by Visvanath Ratnaweera.
I am slowly getting convinced that Shibboleth is world-class security, from the difficulties I am having trying to migrate a Moodle site together with its Shibboleth authentication.
History:
- The old site ran perfectly with Shibboleth authentication provided by SWITCHaai https://www.switch.ch/en/services/aai/.
- The new site runs under the same URL, in a different server (different IP). Both sites are HTTPS, with two different SSL certificates from two different vendors - issued for the identical FQDN.
Migration:
- A Moodle site-backup from the old server was restored in the new one, following https://docs.moodle.org/27/en/Moodle_migration.
- /etc/shibboleth/sp-key.pem, sp-cert.pem and attribute-map.xml were copied over from the old to the new site (and server rebooted).
From my understanding of the documentation that should be enough. (I haven't manually edited the attribute-map.xml, for example.)
Their permissions:
-rw------- 1 _shibd _shibd 1679 Nov 26 16:39 sp-key.pem
-rw-r--r-- 1 _shibd _shibd 1172 Nov 26 16:39 sp-cert.pem
-rw------- 1 _shibd _shibd 14891 Dec 3 14:52 attribute-map.xml
Present behavior:
- From Login, choose an affiliated organization, enter the credentials.
- Get a confirmation screen like (anonymized)
The Institution that runs the Moodle
Name of the Moodle site
Requests data
Nachname [user's name]
Vorname [user's first name]
E-Mail [user's e-mail]
- > Accept gives the error:
Shibboleth authentication doesn't seem to be set up correctly because no Shibboleth environment variables are present for this page. Please consult the README for further instructions on how to set up Shibboleth authentication or contact the webmaster of this Moodle installation.
More information about this error
Debug info:
Error code: shib_not_set_up_error
Stack trace:
line 463 of /lib/setuplib.php: moodle_exception thrown
line 93 of /auth/shibboleth/index.php: call to print_error()
- Now I visit https://example.com/Shibboleth.sso/Session and get
Miscellaneous
Session Expiration (barring inactivity): 476 minute(s)
Client Address: [my.ip]
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: https://eduid.ch/idp/shibboleth
Authentication Time: 2015-12-06T20:04:53.308Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)
Attributes
givenName: 1 value(s)
mail: 1 value(s)
surname: 1 value(s)
Diagnosis by the experts at SWITCHaai:
- The SAML session with the Shibboleth SP is successful and the SP has redirected the login to the Moodle plug-in, which _should_ initiate a Moodle session but went wrong. Apparently the Moodle plug-in does not find the necessary environment variables. Apparently an error from the Moodle side, possibly a configuration change I need to do. (I don't understand everything, just reporting.)
Can somebody tell me what I need to do in addition to what I've already done?
Moodle version is 2.7. Both servers Debian 7 updated to the latest packages from the official repos.
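The symptom described above (a valid SP session at /Shibboleth.sso/Session, but "no Shibboleth environment variables" on the Moodle page) is what you see when the SP keys and attribute map were migrated but the Apache directives that make mod_shib enforce a session on the plug-in's login page, and export the SAML attributes to PHP there, were not. The following sh/awk check is an added example, not code from the post or from the Moodle or Shibboleth projects: it reads an Apache config file and reports whether a `<Location>` block for the given path sets `AuthType shibboleth` and requires a session. The config file path, the protected path and the two sample configs it builds are constructed for the example.

```shell
#!/bin/sh
# Added diagnostic: checks whether an Apache config protects a page with
# mod_shib. Only a protected page receives the SAML attributes as
# environment variables; an SP session alone is not enough.

# shib_location_check CONFIG_FILE PROTECTED_PATH
# Exit 0 when a <Location PROTECTED_PATH> block carries
#   AuthType shibboleth
# and either
#   ShibRequestSetting requireSession 1   (SP 2.x syntax)
#   ShibRequireSession On                 (older spelling)
# Exit 1 otherwise, naming each missing directive on stdout.
# Apache directive names are case-insensitive, so everything is lowercased.
shib_location_check() {
    conf="$1"
    path="$2"
    awk -v want="$path" '
        # A "<Location /path>" line opens a block; remember whether it is ours.
        tolower($1) == "<location" {
            p = $2; sub(/>$/, "", p)
            inblock = (p == want)
            next
        }
        tolower($1) == "</location>" { inblock = 0; next }
        inblock && tolower($1) == "authtype" && tolower($2) == "shibboleth" { auth = 1 }
        inblock && tolower($1) == "shibrequestsetting" &&
            tolower($2) == "requiresession" && $3 == "1" { sess = 1 }
        inblock && tolower($1) == "shibrequiresession" && tolower($2) == "on" { sess = 1 }
        END {
            if (!auth) print "missing: AuthType shibboleth for " want
            if (!sess) print "missing: ShibRequestSetting requireSession 1 for " want
            exit (auth && sess) ? 0 : 1
        }
    ' "$conf"
}

# Constructed sample 1: the SP handler is mapped, but the Moodle login page
# is never protected, so PHP sees no Shibboleth variables on it.
make_sample_unprotected() {
cat > "$1" <<'EOF'
<Location /Shibboleth.sso>
    SetHandler shib
</Location>
EOF
}

# Constructed sample 2: the same, plus the block that makes mod_shib demand a
# session on the plug-in page and export the attributes to it.
make_sample_protected() {
cat > "$1" <<'EOF'
<Location /Shibboleth.sso>
    SetHandler shib
</Location>
<Location /auth/shibboleth/index.php>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    require valid-user
</Location>
EOF
}

# Stand-alone usage: shib_check.sh /etc/apache2/sites-enabled/moodle.conf /auth/shibboleth/index.php
if [ "$#" -eq 2 ]; then
    shib_location_check "$1" "$2"
fi
```

The check only recognises plain `<Location>` blocks (not `<LocationMatch>` or `<Directory>`), so a site that protects the page another way needs a different test. Run it against every file Apache actually includes on the new host (the vhost and any shib2 configuration under conf.d), since a block that exists only on the old server is exactly the kind of thing a key-and-attribute-map copy leaves behind.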