@davidjb
Created October 27, 2017 01:41
Shibboleth debugging steps

Shibboleth Debugging

Throughout this whole process, if you're unsure whether a Shibboleth login session worked (for example, if it looks like your application isn't receiving attributes), you can test by accessing /Shibboleth.sso/Session after going through a /Shibboleth.sso/Login cycle. It will list various session details, or state:

A valid session was not found

if it didn't work or you haven't logged in yet.

General

  • Check that Shibboleth's shibd is restarted following any changes to the Shibboleth configuration. If Shibboleth's FastCGI applications are being used, ensure they are restarted too (eg shibauthorizer and shibresponder).

Login and message decoding failing

  • Check the Federation being used: Shibboleth will be configured for a specific Federation via /etc/shibboleth/shibboleth2.xml. Ensure this is correct. You will know the Federation is wrong if the WAYF page you're accessing appears incorrect, or if unusual or unexpected IdPs are listed.

  • Test that the correct Shibboleth entityID is being used: try loading /Shibboleth.sso/Login on your host's URL. The discovery service should indicate the correct application as configured in your Federation Registry. If it doesn't, or the page doesn't load at all, then the Shibboleth entityID is wrong. Check shibboleth2.xml or confirm you have restarted your shib stack.

  • Test that the correct Federation metadata is being used: load the XML for your federation (eg https://md.test.aaf.edu.au/aaf-test-metadata.xml) and ensure that your certificate is present in that file in the right EntityDescriptor element.

  • Check the cert/key pair: make sure that /etc/shibboleth/sp-cert.{key,pem} match cryptographically. Use the details at https://support.comodo.com/index.php?/Knowledgebase/Article/View/684/17/how-do-i-verify-that-a-private-key-matches-a-certificate-openssl to check.

  • Check the Shibboleth logs: try restarting shibd whilst watching /var/log/shibboleth/shibd.log. Errors will be logged there if keys/certs can't be loaded.

  • Increase the Shibboleth logging level and do a login cycle: edit /etc/shibboleth/shibd.logger, replace all instances of INFO with DEBUG and restart shibd. Any startup errors would already have shown up in shibd.log at the INFO level, so you typically only need to be concerned with output after you begin the login cycle. So, head to /Shibboleth.sso/Login in your browser whilst watching /var/log/shibboleth/shibd.log. The reason for a failure will be explained in detail there, and common issues are listed at https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTroubleshootingCommonErrors (which we're already going through, but you can check that if something else occurs).
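A scripted version of the federation-metadata check above, added here as an example rather than code from the gist: it parses SAML metadata with Python's standard library and reports whether the local sp-cert.pem appears under the EntityDescriptor for your own entityID, not merely somewhere in the file. The entityID, the metadata document and the certificate bytes are constructed placeholders; point it at your real metadata URL and /etc/shibboleth/sp-cert.pem to use it.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_cert_to_der(pem: str) -> bytes:
    """Drop the PEM armour lines and decode the base64 body to DER bytes."""
    body = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def published_certs(metadata_xml: str, entity_id: str) -> list:
    """DER certs in the SPSSODescriptor of exactly this entityID; whitespace
    inside <ds:X509Certificate> (metadata usually line-wraps it) is ignored."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.get("entityID") != entity_id:
            continue  # a matching cert under another entity does not help us
        for c in ed.findall("md:SPSSODescriptor/md:KeyDescriptor//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((c.text or "").split())))
    return certs

def cert_is_published(metadata_xml: str, entity_id: str, local_pem: str) -> bool:
    """True when the local sp-cert.pem matches a cert in our own EntityDescriptor."""
    return pem_cert_to_der(local_pem) in published_certs(metadata_xml, entity_id)

# Constructed sample data: placeholder bytes stand in for real DER certificates.
SP_ENTITY_ID = "https://sp.example.edu/shibboleth"
CURRENT_B64 = base64.b64encode(b"placeholder bytes standing in for the SP's current DER-encoded certificate").decode()
ROTATED_B64 = base64.b64encode(b"placeholder for an old, since-rotated certificate").decode()
LOCAL_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (
    "\n".join(textwrap.wrap(CURRENT_B64, 64)))  # wrapped at 64 columns like a file on disk
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
  <md:EntityDescriptor entityID="https://other-sp.example.edu/shibboleth">
    <md:SPSSODescriptor><md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{ROTATED_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="{SP_ENTITY_ID}">
    <md:SPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {CURRENT_B64[:40]}
        {CURRENT_B64[40:]}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""
```

A `False` result for your own entityID while the cert is visible elsewhere in the file usually means the certificate was registered against a different entity or an old one has not yet been replaced in the published metadata.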

Attributes

  • Check the attribute map: the file at /etc/shibboleth/attribute-map.xml controls which attributes get processed by Shibboleth components. If something isn't listed in here then it will be filtered implicitly. Likewise if an attribute is specified with an incorrect identifier or name, then it will either be filtered or won't be where you expect the value to be.