Active
Project: Single Sign-On (aka SSO or Single Sign On)
Version: 6.x-1.0-rc1
Component: Miscellaneous
Priority: Critical
Category: Bug report
Assigned: Unassigned
Reporter:
Created: 10 Jan 2010 at 04:21 UTC
Updated: 24 Oct 2011 at 17:33 UTC
Comments
Comment #1
bleen commented
@iori57 ... I'm debugging a similar issue ... so you have a CDN (ex. Akamai) or memcache going?
Comment #2
mgcarley commented
I'm having this problem, having recently changed line 133 of singlesignon_controller.module
$domain = singlesignon_get_domain($_GET['origin']);
to
$domain = ($_GET['origin']);
due to it telling me the function is undefined.
After the change, the "install" seemed to be OK, but now I'm up to this access denied.
My setup:
my.domain.com -- controller. The only module installed for this site is the controller module.
www.domain.com/cms -- client1
www.domain.net/cms -- client2
Have also tried changing from a subdirectory to root but no change. They run perfectly adequately as a multi-site setup, but now I need to integrate the 2 client sites.
I'm now at the stage (similar to #20 on http://drupal.org/node/606422) whereby I have no issues with the controller site, but on the client site I am redirected to a login screen with the URL of the form:
http://domain.com/singlesignon/claim?nonce=d24e2b...&origin=http%3A%2... 2F&request_id=268985...auth=37...
and I cannot login to the client site as any user including admin, and my tables contain user 0 and are shared, accessed by the same mysql username etc. My sessions table contains the nonce field and 2 others as installed by SSO.
I have also tried with and without the cookie domain in settings.php. My settings.php contains the $conf['session_inc'] line at the end of the file.
Thinking it may be an installation error, I have also completely removed all reference to SSO in both databases in phpmyadmin - variable, system, cache and menu tables, and reinstalled following the readme instructions exactly.
Am just a tiny bit stumped. Ideas?
Comment #3
xsean commented
Did you solve your problem? I have a similar problem to the one you raised...
Comment #4
Rob C commented
I have the same problem and it is so random, can't make anything out of it.
I have a simple multisite with domain and SSO. SSO IS working, but I also get the claim/access denied error sometimes when users log in.
It's so odd, when I try to login / logout like 10 times it happens once or twice, disabled / enabled everything else, still happening.
I have 2 databases, one for user registration, without domain access installed, this is the controller. People register/login to this site. The other database is for all other sites, the www.bla.tld and all subdomains of bla.tld. When people login I 'header' them to their profile on the 'content site' and that works great, but sometimes people get the error and end up with an access denied as described above. This error seems to be triggered at the client, so not at the controller.
I'll try to do some more research into this issue, kinda need this module so much :) Keep it up!
Comment #5
Al.D commented
Same problem here. Error was not from start on. Noticed somewhere down the road of installing 20+ modules for a complex system.
Seems like a needle in the haystack, although I might be able to compare one large multisite with the other. One has the problem, other doesn't. But still this would take us down to about 25 differing modules. Maybe this is an idea for someone else with some more applicable install.
While browsing, logged in, sometimes a redirect from client to controller happens and displays "access denied" with a very long URL. The problem persists even when switching back or taking links from this page to one of client sites. They suddenly seem locked down. I have to close my browser, open again and retype address. (In Firefox, Chrome, IE, Safari (newest vers. of all))
Little more info on url:
I looked at it and this looked a little dangerous to me
The URL ... this was posted once before ... but I think this wasn't quite right ... I will post this URL, but just so you know, after I posted this, I will change my passwords and private key. Hope this will help someone out ...
http://controller.eu/en/singlesignon/associate?origin=http%3A%2F%2Fclient.eu%2Fen%2Fsinglesignon%2Fclaim%3Fnonce%3D9d214ff36fb0e46a%26origin%3Dhttp%253A%252F%252Fclient.eu%252Fen%252Fsinglesignon%252Fclaim%253Fnonce%253Dfc87b4af8fa37f35%2526origin%253Dhttp%25253A%25252F%25252Fclient.eu%25252Fen%25252Fsinglesignon%25252Fclaim%25253Fnonce%25253D1874d194dcc202ca%252526origin%25253Dhttp%2525253A%2525252F%2525252Fclient.eu%2525252Fen%2525252Fsinglesignon%2525252Fclaim%2525253Fnonce%2525253D48c351971a1ef41e%25252526origin%2525253Dhttp%252525253A%252525252F%252525252Fclient.eu%252525252Fen%252525252Fsinglesignon%252525252Fclaim%252525253Fnonce%252525253Dc53e75782f82eb61%2525252526origin%252525253Dhttp%25252525253A%25252525252F%25252525252Fclient.eu%25252525252Fen%25252525252Fservice%25252525252Fmultilingual%2525252526request_id%252525253D609c425691947480%2525252526auth%252525253D57a21795f0b1eae316353c86%25252526request_id%2525253D10606ad181b21f03%25252526auth%2525253Dcb694860bbba532f143562c1%252526request_id%25253D459a9979f3e9bb25%252526auth%25253Da1bcf79c3b717a43501e8ef9%2526request_id%253Dd248956d6a3ef661%2526auth%253Deed18eac0699bcde98a41623%26request_id%3D591cb8c5b5f55250%26auth%3D090452e413fc29a41a14bf51&request_id=fc9c421556528068&auth=1bf93e8bbd7c34e90bb2a8ef
Now, this is encoded, of course, the way it is usually displayed. So I decoded it and got to the following:
Hope this gets some kind of answer. I suspected i18n and login toboggan. I deactivated the latter and deinstalled. No difference. Couldn't really "try out" without i18n because whole site resolves in multilinguality and error is just sometimes.
By the way: ... am just curious... anyone visiting this site would eventually see this information I have posted here. But this info seems somewhat hiding some important data. Could this be true?
Anyway I changed ftp, uid, db passwords and sso private key now, you know.
Would be interested if this really was worth the effort changing ^_^
Alec
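The URL in comment #5 wraps one singlesignon/claim URL inside the `origin` of the next, with each level percent-encoded once more. The following is an added example, not part of the original thread or the module's code: it peels `origin` one level at a time, counts how often the claim path recurs, and masks the `nonce`, `request_id` and `auth` values so a logged URL can be shared. The hostnames and token values produced by `build_sample` are constructed.

```python
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_PARAMS = {"nonce", "request_id", "auth"}  # per-request values seen in the URL
CLAIM_PATH = "/singlesignon/claim"


def unwrap_origin(url, max_depth=20):
    """Return [(host+path, other params)], outermost hop first."""
    # parse_qs strips exactly one percent-encoding level per call, the
    # same single level each redirect added when it wrapped `origin`.
    hops = []
    while url and len(hops) < max_depth:
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        url = query.pop("origin", [None])[0]
        hops.append((parts.netloc + parts.path,
                     {key: values[0] for key, values in query.items()}))
    return hops


def claim_depth(hops):
    """More than one claim hop means a claim URL was itself used as `origin`."""
    return sum(1 for path, _ in hops if path.endswith(CLAIM_PATH))


def redact(url):
    """Mask token parameters at every nesting level, keeping the structure."""
    parts = urlsplit(url)
    pairs = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == "origin":
            value = redact(value)
        elif key in TOKEN_PARAMS:
            value = "REDACTED"
        pairs.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def build_sample(loops):
    """Constructed input: `loops` claim URLs wrapped around one real page."""
    url = "http://client.example/en/service/multilingual"
    for i in range(loops):
        url = "http://client.example/en" + CLAIM_PATH + "?" + urlencode(
            {"nonce": f"nonce{i}", "origin": url,
             "request_id": f"req{i}", "auth": f"auth{i}"})
    return "http://controller.example/en/singlesignon/associate?" + urlencode(
        {"origin": url, "request_id": "reqX", "auth": "authX"})
```

Calling `unwrap_origin(redact(url))` on a URL copied from dblog lists every hop with its tokens masked; a `claim_depth` above 1 is the redirect loop visible in the posted URL.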
Comment #6
liliplanet commented
Perhaps any solution here please?
Also finding that when users come from long URLs or Google, they receive singlesignon/claim 'access denied'.
Wonder if it has something to do with admin/settings/singlesignon-client "To avoid creating unnecessary single sign-on sessions, this module attempts to identify and ignore non-human clients. The following settings control the recognition rules. Only a single rule needs to match for a request to be ignored."
But then again if users come from our email newsletter, receiving the same problem.
This is an example location in dblog: mysite.com/singlesignon/claim?nonce=8a56d4429b73ec63&origin=http%3A%2F%2Fwww.mysite.com%2Ffilm-jobs%2FSouth%2520Africa&request_id=12864973d8cb900...
Looking most forward to any reply and thank you :)
Comment #7
liliplanet commented
Sorry, after several weeks trying to make this work I'm going to have to give up on this module.
1. invalid login sends user to 'master.domain' : http://drupal.org/node/611580 (apparently not fixable)
2. lost password sends user to master.domain and lost password email verification so user is lost when clicking through
3. sometimes content_profile.module loses data when user registers on slave site
4. access denied errors at singlesignon/claim for anonymous users
5. project seems abandoned from maintainer
Having researched the alternatives:
http://drupal.org/project/bakery seems to have been a close solution, but http://drupal.org/node/1222060 (does not work with top-level domains)
http://drupal.org/project/account_sync is for integration with core profile.module
http://drupal.org/project/singlesignon has been abandoned
Would most appreciate any suggestions or possible solutions to make a single login system top domain levels with domain.module
Bounty for a working module :)
Comment #8
ovg commented
@Liliplanet Have you tried http://bleen.net/blog/domain-access-sso?
Comment #9
liliplanet commented
Thank you ovg for your reply!
Have actually now moved on to Drupal 7 and checking and hoping for a solution soon :)