I'm running into "Internal Server Error" when trying to authenticate using shibboleth with LDAP. Here's the ColdFusion error.
Element MYSITESHIBBOLETH.USERNAME is undefined in SESSION. The specific sequence of files included or processed is: \\commonspotshare.mysite.com\commonspot$\TEST\test.mysite.com\authenticate.cfm, line: 32
And here's the authenticate.cfm file line 32.
Add <cfdump var="#session.mysiteShibboleth#> on line 30 and see what result you get.
My guess is that the struct does not contain "username".
Cheers
Eddie
There is no dump on the browser but this is the error I got in the ColdFusion error log.
"Error","ajp-bio-8013-exec-1","01/19/16","12:47:32",,"Invalid CFML construct found on line 30 at column 44.ColdFusion was looking at the following text:<p>\""</p><p>The CFML compiler was processing:<ul><li>An expression that began on line 30, column 22.<br>The expression might be missing an ending #, for example, #expr instead of #expr#.<li>The tag attribute var, on line 30, column 17.<li>A cfdump tag beginning on line 30, column 10.<li>A cfdump tag beginning on line 30, column 10.</ul> The specific sequence of files included or processed is: \\commonspotshare.mysite.com\commonspot$\TEST\test.mysite.com\authenticate.cfm, line: 30 "
I failed to close the var attribute's quote in my post and the Web interface is not allowing me to edit the post. Check your syntax, it should be as follows:
<cfdump var="#session.mysiteShibboleth#">
Cheers
Eddie
I would still have the same error.
I believe that the issue is because you are using CFIF instead of CFSWITCH. In a CFIF conditional, the server processes ALL conditions, then inserts into the process whichever condition is correct. Even though the conditional is IF this exists, run this, if this doesn't exist, the code is still run, just not used.
Change your conditional to a CFSWITCH/CFCASE - the server will run only the correct code.
HTH,
^_^
BTW.. you don't need hashmarks if the variable isn't inside quotation marks as a string, and it's not being used for display. So..
<cfset session.mysiteshibboleth.username = "mysite" & #session.mysiteshibboleth.username#>
.. you can remove the hashmarks from this as the variable isn't being output and it's not part of a string. Now, the following would require hashmarks.
<cfset session.mysiteshibboleth.username = "mysite#session.mysiteshibboleth.username#">
Because the variable is contained within a string.
Using hashmarks in the first example can slow down processing.
HTH
2Charlie wrote:
I would still have the same error.
Please post your code as it is now.
Cheers
Eddie
Here is the whole thing in the authenticate.cfm file.
<cfparam name="Session.mysiteShibboleth" default="">
<cfparam name="http_header" default="#GetHttpRequestData()#">
<!--- determine what the referer should be from shibboleth depending on what server we're on--->
<cfif request.env eq "production">
    <cfset shibboleth_url = "https://login.mysite.com/idp/profile/SAML2/Redirect/SSO">
<cfelse>
    <cfset shibboleth_url = "https://logintest.mysite.com/idp/profile/SAML2/Redirect/SSO">
</cfif>
<!--- if shibboleth sent us here, remember the data it gave us--->
<cfif cgi.http_referer eq shibboleth_url>
    <cfscript>
        session.mysiteShibboleth = StructNew();
        session.mysiteShibboleth.username=REReplace(http_header.headers.eppn, "@mysite.com","","ALL");
        session.mysiteShibboleth.mail=http_header.headers.eppn;
        session.mysiteShibboleth.groups=ArrayToList(REMatch('WEB\.[A-Z.-]+', http_header.headers.member));
        session.mysiteShibboleth.isAuthenticated="true";
    </cfscript>
</cfif>
<!---<cflog text = "CGI-log: #cgi.http_referer#" type = "information" file = "CGI-Log">--->
<!--- if we have shibboleth info, log in to commonspot with that--->
<cfif StructKeyExists(Session, "mysiteShibboleth") >
    <!---<cflog text = "Session Name: #session.mysiteShibboleth#" type = "information" file = "Session">--->
    <!--- //Checking if username is numeric --->
    <cfif IsNumeric(Mid(session.mysiteShibboleth.username, 1, 1))>
        <cfset session.mysiteShibboleth.username = "mysite" & #session.mysiteShibboleth.username#>
    </cfif>
    <cflog text = "User Name: #session.mysiteShibboleth.username#" type = "information" file = "userName">
    <!--- // authorize the user --->
    <cfmodule template="/commonspot/security/populate-user-struct.cfm"
        defaultUserID = "#session.mysiteShibboleth.username#"
        defaultGroupNames = "#session.mysiteShibboleth.groups#"
        defaultGroupIDs = ""
        additionalGroupNames = "#session.mysiteShibboleth.groups#">
    <!--- if this user is not marked as a "licensed contributor", mark them as such.--->
    <cfif session.user.LICENSEDCONTRIBUTOR eq 0>
        <cftry>
            <CFLOCK SCOPE="Session" TYPE="Exclusive" TIMEOUT="5" THROWONTIMEOUT="Yes">
                <cfquery DATASOURCE="#session.user.USERSDATASOURCE#" NAME="updateContributor">
                    UPDATE Users
                    SET LicensedContributor = '1'
                    WHERE ID = #session.user.id#
                </cfquery>
                <cfset session.user.LicensedContributor = "1">
            </CFLOCK>
            <cfcatch>
                <cfoutput>Error in /authenticate.cfm: An error occurred while trying to log in. Please try again.</cfoutput>
            </cfcatch>
        </cftry>
    </cfif>
    <!---we are now logged in, so redirect somewhere--->
    <cfif session.preAuthUrl eq "">
        <!---not sure where we came from, so redirect to the homepage--->
        <cflocation url="/" addtoken="no">
    <cfelse>
        <cfif session.preAuthUrl contains "login=1">
            <cfif tmp eq "">
                <cflocation url="/" addtoken="no">
            <cfelse>
                <cflocation url="#tmp#" addtoken="no">
            </cfif>
        <cfelse>
            <cfset tmp=ReReplace(session.preAuthUrl, "^.+\.mysite\.com", "")>
            <cflocation url="#request.author_url##tmp#" addtoken="no">
        </cfif>
    </cfif>
</cfif>
<!---go back to wherever we came from--->
<cflocation url="#cgi.http_referer#" addtoken="no">
Right now it seems that cgi.http_referer does not equal shibboleth_url, which is why the session was not set. In the cgi.http_referer it seems a bunch of character codes are added to it, as shown in a couple of my posts above. I have to figure out a way to extract those extra codes out.
Okay, so how do I remove everything after the SSO in the following cgi.http_referer?
Okay, I got it to work. I need to use reReplace() to extract out the part that I need so that the cfif works and the session gets set.
<!--- strip everything from the first "?" or ";" so that only the base URL is compared --->
<cfset cgiReferer = reReplace(cgi.http_referer, "[\?;].+", "") />
<!--- if shibboleth sent us here, remember the data it gave us--->
<!---<cfif cgi.http_referer eq shibboleth_url>--->
<cfif cgiReferer eq shibboleth_url>
    <cfscript>
        session.testShibboleth = StructNew();
        session.testShibboleth.username=REReplace(http_header.headers.eppn, "@test.com","","ALL");
        session.testShibboleth.mail=http_header.headers.eppn;
        session.testShibboleth.groups=ArrayToList(REMatch('WEB\.[A-Z.-]+', http_header.headers.member));
        session.testShibboleth.isAuthenticated="true";
    </cfscript>
</cfif>
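An added example, not code from any poster in this thread: because the Referer header is supplied by the browser, this sketch builds the session struct from the presence and shape of the eppn attribute instead, and always returns a struct with a username key so the "Element ... USERNAME is undefined" error cannot occur. The function names stripQuery and buildShibUser, the scope argument and the sample values are assumptions, as is a Shibboleth SP that protects this path and passes attributes as request headers.

```cfml
<cfscript>
// Added example (hypothetical helper names). Assumes the Shibboleth SP in front of
// ColdFusion passes attributes as request headers, as the thread's code reads them.
function stripQuery(required string referer) {
    // Drop everything from the first "?" or ";" (query string / path parameters).
    return reReplace(arguments.referer, "[\?;].*$", "");
}

function buildShibUser(required struct headers, required string scope) {
    // Every key exists from the start, so later code can read .username safely.
    var user = { isAuthenticated = false, username = "", mail = "", groups = "" };
    // No eppn header means no identity was asserted: stay unauthenticated.
    if (!structKeyExists(arguments.headers, "eppn") || !len(trim(arguments.headers.eppn))) {
        return user;
    }
    var eppn = trim(arguments.headers.eppn);
    // Accept only local-part@expected-scope; anything else is rejected, not rewritten.
    var scopePattern = replace(arguments.scope, ".", "\.", "all");
    if (!reFindNoCase("^[A-Za-z0-9._-]+@" & scopePattern & "$", eppn)) {
        return user;
    }
    user.mail = eppn;
    user.username = listFirst(eppn, "@");
    // Same rule as the thread's code: prefix usernames that start with a digit.
    if (isNumeric(left(user.username, 1))) {
        user.username = "mysite" & user.username;
    }
    if (structKeyExists(arguments.headers, "member")) {
        user.groups = arrayToList(reMatch("WEB\.[A-Z.-]+", arguments.headers.member));
    }
    user.isAuthenticated = true;
    return user;
}

// Constructed sample input, not captured traffic.
sampleHeaders = { eppn = "jdoe@mysite.com", member = "WEB.EDITORS;WEB.NEWS-TEAM" };
sampleReferer = "https://logintest.mysite.com/idp/profile/SAML2/Redirect/SSO?SAMLRequest=abc";

writeOutput(stripQuery(sampleReferer) & "<br>");
writeDump(buildShibUser(sampleHeaders, "mysite.com"));
writeDump(buildShibUser({}, "mysite.com")); // missing eppn: isAuthenticated stays false
</cfscript>
```

In authenticate.cfm this would replace the cfparam default of "" with `session.mysiteShibboleth = buildShibUser(getHttpRequestData().headers, "mysite.com")`, and the later branch would test `session.mysiteShibboleth.isAuthenticated` rather than `StructKeyExists(Session, "mysiteShibboleth")`.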