first-time login and the first page. At the same time, shib_auth creates a local username and password with the default user role, which is authenticated user. Afterwards, this logged-in user operates as the default authenticated user role. The Shibboleth group rules no longer work for this user.
#6
Sorry, I can only repeat myself as in #4.
Please copy-paste the exact link and debug information along with the group rules to investigate this problem. I cannot reproduce this.
Keep in mind that the roles are not visible on the role administration page.