11 Replies Latest reply on Jan 20, 2016 8:53 AM by 2Charlie

    Shibboleth authentication with LDAP

    2Charlie Level 1

      I'm running into "Internal Server Error" when trying to authenticate using Shibboleth with LDAP. Here's the ColdFusion error.

      Element MYSITESHIBBOLETH.USERNAME is undefined in SESSION. The specific sequence of files included or processed is: \\commonspotshare.mysite.com\commonspot$\TEST\test.mysite.com\authenticate.cfm, line: 32

      And here's the authenticate.cfm file, line 32.

      [screenshot: mysiteShibboleth.png]

        • 1. Re: Shibboleth authentication with LDAP
          EddieLotter Level 3

          Add <cfdump var="#session.mysiteShibboleth#> on line 30 and see what result you get.


          My guess is that the struct does not contain "username".


          Cheers

          Eddie

          • 2. Re: Shibboleth authentication with LDAP
            2Charlie Level 1

            There is no dump on the browser but this is the error I got in the ColdFusion error log.


            "Error","ajp-bio-8013-exec-1","01/19/16","12:47:32",,"Invalid CFML construct found on line 30 at column 44.ColdFusion was looking at the following text:<p>\""</p><p>The CFML compiler was processing:<ul><li>An expression that began on line 30, column 22.<br>The expression might be missing an ending #, for example, #expr instead of #expr#.<li>The tag attribute var, on line 30, column 17.<li>A cfdump tag beginning on line 30, column 10.<li>A cfdump tag beginning on line 30, column 10.</ul> The specific sequence of files included or processed is: \\commonspotshare.mysite.com\commonspot$\TEST\test.mysite.com\authenticate.cfm, line: 30 "

            • 3. Re: Shibboleth authentication with LDAP
              EddieLotter Level 3

              I failed to close the var attribute's quote in my post and the Web interface is not allowing me to edit the post. Check your syntax, it should be as follows:

              <cfdump var="#session.mysiteShibboleth#">

              Cheers

              Eddie

              • 4. Re: Shibboleth authentication with LDAP
                2Charlie Level 1

                I would still have the same error.

                • 5. Re: Shibboleth authentication with LDAP
                  WolfShade Level 4

                  I believe that the issue is because you are using CFIF instead of CFSWITCH. In a CFIF conditional, the server processes ALL conditions, then inserts into the process whichever condition is correct. Even though the conditional is IF this exists, run this, if this doesn't exist, the code is still run, just not used.

                  Change your conditional to a CFSWITCH/CFCASE - the server will run only the correct code.

                  HTH,

                  ^_^

                  BTW, you don't need hashmarks if the variable isn't inside quotation marks as a string, and it's not being used for display. So..

                  <cfset session.mysiteshibboleth.username = "mysite" & #session.mysiteshibboleth.username#>

                  .. you can remove the hashmarks from this as the variable isn't being output and it's not part of a string. Now, the following would require hashmarks:

                  <cfset session.mysiteshibboleth.username = "mysite#session.mysiteshibboleth.username#">

                  because the variable is contained within a string.

                  Using hashmarks in the first example can slow down processing.

                  HTH

                  • 6. Re: Shibboleth authentication with LDAP
                    EddieLotter Level 3

                    2Charlie wrote:


                    I would still have the same error.

                    Please post your code as it is now.


                    Cheers

                    Eddie

                    • 7. Re: Shibboleth authentication with LDAP
                      2Charlie Level 1

                      Here is the whole thing in the authenticate.cfm file.

                      <cfparam name="Session.mysiteShibboleth" default="">
                      <cfparam name="http_header" default="#GetHttpRequestData()#">

                      <!--- determine what the referer should be from shibboleth depending on what server we're on --->
                      <cfif request.env eq "production">
                        <cfset shibboleth_url = "https://login.mysite.com/idp/profile/SAML2/Redirect/SSO">
                      <cfelse>
                        <cfset shibboleth_url = "https://logintest.mysite.com/idp/profile/SAML2/Redirect/SSO">
                      </cfif>

                      <!--- if shibboleth sent us here, remember the data it gave us --->
                      <cfif cgi.http_referer eq shibboleth_url>
                        <cfscript>
                          session.mysiteShibboleth = StructNew();
                          session.mysiteShibboleth.username = REReplace(http_header.headers.eppn, "@mysite.com", "", "ALL");
                          session.mysiteShibboleth.mail = http_header.headers.eppn;
                          session.mysiteShibboleth.groups = ArrayToList(REMatch('WEB\.[A-Z.-]+', http_header.headers.member));
                          session.mysiteShibboleth.isAuthenticated = "true";
                        </cfscript>
                      </cfif>

                      <!--- <cflog text="CGI-log: #cgi.http_referer#" type="information" file="CGI-Log"> --->

                      <!--- if we have shibboleth info, log in to commonspot with that --->
                      <cfif StructKeyExists(Session, "mysiteShibboleth")>
                        <!--- <cflog text="Session Name: #session.mysiteShibboleth#" type="information" file="Session"> --->
                        <!--- checking if username is numeric --->
                        <cfif IsNumeric(Mid(session.mysiteShibboleth.username, 1, 1))>
                          <cfset session.mysiteShibboleth.username = "mysite" & session.mysiteShibboleth.username>
                        </cfif>

                        <cflog text="User Name: #session.mysiteShibboleth.username#" type="information" file="userName">

                        <!--- authorize the user --->
                        <cfmodule template="/commonspot/security/populate-user-struct.cfm"
                                  defaultUserID="#session.mysiteShibboleth.username#"
                                  defaultGroupNames="#session.mysiteShibboleth.groups#"
                                  defaultGroupIDs=""
                                  additionalGroupNames="#session.mysiteShibboleth.groups#">

                        <!--- if this user is not marked as a "licensed contributor", mark them as such --->
                        <cfif session.user.LICENSEDCONTRIBUTOR eq 0>
                          <cftry>
                            <cflock scope="Session" type="Exclusive" timeout="5" throwontimeout="Yes">
                              <cfquery datasource="#session.user.USERSDATASOURCE#" name="updateContributor">
                                UPDATE Users
                                SET LicensedContributor = '1'
                                WHERE ID = <cfqueryparam value="#session.user.id#" cfsqltype="cf_sql_integer">
                              </cfquery>
                              <cfset session.user.LicensedContributor = "1">
                            </cflock>
                            <cfcatch>
                              <cfoutput>Error in /authenticate.cfm: An error occurred while trying to log in. Please try again.</cfoutput>
                            </cfcatch>
                          </cftry>
                        </cfif>

                        <!--- we are now logged in, so redirect somewhere --->
                        <cfif session.preAuthUrl eq "">
                          <!--- not sure where we came from, so redirect to the homepage --->
                          <cflocation url="/" addtoken="no">
                        <cfelse>
                          <!--- strip the scheme and host first so tmp is defined in both branches below --->
                          <cfset tmp = ReReplace(session.preAuthUrl, "^.+\.mysite\.com", "")>
                          <cfif session.preAuthUrl contains "login=1">
                            <cfif tmp eq "">
                              <cflocation url="/" addtoken="no">
                            <cfelse>
                              <cflocation url="#tmp#" addtoken="no">
                            </cfif>
                          <cfelse>
                            <cflocation url="#request.author_url##tmp#" addtoken="no">
                          </cfif>
                        </cfif>
                      </cfif>

                      <!--- go back to wherever we came from --->
                      <cflocation url="#cgi.http_referer#" addtoken="no">

                      • 8. Re: Shibboleth authentication with LDAP
                        2Charlie Level 1

                        Right now it seems that cgi.http_referer does not equal shibboleth_url, which is why the session was not set. In cgi.http_referer it seems a bunch of character codes are appended to it, as shown in a couple of my posts above. I have to figure out a way to strip those extra codes out.

                        • 10. Re: Shibboleth authentication with LDAP
                          2Charlie Level 1

                          Okay, I got it to work. I need to use reReplace() to extract the part that I need so that the cfif works and the session gets set.

                          <cfset cgiReferer = reReplace(cgi.http_referer, "[\?;].+", "") />

                          <!--- if shibboleth sent us here, remember the data it gave us --->
                          <!--- <cfif cgi.http_referer eq shibboleth_url> --->
                          <cfif cgiReferer eq shibboleth_url>
                            <cfscript>
                              session.testShibboleth = StructNew();
                              session.testShibboleth.username = REReplace(http_header.headers.eppn, "@test.com", "", "ALL");
                              session.testShibboleth.mail = http_header.headers.eppn;
                              session.testShibboleth.groups = ArrayToList(REMatch('WEB\.[A-Z.-]+', http_header.headers.member));
                              session.testShibboleth.isAuthenticated = "true";
                            </cfscript>
                          </cfif>
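One way to tighten the same authenticate.cfm flow, as an added example and not code from the thread: the referer is normalised before the comparison, the session struct is populated only from the attribute headers, and the later read of username is guarded on that key rather than on the struct's existence (a cfparam default of "" makes the StructKeyExists(session, "mysiteShibboleth") check pass even when nothing was stored, which is exactly what produces "Element MYSITESHIBBOLETH.USERNAME is undefined"). The function names normalizeReferer and buildShibbolethSession are assumed; session.mysiteShibboleth, shibboleth_url and the eppn/member headers follow the thread.

```cfml
<!--- helper functions; the names are assumed, not from the thread --->
<cfscript>
// The Referer header is sent by the browser, so normalise it before comparing
// against the IdP URL, but treat the SP-injected attribute headers as the real input.
function normalizeReferer(required string referer) {
    return ListFirst(arguments.referer, "?;");
}

// Build the session struct only from the attribute headers the Shibboleth SP set.
function buildShibbolethSession(required struct headers) {
    var s = StructNew();
    s.isAuthenticated = false;
    if (NOT StructKeyExists(arguments.headers, "eppn") OR NOT Len(Trim(arguments.headers.eppn))) {
        return s; // nothing usable arrived: explicitly unauthenticated
    }
    s.mail = arguments.headers.eppn;
    s.username = REReplaceNoCase(arguments.headers.eppn, "@mysite\.com$", "");
    // usernames starting with a digit get the "mysite" prefix, as in the thread
    if (IsNumeric(Left(s.username, 1))) {
        s.username = "mysite" & s.username;
    }
    s.groups = "";
    if (StructKeyExists(arguments.headers, "member")) {
        s.groups = ArrayToList(REMatch("WEB\.[A-Z.-]+", arguments.headers.member));
    }
    s.isAuthenticated = true;
    return s;
}
</cfscript>

<cfset httpData = GetHttpRequestData()>
<!--- shibboleth_url is set earlier in authenticate.cfm, as in the thread --->
<cfif normalizeReferer(cgi.http_referer) eq shibboleth_url>
  <cfset session.mysiteShibboleth = buildShibbolethSession(httpData.headers)>
</cfif>

<!--- guard on the key that is actually read, not just on the struct's existence:
      a cfparam default of "" makes StructKeyExists(session, "mysiteShibboleth") true
      even when no attributes were ever stored --->
<cfif StructKeyExists(session, "mysiteShibboleth")
      AND IsStruct(session.mysiteShibboleth)
      AND StructKeyExists(session.mysiteShibboleth, "username")
      AND session.mysiteShibboleth.isAuthenticated>
  <cflog text="User Name: #session.mysiteShibboleth.username#" type="information" file="userName">
<cfelse>
  <cflog text="No Shibboleth attributes stored for this request; not logging in" type="warning" file="userName">
</cfif>
```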