Title: [Plugin Shibboleth] loop wrong key checked
Last modified: August 19, 2016

---

# [Plugin Shibboleth] loop wrong key checked

 *  [tsikorski](https://wordpress.org/support/users/tsikorski/)
 * (@tsikorski)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/plugin-shibboleth-loop-wrong-key-checked/)
 * When trying to establish if a session is active in shibboleth.php the function
   shibboleth_session_active is checking for session headers which in my environment
   don’t exist.
 * Here is the function in question:
 *     ```
       /**
        * Check if a Shibboleth session is active.
        *
        * @return boolean if session is active
        * @uses apply_filters calls 'shibboleth_session_active' before returning final result
        */
       function shibboleth_session_active() {
               $active = false;
   
               $session_headers = array('Shib-Session-ID', 'HTTP_SHIB_IDENTITY_PROVIDER');
               foreach ($session_headers as $header) {
                       if ( array_key_exists($header, $_SERVER) && !empty($_SERVER[$header]) ) {
                               $active = true;
                               break;
                       }
               }
   
               $active = apply_filters('shibboleth_session_active', $active);
               return $active;
       }
       ```
   
 * I managed to get the plugin to work by changing the code to
 *     ```
       /**
        * Check if a Shibboleth session is active.
        *
        * @return boolean if session is active
        * @uses apply_filters calls 'shibboleth_session_active' before returning final result
        */
       function shibboleth_session_active() {
               $active = false;
   
               $session_headers = array('Shib_Session_ID', 'HTTP_SHIB_IDENTITY_PROVIDER');
               foreach ($session_headers as $header) {
                       if ( array_key_exists($header, $_SERVER) && !empty($_SERVER[$header]) ) {
                               $active = true;
                               break;
                       }
               }
   
               $active = apply_filters('shibboleth_session_active', $active);
               return $active;
       }
       ```
   
 * Without this change any attempt at using Shib would cause a loop with the idp.
   Has anyone else seen this?
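
The key-name mismatch described in this post can be checked directly. The following is an added example (not code from the original post or from the plugin) that reports under which spelling a Shibboleth attribute is visible in `$_SERVER`. The helper names `shib_key_variants` and `shib_find_attribute`, the `REDIRECT_` variants and the sample array are assumptions introduced for illustration.

```php
<?php
// Added diagnostic example; shib_key_variants() and shib_find_attribute()
// are hypothetical helper names, not functions of the Shibboleth plugin.

/** Build the $_SERVER key spellings one attribute name may appear under. */
function shib_key_variants($name) {
    $underscored = str_replace('-', '_', $name);        // e.g. Shib_Session_ID
    $env = array_unique(array($name, $underscored));
    $redirected = array();
    foreach ($env as $key) {
        // Apache prefixes environment variables with REDIRECT_ after an
        // internal redirect, such as a mod_rewrite rule in .htaccess.
        $redirected[] = 'REDIRECT_' . $key;
    }
    return array(
        // Set by the web server module; a client cannot supply these directly.
        'environment' => array_merge($env, $redirected),
        // HTTP_* keys are filled from request headers, so a check that accepts
        // them depends on the server discarding client-supplied copies.
        'header'      => array('HTTP_' . strtoupper($underscored)),
    );
}

/** Return array(source => array(key, ...)) for every non-empty match. */
function shib_find_attribute(array $server, $name) {
    $found = array();
    foreach (shib_key_variants($name) as $source => $keys) {
        foreach ($keys as $key) {
            if (isset($server[$key]) && $server[$key] !== '') {
                $found[$source][] = $key;
            }
        }
    }
    return $found;
}

// Constructed sample input, shaped like the header dumps in this thread.
$sample = array(
    'Shib_Session_ID'             => '_constructed_session_id',
    'HTTP_SHIB_IDENTITY_PROVIDER' => 'https://idp.example.org/metadata',
);

foreach (array('Shib-Session-ID', 'Shib-Identity-Provider') as $attr) {
    $hits = shib_find_attribute($sample, $attr);
    // Log key names only; session identifiers do not belong in log files.
    error_log($attr . ': ' . ($hits ? json_encode($hits) : 'not present'));
}
```

Passing `$_SERVER` instead of `$sample` from a page in the same directory as `wp-login.php` shows which spelling, if any, that location receives.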

Viewing 12 replies - 1 through 12 (of 12 total)

 *  [jkhongusc](https://wordpress.org/support/users/jkhongusc/)
 * (@jkhongusc)
 * [15 years, 6 months ago](https://wordpress.org/support/topic/plugin-shibboleth-loop-wrong-key-checked/#post-1751661)
 * Just wanted to comment that the Shibboleth plugin out-of-the-box worked fine 
   for me. I verified that we do retrieve ‘Shib-Session-ID’ from Shibboleth. One
   of the first things I install on a Shibbolized server is a test page that prints
   out all the headers.
 *  [fabri76](https://wordpress.org/support/users/fabri76/)
 * (@fabri76)
 * [15 years, 1 month ago](https://wordpress.org/support/topic/plugin-shibboleth-loop-wrong-key-checked/#post-1751724)
 * hello,
    i am experiencing the same loop problem. i tried your workaround, but
   nothing changes. can you help me, please? thank you. ciao, fabrizio
 *  [jkhongusc](https://wordpress.org/support/users/jkhongusc/)
 * (@jkhongusc)
 * [15 years ago](https://wordpress.org/support/topic/plugin-shibboleth-loop-wrong-key-checked/#post-1751727)
 * fabri76 –
    The endless looping could be caused by a number of reasons. You should
   create a page that prints out all the Shibboleth headers to verify that you are
   getting ‘Shib-Session-ID’ or ‘HTTP_SHIB_IDENTITY_PROVIDER’.
 * For example I created a Shibboleth protected php page (e.g. /secure/debug.php)
   that prints out all the http headers:
 *     ```
       <?php print '<pre>'.print_r($_SERVER, true).'</pre>'; ?>
       ```
   
 * First verify that you are getting those headers. If you are getting the headers,
   I would check on your Shibboleth/Apache configuration (i.e. htaccess file) or
   your Shibboleth configuration in WP.
 *  [fabri76](https://wordpress.org/support/users/fabri76/)
 * (@fabri76)
 * [15 years ago](https://wordpress.org/support/topic/plugin-shibboleth-loop-wrong-key-checked/#post-1751728)
 * hello jkhongusc,
    thank you for your reply. i have a test php page which shows
   all of the http headers and the result is:
 *     ```
       HTTP_SHIB_IDENTITY_PROVIDER  https://federatest.lepida.it/gw/metadata
       Shib-Application-ID  default
       Shib-Authentication-Instant  2011-05-18T05:58:46.883Z
       Shib-Authentication-Method  urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
       Shib-AuthnContext-Class  urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
       Shib-Identity-Provider  https://federatest.lepida.it/gw/metadata
       Shib-Session-ID  _26d49f597a3d3040506564bd7a80a46d
       ```
   
 * so i am already getting the shib-session-id and http_shib_identity_provider,
   so what shall i check into to solve my loop problem? thank you very much. ciao,
   fabrizio
 *  [jkhongusc](https://wordpress.org/support/users/jkhongusc/)
 * (@jkhongusc)
 * [15 years ago](https://wordpress.org/support/topic/plugin-shibboleth-loop-wrong-key-checked/#post-1751729)
 * fabri76 –
    Great, that verifies that Shibboleth is configured properly and passing
   the session variables.
 * 1) Can you tell me what version of WP you are using and if you have any special
   configurations (e.g. multi-site)?
 * 2) Are you certain you entered the correct Shibboleth configurations in /wp-admin?
   The really important ones are ‘Session Initiator URL’ and ‘Username’. Make sure
   you map the correct http header to Username and that you can see Username header
   in your test php page.
 * 3) Can you tell me the exact urls (you can leave out hostnames) to log into
   Shibboleth and when the endless looping occurs?
 * 4) Can you check if your <WP dir>/.htaccess file has the shibboleth settings:
 *     ```
       # BEGIN Shibboleth
       AuthType Shibboleth
       Require Shibboleth
       # END Shibboleth
       ```
   
 * If you are certain you are doing everything right, the next step is to insert
   logging into the Shibboleth plugin.
 * James
 *  [fabri76](https://wordpress.org/support/users/fabri76/)
 * (@fabri76)
 * [15 years ago](https://wordpress.org/support/topic/plugin-shibboleth-loop-wrong-key-checked/#post-1751730)
 * hello james,
    here are the answers to your questions:
 * 1. my wp version is 3.0.2 and i do not have special configs (no multi-site)
 * 2. yes the ‘session initiation url’ (which points to “http://<myURL>/Shibboleth.sso/Login”)
   is set properly, in fact, when i choose to logon with shibboleth i am redirected
   to the shibboleth login url set as mentioned above; also the username is set
   and points to “CodiceFiscale”, in fact (from my test page) i see: *** CodiceFiscale
   LSGFRZ76R04H223G *** if you believe that it can be of help, i can give you a
   username and the url for the test page and the shib login page, so you can test
   what happens yourself. let me know. in this case i would prefer to give you link,
   username and password via email.
 * 3. when the loop occurs, the 2 urls shown are:
   [http://<myURL>/Shibboleth.sso/Login?target=http%3A%2F%2F<myURL>%2Fwp-login.php%3Faction%3Dshibboleth](http://<myURL>/Shibboleth.sso/Login?target=http%3A%2F%2F<myURL>%2Fwp-login.php%3Faction%3Dshibboleth)
   and [https://<myRemoteIdp>/gw/AssertionConsumerProxy/SAML1?ssoProxying=reggioemilia](https://<myRemoteIdp>/gw/AssertionConsumerProxy/SAML1?ssoProxying=reggioemilia)
 * 4. the .htaccess file contains:
 *     ```
       # BEGIN WordPress
       # END WordPress
       # BEGIN Shibboleth
       AuthType Shibboleth
       Require Shibboleth
       # END Shibboleth
       ```
   
 * let me know, please. thank you. ciao, fabrizio
 *  [jkhongusc](https://wordpress.org/support/users/jkhongusc/)
 * (@jkhongusc)
 * [15 years ago](https://wordpress.org/support/topic/plugin-shibboleth-loop-wrong-key-checked/#post-1751731)
 * fabrizio –
    IMO, it seems that you have configured everything correctly. But 
   WP is not seeing the Shibboleth session headers. The next step is to add logging
   into the shibboleth plugin. Hopefully you are confident enough to be able to 
   do this… on a test system (not production):
 * 1) backup main shib plugin file
 *     ```
       cd <wp dir>/wp-content/plugins/shibboleth
       cp shibboleth.php shibboleth.php.bak
       ```
   
 * 2) add logging to various functions. I think the problem is in shibboleth_session_active()
   so I will give you an example of how to add logging to that function, but go 
   ahead and put the logging in other functions:
 *     ```
       function shibboleth_session_active() {
               error_log("shibboleth_session_active",0);
               $active = false;
               $session_headers = array('Shib-Session-ID', 'HTTP_SHIB_IDENTITY_PROVIDER','Shib-Identity-Provider');
               foreach ($session_headers as $header) {
                       if ( array_key_exists($header, $_SERVER) && !empty($_SERVER[$header]) ) {
                               $active = true;
                               break;
                       }
               }
               if ($active == false) {
                       error_log("Shib-Session-ID = ".$_SERVER['Shib-Session-ID'],0);
                       error_log("HTTP_SHIB_IDENTITY_PROVIDER = ".$_SERVER['HTTP_SHIB_IDENTITY_PROVIDER'],0);
                       error_log("Shib-Identity-Provider= ".$_SERVER['Shib-Identity-Provider'],0);
               }
               $active = apply_filters('shibboleth_session_active', $active);
               return $active;
       }
       ```
   
 * 3) tail -f the apache error log file
 * 4) log into WP/Shibboleth and watch the error messages
 * Let me know if shibboleth_session_active() can see the Shibboleth headers – that
   is the key to the looping.
 * James
 *  [fabri76](https://wordpress.org/support/users/fabri76/)
 * (@fabri76)
 * [15 years ago](https://wordpress.org/support/topic/plugin-shibboleth-loop-wrong-key-checked/#post-1751732)
 * james,
    first of all thank you for your very important support!
 * i put the logging to the shibboleth_session_active function and the result of
   the tail on the error_log file is:
 *     ```
       [Wed May 18 16:18:24 2011] [error] [client 172.16.2.33] shibboleth_session_active
       [Wed May 18 16:18:24 2011] [error] [client 172.16.2.33] Shib-Session-ID =
       [Wed May 18 16:18:24 2011] [error] [client 172.16.2.33] HTTP_SHIB_IDENTITY_PROVIDER =
       [Wed May 18 16:18:24 2011] [error] [client 172.16.2.33] Shib-Identity-Provider =
       [Wed May 18 16:18:26 2011] [error] [client 172.16.2.33] shibboleth_session_active
       [Wed May 18 16:18:26 2011] [error] [client 172.16.2.33] Shib-Session-ID =
       [Wed May 18 16:18:26 2011] [error] [client 172.16.2.33] HTTP_SHIB_IDENTITY_PROVIDER =
       [Wed May 18 16:18:26 2011] [error] [client 172.16.2.33] Shib-Identity-Provider =
       [Wed May 18 16:18:27 2011] [error] [client 172.16.2.33] shibboleth_session_active
       [Wed May 18 16:18:27 2011] [error] [client 172.16.2.33] Shib-Session-ID =
       [Wed May 18 16:18:27 2011] [error] [client 172.16.2.33] HTTP_SHIB_IDENTITY_PROVIDER =
       [Wed May 18 16:18:27 2011] [error] [client 172.16.2.33] Shib-Identity-Provider =
       [Wed May 18 16:18:29 2011] [error] [client 172.16.2.33] shibboleth_session_active
       [Wed May 18 16:18:29 2011] [error] [client 172.16.2.33] Shib-Session-ID =
       [Wed May 18 16:18:29 2011] [error] [client 172.16.2.33] HTTP_SHIB_IDENTITY_PROVIDER =
       [Wed May 18 16:18:29 2011] [error] [client 172.16.2.33] Shib-Identity-Provider =
       [Wed May 18 16:18:31 2011] [error] [client 172.16.2.33] shibboleth_session_active
       ```
   
 * that means that, as you mentioned, the function does not show the headers needed!
   which are the other functions that need logging? i am trying to do that, but
   i have to confess that i am not very confident in that… i do hope i will be able.
   thank you. ciao, fabrizio
 *  [jkhongusc](https://wordpress.org/support/users/jkhongusc/)
 * (@jkhongusc)
 * [15 years ago](https://wordpress.org/support/topic/plugin-shibboleth-loop-wrong-key-checked/#post-1751733)
 * fabrizio –
    For now you do not have to add error logging anywhere else. The question
   is why does your test page see the shibboleth headers and not WP. There must 
   be a difference in the Shibboleth or Apache/httpd configuration.
 * What is the url to your test page and how did you protect it with Shibboleth?
   Is the test page on the WP server? If not, it should be!
 * Another way to check is to manually initiate a Shib login and redirect straight
   to the test page. You can create your own Shibbed url by changing the target (
   it has to be encoded) –
 * [http://<myURL>/Shibboleth.sso/Login?target=http%3A%2F%2F<myURL>%2Ftest.php](http://<myURL>/Shibboleth.sso/Login?target=http%3A%2F%2F<myURL>%2Ftest.php)
 *  [fabri76](https://wordpress.org/support/users/fabri76/)
 * (@fabri76)
 * [15 years ago](https://wordpress.org/support/topic/plugin-shibboleth-loop-wrong-key-checked/#post-1751734)
 * james,
    the url of my test page is:
 * [http://<myURL>/secure2/test.php](http://<myURL>/secure2/test.php)
 * (all of the files under the virtual directory secure2 are protected via shibboleth
   login).
    and yes, the test page is on the WP server.
 * the good news (or maybe it is not good news?) is that invoking the following url:
 * [http://<myURL>/Shibboleth.sso/Login?target=http%3A%2F%2F<myURL>%2Fsecure2%2Ftest.php](http://<myURL>/Shibboleth.sso/Login?target=http%3A%2F%2F<myURL>%2Fsecure2%2Ftest.php)
 * i am redirected to my remote idp, then i can logon and then i am redirected
   (**with no loop**) to the test.php page, which shows:
 *     ```
       Shib-Application-ID	default
       Shib-Session-ID	_16fec1f0e3311190547b751214760f27
       Shib-Identity-Provider	https://<remoteIdP>/gw/metadata
       Shib-Authentication-Instant	2011-05-18T15:02:58.012Z
       Shib-Authentication-Method	urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
       Shib-AuthnContext-Class	urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
       CodiceFiscale	LSGFRZ76R04H223G
       cognome	LASAGNI
       nome	FABRIZIO
       HTTP_SHIB_SESSION_ID	_16fec1f0e3311190547b751214760f27
       HTTP_SHIB_SESSION_INDEX
       HTTP_SHIB_IDENTITY_PROVIDER	https://<remoteIdP>/gw/metadata
       HTTP_SHIB_AUTHENTICATION_METHOD	urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
       HTTP_SHIB_AUTHENTICATION_INSTANT	2011-05-18T15:02:58.012Z
       HTTP_SHIB_AUTHNCONTEXT_CLASS	urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
       HTTP_SHIB_AUTHNCONTEXT_DECL
       HTTP_SHIB_ASSERTION_COUNT
       HTTP_SHIB_APPLICATION_ID	default
       ```
   
 * now i am a little bit confused…
    now i should be logged, but, if i invoke the
   WP logon page, the loop starts, but, if i invoke one of the pages under the virtual
   directory (/secure2) i can see the page correctly and all of the session parameters
   (shibboleth ones included).
 * thanks again.
    ciao, fabrizio
 *  [jkhongusc](https://wordpress.org/support/users/jkhongusc/)
 * (@jkhongusc)
 * [15 years ago](https://wordpress.org/support/topic/plugin-shibboleth-loop-wrong-key-checked/#post-1751735)
 * fabrizio –
    My suggestion is to move your test page out of /secure2 and into 
   the top (WP) directory, where wp-login.php resides; so the url would be [http://<myURL>/test.php](http://<myURL>/test.php)
 * Then see if you still get the Shib session headers: [http://<myURL>/Shibboleth.sso/Login?target=http%3A%2F%2F<myURL>%2Ftest.php](http://<myURL>/Shibboleth.sso/Login?target=http%3A%2F%2F<myURL>%2Ftest.php)
 * Are the hostnames for WP and the test.php url the same? Just making sure because
   I cannot think of any reason why WP login would not work. If all this doesn't
   work, I may need access to the urls (via email).
    jkhong @ usc.edu
 * James
 *  [fabri76](https://wordpress.org/support/users/fabri76/)
 * (@fabri76)
 * [15 years ago](https://wordpress.org/support/topic/plugin-shibboleth-loop-wrong-key-checked/#post-1751737)
 * james,
    i moved the test.php page into wp top directory. i am redirected to the
   logon page, but, after the login, i get this error:
 *     ```
       SWITCH Attribute Viewer
   
       Attributes	Values
       No valid Shibboleth session!
       This web page is probably not protected with Shibboleth. Hint to Home Organization administrators:
       Have a look at your web server or Shibboleth configuration
       ```
   
 * i am sending you an email with the details of the url and username/password for
   the tests.
 * thank you very much.
    ciao, fabrizio


The topic ‘[Plugin Shibboleth] loop wrong key checked’ is closed to new replies.


 * 12 replies
 * 3 participants
 * Last reply from: [fabri76](https://wordpress.org/support/users/fabri76/)
 * Last activity: [15 years ago](https://wordpress.org/support/topic/plugin-shibboleth-loop-wrong-key-checked/#post-1751737)
 * Status: not resolved