Shibboleth SP3 and IIS10

Shibboleth SP3 and IIS10

CostantinoGrana
Hello to everybody.

After many years of using Shibboleth 2 on Windows Server 2000 and IIS6,
we finally decided to upgrade. Fresh install of Windows Server 2019, Add
Roles and Features, Server Roles: Web Server (IIS), in Role Services,
Application Development: ASP. Installed latest Shibboleth SP3 with auto
configuration of IIS. Edited both shibboleth2.xml and attribute-map.xml
in order to match our IdP configuration and then tried it.
Authentication works correctly on the selected folders with HTTPS
required, as expected.

BUT: server variables are not set! I've tried with both classic ASP and
ASP.NET, also with the legacy enable headers, but nothing appears. Using
Shibboleth.sso/Session, attributes are received and mapped correctly,
but nothing is available to the applications, not even inbuilt
attributes such as Shib-Application-ID. REMOTE_USER is correctly set to
the eppn value.

I've tried everything I could think of, but nothing worked.

Thank you in advance for any suggestion.

Best,
Costantino Grana


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

RE: Shibboleth SP3 and IIS10

Rod Widdowson
> BUT: server variables are not set!

Do you mean server variables (which were never set in Shibboleth2) or header variables (which were)? In V3 the IIS plugin sets the
former and needs to be explicitly told to use the (less secure) latter.

Rod



Re: Shibboleth SP3 and IIS10

CostantinoGrana
I really mean server variables. These should be accessible with
Request.ServerVariables with Classic ASP and ASP.NET (I tried with both).

On 28/08/2019 11:25, Rod Widdowson wrote:
>> BUT: server variables are not set!
> Do you mean server variables (which were never set in Shibboleth2) or header variables (which were).  In V3 the IIS plugin sets the
> former and needs to be explicitly told to use the (less secure) latter.
>
> Rod
>
>
--
/* Learn how to code, and code well, because whatever
you do is going to involve an implementation. Michael
Stonebraker (2014 ACM A.M. Turing Award Recipient) */
main(int c,char**o){char*s=c?"+L7?+;:7?+:OKIK+9?;9=;"
":+9?;:<:;+9?;;;:;+9<:;<::;+RLJ;K9+":1[o],t,a=!c,m;do
for (m=*s-'0',t=a?m/c:m%c;m>>7?c=1<<m+8,!a&&puts(&a)*
*&a:t--;printf("  \0/*"+a));while ((a^=3)||a[++s]);;}
/* Original code due to Chris Brown... impressive! */


Re: Shibboleth SP3 and IIS10

CostantinoGrana
CostantinoGrana wrote
> I really mean server variables. These should be accessible with
> Request.ServerVariables with Classic ASP and ASP.NET (I tried with both).

FYI, I've removed SP3, installed SP2 and all *headers* are listed by looping
on Request.ServerVariables. I can tell that those are headers because they
are in the form "HTTP_xxxxxxx".

Then I removed the SP2, reinstalled SP3, and nothing appears, even when
providing directly the string to Request.ServerVariables, i.e.
Request.ServerVariables("EPPN"), or Request.ServerVariables("HTTP_EPPN").

Finally with SP3 installed I enabled the ISAPI filter and the headers
appeared again (i.e. "HTTP_CN"), but still no server variables (i.e. "CN")

So, unless I've missed something it appears to be some kind of bug.



--
Sent from: https://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html

Re: Shibboleth SP3 and IIS10

Cantor, Scott E.
On 8/28/19, 9:36 AM, "users on behalf of CostantinoGrana" <[hidden email] on behalf of [hidden email]> wrote:

> So, unless I've missed something it appears to be some kind of bug.

There isn't.

The ISAPI filter is never going to provide the variables because it can't, only headers. Only the new module supports true server variables (and it does not export headers by default). So you're mixing testing scenarios.

Looping also does not work, at least not for server variables, Microsoft isn't tracking the information at the right time and doesn't see the ones set later, only direct access to them works in my experience.

I'm not on a Windows machine at the moment so I don't have the scripts I've tested with handy but it works. If you want compatibility (and less security) with pre-existing code using headers then you simply have to turn that option on.

-- Scott



Re: Shibboleth SP3 and IIS10

Peter Schober
In reply to this post by CostantinoGrana
* CostantinoGrana <[hidden email]> [2019-08-28 15:36]:
> but still no server variables (i.e. "CN")

What does the relevant entry in your attribute-map.xml look like?
(Maybe "CN" vs. "cn" is all that's off?)

-peter

Re: Shibboleth SP3 and IIS10

CostantinoGrana
In reply to this post by Cantor, Scott E.
Cantor, Scott E. wrote
>> So, unless I've missed something it appears to be some kind of bug.
> There isn't.
>
> The ISAPI filter is never going to provide the variables because it can't,
> only headers. Only the new module supports true server variables (and it
> does not export headers by default). So you're mixing testing scenarios.

As I've stated, "nothing appears, even when providing directly the string to
Request.ServerVariables, i.e.
Request.ServerVariables("EPPN")".


Cantor, Scott E. wrote
> Looping also does not work, at least not for server variables, Microsoft
> isn't tracking the information at the right time and doesn't see the ones
> set later, only direct access to them works in my experience.
>
> I'm not on a Windows machine at the moment so I don't have the scripts
> I've tested with handy but it works. If you want compatibility (and less
> security) with pre-existing code using headers then you simply have to
> turn that option on.

The problem is that the ServerVariables are not being set. When enabling the
ISAPI filter then the headers get set correctly, but of course those are not
server variables.

I've tried both upper and lower case (lower case is used in
attribute-map.xml).

        Response.Write "CN = " & Request.ServerVariables("CN") & "<br>" & vbCrLF
        Response.Write "EPPN = " & Request.ServerVariables("EPPN") & "<br>" & vbCrLF
        Response.Write "cn = " & Request.ServerVariables("cn") & "<br>" & vbCrLF
        Response.Write "eppn = " & Request.ServerVariables("eppn") & "<br>" & vbCrLF

None of these work.





Re: Shibboleth SP3 and IIS10

CostantinoGrana
In reply to this post by Peter Schober
Peter Schober wrote
> What does the relevant entry in your attribute-map.xml look like?
> (Maybe "CN" vs. "cn" is all that's off?)

I've tried both upper and lower case (lower case is used in
attribute-map.xml).

        Response.Write "CN = " & Request.ServerVariables("CN") & "<br>" & vbCrLF
        Response.Write "EPPN = " & Request.ServerVariables("EPPN") & "<br>" & vbCrLF
        Response.Write "cn = " & Request.ServerVariables("cn") & "<br>" & vbCrLF
        Response.Write "eppn = " & Request.ServerVariables("eppn") & "<br>" & vbCrLF

None of these work. "HTTP_" version works when enabling the ISAPI filter
(header version).

Note that also setting ISAPI attribute "useHeaders="true"" doesn't work
without the ISAPI filter.




Re: Shibboleth SP3 and IIS10

DennisF
Greetings,

I was wondering if you figured out a way to get this working with Shibboleth
SP3 and IIS10? We are having the same exact problem.

Thanks!




Re: Shibboleth SP3 and IIS10

Cantor, Scott E.
On 1/23/20, 2:24 PM, "users on behalf of DennisF" <[hidden email] on behalf of [hidden email]> wrote:

> I was wondering if you figure out a way to get this working with Shibboleth
> SP3 and IIS10? We are having the same exact problem.

"This" does not describe anything in particular. If you're having a problem, explain what the problem is and if I have a working sample for either ASP or ASP.NET I can find it.

At a surface level there are really about 3 axes, old filter vs. new module, headers vs. server variables, and ASP vs. ASP.NET. There's no context for which of the 2x2x2 cases you're talking about.

I believe the only case I have no evidence is not actually a bug (i.e. it may in fact not work) is trying to use the new module with classic ASP and the useHeaders option. I have not personally gotten that to work.
 
-- Scott



Re: Shibboleth SP3 and IIS10

DennisF
Sorry about that! :)

We are building a new server using Microsoft Windows Server 2019 which is
running IIS10. We installed the current version of Shibboleth 3 onto the
server, but the attributes are not in the headers anymore and after doing
research it says they are stored in the ServerVariables.

This application is using ASP.NET Framework 4.7.2. The application using
Shibboleth is configured for Managed Pipeline Mode = Integrated.

We modified our code so it checks the headers then the ServerVariables if
they weren't found. Neither contain the keys from Shibboleth. The Shibboleth
logs indicate it parsed the attributes and mapped them correctly.

Thank you for the help.





Re: Shibboleth SP3 and IIS10

Cantor, Scott E.
On 1/23/20, 3:40 PM, "users on behalf of DennisF" <[hidden email] on behalf of [hidden email]> wrote:

> We are building a new server using Microsoft Windows Server 2019 which is
> running IIS10. We installed the current version of Shibboleth 3 onto the
> server, but the attributes are not in the headers anymore and after doing
> research it says they are stored in the ServerVariables.

They're where you tell it to put them, either or both.
 
> This application is using ASP.NET Framework 4.7.2. The application using
> Shibboleth is configured for Managed Pipeline Mode = Integrated.

I don't have any idea what that means apart from "ASP.NET", but suffice to say that I have an ASP.NET script that dumps out data for both those cases. When that laptop is where I am I can re-validate it and post the script. I don't imagine it's different from examples in the wiki.

-- Scott



RE: Shibboleth SP3 and IIS10

Cantor, Scott E.
In reply to this post by DennisF
> This application is using ASP.NET Framework 4.7.2. The application using
> Shibboleth is configured for Managed Pipeline Mode = Integrated.

My Windows 10 IIS AppPool says the same thing, notwithstanding that I don't know what it means.

Both headers and variables worked fine.

<% @ Page Language="C#" %>
<%
Response.Write("Shib-AuthnContext-Class = " + Request.ServerVariables["Shib-AuthnContext-Class"] + "<br>");
Response.Write("Shib-AuthnContext-Class = " + Request.Headers["ShibAuthnContextClass"] + "<br>");
%>

The latter assumes both useHeaders and safeHeaderNames are true, causing the hyphens to collapse out but otherwise it works as it did before. That's just a sample variable but if one's set they all are.

-- Scott
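
An added example, not part of the post above and not Shibboleth project code: a C# helper that reads one attribute by direct name lookup, server variable first and the hyphen-collapsed header only when the caller opts in, and reports which source supplied the value. `ShibAttributeReader`, `AttributeSource` and `SafeHeaderName` are hypothetical names; it assumes the header name is the attribute name with hyphens removed, as described in the thread for useHeaders together with safeHeaderNames.

```csharp
using System;
using System.Collections.Specialized;

// Added example; the type and member names below are hypothetical.
public enum AttributeSource { None, ServerVariable, Header }

public sealed class ShibAttributeReader
{
    private readonly NameValueCollection _vars;
    private readonly NameValueCollection _headers;
    private readonly bool _allowHeaders;

    // In a page: new ShibAttributeReader(Request.ServerVariables, Request.Headers, false).
    // Pass allowHeaders = true only when the SP is configured with useHeaders="true";
    // the thread calls the header path the less secure one, so it is opt-in here.
    public ShibAttributeReader(NameValueCollection vars, NameValueCollection headers, bool allowHeaders)
    {
        if (vars == null) throw new ArgumentNullException("vars");
        if (headers == null) throw new ArgumentNullException("headers");
        _vars = vars;
        _headers = headers;
        _allowHeaders = allowHeaders;
    }

    // Assumption taken from the thread: with safeHeaderNames the hyphens collapse out,
    // so "Shib-AuthnContext-Class" is looked up as "ShibAuthnContextClass".
    public static string SafeHeaderName(string attribute)
    {
        return attribute.Replace("-", "");
    }

    // Direct lookup by name only. The thread reports that looping over
    // ServerVariables does not show values set by the module, so attributes
    // are never discovered by enumeration here.
    public string Get(string attribute, out AttributeSource source)
    {
        string value = _vars[attribute];
        if (!string.IsNullOrEmpty(value)) { source = AttributeSource.ServerVariable; return value; }

        if (_allowHeaders)
        {
            value = _headers[SafeHeaderName(attribute)];
            if (!string.IsNullOrEmpty(value)) { source = AttributeSource.Header; return value; }
        }

        source = AttributeSource.None;
        return null;
    }
}
```

Logging the returned `AttributeSource` next to the value shows whether an application is still relying on the header path after a move to the new module.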
