Adding Shibboleth authentication to Symfony - php

I've been developing a Symfony app (learning Symfony with the goal of replacing an existing "old school" PHP script with it) and am having an issue with putting it "behind" our Shibboleth authentication.
Why do that? For this app I need $_SERVER['REMOTE_USER']. The app doesn't have local accounts, the user doesn't log into the app, but, like many resources, we protect them with some form of authentication.
I have two sites - virtual hosts running on the same physical server. (CentOS 7). The first site has the following in its .htaccess file:
authtype shibboleth
ShibRequestSetting requireSession 1
require valid-user
I have a "phpinfo.php" file in there, too, and can run that script and, after the Shibboleth authentication step, get the output which includes the correct value of REMOTE_USER.
The other virtual host is set up as a Symfony 3.1 app. I've added those three lines to the top of its ".htaccess" file - but after going through the Shibboleth authentication step, the browser gets into a loop and goes no farther. (In Chrome, the 'favicon' is replaced with a looping arrow, and it never stops turning.)
If I hit and then view the source of this still-empty page, I see the following error message:
Error Message: Error decoding authentication request message
I'm not sure how to start to resolve this issue, and was hoping that someone has seen this and knows how to help.
Thanks.
Best,
Stephen

If I understand well, you are trying to make the Service Provider part in Symfony and you already have an IDP working with Shibboleth.
In my case I had a similar problem, and it was because after the assertion the Apache SP was returning to the root URL. I learnt, after reading a lot of documentation, that if this is not set correctly you can add an attribute called homeURL in the shibboleth2.xml configuration:
<ApplicationDefaults entityID="https://sso/saml2/idp/metadata.php"
REMOTE_USER="mail"
homeURL="https://symfonyApp/redirect/after/login">
Try it out and restart the shib daemon: /etc/init.d/shibd restart
It may be something else as well. But it sounds to me that there is some misconfiguration on your SP side.
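On the application side, the question's whole requirement is "I need $_SERVER['REMOTE_USER']". The following is an added example, not code from the question, the answer or Symfony, showing how to read that value once the redirect problem is solved. It assumes the vhost carries the three lines from the question (requireSession 1 and require valid-user, so unauthenticated requests never reach PHP), that Symfony's .htaccess reaches the front controller through a mod_rewrite internal redirect (which is why the REDIRECT_ prefixed copy is also consulted), and that the SP maps an address-shaped attribute such as mail or eppn into REMOTE_USER, as the answer's REMOTE_USER="mail" does. The sample environments are constructed.

```php
<?php
// Added example: reading the identity that mod_shib sets, for an app with no
// accounts of its own. Not part of the original question or answer.

/**
 * Returns the user set by the Shibboleth SP, or null if it is missing.
 *
 * Only server variables are consulted. A request header named "REMOTE_USER"
 * sent by a client shows up as $_SERVER['HTTP_REMOTE_USER'] and is ignored
 * here, because anyone on the internet can send it.
 */
function shibRemoteUser(array $server): ?string
{
    // REDIRECT_REMOTE_USER is where Apache leaves the value after a mod_rewrite
    // internal redirect to app.php (assumption: Symfony's default .htaccess).
    foreach (['REMOTE_USER', 'REDIRECT_REMOTE_USER'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            $user = $server[$key];
            // Assumption for this deployment: REMOTE_USER holds mail/eppn, so an
            // address-shaped value is expected. Anything else means the attribute
            // mapping is wrong, and the app fails closed rather than guessing.
            if (preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$/', $user) === 1) {
                return $user;
            }
            return null;
        }
    }
    return null;
}

// Constructed sample environments, not captured from a real server.
$samples = [
    'direct'        => ['REMOTE_USER' => 'alice@example.edu'],
    'after_rewrite' => ['REDIRECT_REMOTE_USER' => 'bob@example.edu'],
    'client_header' => ['HTTP_REMOTE_USER' => 'admin@example.edu'], // forged by the client, ignored
    'bad_mapping'   => ['REMOTE_USER' => 'alice'],                  // SP exported the wrong attribute
];

foreach ($samples as $name => $env) {
    $user = shibRemoteUser($env);
    printf("%-14s -> %s\n", $name, $user ?? 'DENY (no trusted REMOTE_USER)');
}
```

In a Symfony 3.x application the same trust decision is normally expressed declaratively with the firewall's remote_user option (security.yml, `remote_user:` under the firewall, which reads the REMOTE_USER server variable by default) rather than by touching $_SERVER in a controller; the function above shows what that option relies on.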

Related

How do I add a webhook to my local magento website in mailchimp without exposing the URL publicly (for SEO reasons)?

I am using the magemonkey extension from Ebizmart and when I save my config in the admin I get the following error:
Could not add Webhook "http://example.com/monkey/webhook/index/wkey//" for list "Test Mailing List", error code 508, We couldn't connect to the specified the URL. Please double check and try again.
I did some digging and arrived at the conclusion (duh) that mailchimp cannot see my local environment so it's unable to add the webhook. Is it possible for me to configure this locally for testing purposes or do I have to wait until the site is live (sounds pretty strange to me)?
UPDATE: I reached out to Mailchimp and got the following response. Seems like they won't add a host entry to recognize my test environment. The only way to accomplish this would be to use a handshake key.
Thanks for reaching out to MailChimp support. I can certainly understand the concern here and will be happy to help.
Unfortunately, any webhooks being used must be publicly available and there would not be a way to add a host entry in MailChimp so that the URL can be used.
If your testing environment allows for HandShake keys, one option might be to add that on to the url: (can't add more than 2 links)
At MailChimp we definitely appreciate testing and encourage it with our users and I will be sure to pass this feedback along to our developers so that testing in closed environments might be a bit easier. I also wanted to provide a link to our feedback form in case you wanted to leave some feedback for our developers directly: (can't add more than 2 links)
If you have any additional questions or concerns, feel free to reach back out and we will be happy to help.
Thank you,
Mikey
Use https://ngrok.com/, available for all platforms.
It allows you to tunnel requests to your local dev machine. It's very easy to use, just download and run:
ngrok http 80
Then it'll show you the forwarding URL (where xxx is randomly generated):
Forwarding https://xxxxxxxx.ngrok.io -> localhost:80
Use https://xxxxxxxx.ngrok.io as the beginning of your webhook callback URL.
Once it's running, a web interface is available at http://127.0.0.1:4040 that shows metrics and lets you replay requests.
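Once ngrok makes the local webhook endpoint reachable from the whole internet, the "HandShake key" that MailChimp's reply mentions (the wkey segment of the URL in the question, which is empty there) is the only thing distinguishing MailChimp from anyone else who finds the URL. The following is an added example, not code from the question, the magemonkey extension or MailChimp: a receiver that refuses requests without the expected key and compares it in constant time. It assumes the router has already extracted the wkey parameter into an array, that the expected key comes from an environment variable, and that the body is form-encoded with a type field; the requests are constructed.

```php
<?php
// Added example: key check for a webhook endpoint exposed through a tunnel.
// Not part of the original question or answer.

/**
 * Validates the key carried on the webhook URL.
 * Returns true only for a non-empty key that matches byte-for-byte.
 */
function webhookKeyIsValid(?string $presented, string $expected): bool
{
    if ($expected === '' || $presented === null || $presented === '') {
        // An unconfigured expected key, or a missing/empty parameter (the URL in
        // the question ends in "wkey//"), is a rejection, not a pass.
        return false;
    }
    // Constant-time comparison so the key cannot be recovered byte by byte
    // from response timing.
    return hash_equals($expected, $presented);
}

/**
 * Minimal dispatcher: returns the HTTP status that should be sent.
 * $params are the request parameters as the router extracted them (assumption:
 * the wkey path segment ends up as $params['wkey']); $body is the raw POST body.
 */
function handleWebhook(array $params, string $body, string $expectedKey): int
{
    if (!webhookKeyIsValid($params['wkey'] ?? null, $expectedKey)) {
        return 403;
    }
    // Only parse the body after the key check, and cap its size so a stranger
    // who found the tunnel URL cannot make the parser do unbounded work.
    if (strlen($body) > 65536) {
        return 413;
    }
    parse_str($body, $fields);
    if (!isset($fields['type'])) {
        return 400;
    }
    // ... hand $fields to the application here ...
    return 200;
}

// Constructed requests, not captured traffic. The fallback key is a placeholder.
$expected = getenv('MONKEY_WEBHOOK_KEY') ?: 'replace-with-a-random-32-byte-key';
$tests = [
    'good key'    => [['wkey' => $expected], 'type=subscribe&data%5Bemail%5D=a%40example.com'],
    'wrong key'   => [['wkey' => 'guess'],   'type=subscribe'],
    'empty key'   => [['wkey' => ''],        'type=subscribe'],
    'missing key' => [[],                    'type=subscribe'],
];
foreach ($tests as $name => [$params, $body]) {
    printf("%-12s -> HTTP %d\n", $name, handleWebhook($params, $body, $expected));
}
```

The ngrok inspection UI on port 4040 can replay any request it has seen, including one that carried the real key, so treat the tunnel session itself as sensitive and rotate the key before the site goes live.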

php with symfony website tracing request on production server

I have a PHP website using the Symfony2 framework. I wanted to know what would be the best method to trace incoming requests on the production server in order to troubleshoot client issues. The only way that I know of is using the PHP log file in the C:Windows/Temp directory. Is there any other way of tracing requests and troubleshooting errors with respect to such requests? All the requests to the website are HTTPS, not sure Fiddler can help me in this scenario. Please let me know your feedback on the same.
Thanks
There is more than one way to log client requests.
First, Apache will log incoming requests in the /var/log/www/access.log
Secondly, Symfony has its own logging enabled by default available in app/logs/prod.log
Thirdly, you can implement client-side logging and logging with Monolog, for example: JavaScript errors => send an AJAX request to a log endpoint => log with a Monolog action.
Now, on what type of OS will your site run ? You speak about Windows Temp directory, will your site be hosted on Windows or UNIX servers ? configurations and available tools will then be different.
I am currently working on some project where I plan to do it via GrayLog2 (as #Christophe suggested in a 3rd solution).
I ran some local trials and it seems more than capable of logging just anything.
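The third option in the first answer (browser errors posted to a log endpoint) turns the log into something clients write to, so the endpoint has to make sure a client cannot forge records. The following is an added example, not code from either answer or from Symfony or Monolog: the endpoint's record builder, with a whitelist of fields, length caps and removal of control characters (a CR/LF inside a message would otherwise start a fake line in a plain-text prod.log). It uses error_log() as a stand-in for a Monolog logger so it runs stand-alone; the field names and limits are assumptions, and the two reports are constructed.

```php
<?php
// Added example: sanitising a browser-supplied error report before logging it.
// Not part of the original question or answers.

const MAX_BODY_BYTES = 8192;
const MAX_FIELD_LEN  = 1000;

/**
 * Turns a client-posted JSON error report into one single-line JSON log record,
 * or returns null if the report should be rejected.
 */
function buildClientErrorRecord(string $rawBody, array $server): ?string
{
    if (strlen($rawBody) > MAX_BODY_BYTES) {
        return null;
    }
    $report = json_decode($rawBody, true);
    if (!is_array($report) || !isset($report['message'])) {
        return null;
    }
    $record = ['src' => 'browser', 'ts' => gmdate('c')];
    // Only whitelisted fields are copied; each is truncated, and control
    // characters (CR/LF included) are replaced so one report is one line.
    foreach (['message', 'url', 'stack'] as $field) {
        if (isset($report[$field]) && is_string($report[$field])) {
            $clean = preg_replace('/[\x00-\x1F\x7F]/', ' ', $report[$field]);
            $record[$field] = mb_substr($clean, 0, MAX_FIELD_LEN);
        }
    }
    // Server-side facts about the request, not client claims.
    $record['client_ip'] = $server['REMOTE_ADDR'] ?? 'unknown';
    $record['ua']        = mb_substr($server['HTTP_USER_AGENT'] ?? '', 0, 200);

    $json = json_encode($record, JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE);
    return $json === false ? null : $json;
}

// Constructed input: one honest report, one that tries to inject a fake log line.
$honest = json_encode(['message' => 'TypeError: x is undefined', 'url' => 'https://shop.example/cart']);
$forged = json_encode(['message' => "ok\n[2016-01-01 10:00:00] app.CRITICAL: admin password reset"]);
$server = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (constructed)'];

foreach ([$honest, $forged] as $body) {
    $line = buildClientErrorRecord($body, $server);
    if ($line !== null) {
        error_log($line);   // in the real app: $logger->error('client error', $record)
        echo $line, PHP_EOL;
    }
}
```

The endpoint should also be rate-limited per client IP and, if the site uses sessions, tied to a session, otherwise it is a free write path into the production log for anyone on the internet.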

Filemaker with PHP

I'm using the FileMaker API in PHP to retrieve the records from a FileMaker Pro 11 Advanced database.
But it's showing an error:
Error: Communication Error: (22) The requested URL returned error: 404 - This can be due to an invalid username or password, or if the FMPHP privilege is not enabled for that user.
Though I have set all Extend Privileges and gave it to user.
Please anyone can help me...
Although you mention you've taken care of this, whenever I've come across this problem it's been because the user being used to log in with PHP doesn't have the fmphp extended privilege set.
First know which user you're trying to log in as in PHP. Then, in FileMaker choose File>Manage>Security from the menu bar. Take a look at the Accounts tab and note the privilege set assigned to your web user. Click the Privilege Sets tab and double-click on this privilege set in the list. In the Extended Privilege list on the bottom right make sure there is a checkbox next to "Access via PHP Web Publishing".
While you're there, double-check the password you're working with. It has to be either you're not working with the right extended privilege set or you're not logging in with the right credentials.
I am pretty sure you must have resolved this by now but if you have not here is another suggestion. I had the same issue today and had all the extended privileges set.
The issue was with FileMaker API. Make sure the Php FM API being used is of the same version as the FileMaker server in which your db is hosted. FM Server 11 will require API released for FMS 11. I was using the last standalone API released for FMS 9 and hence it did not work. On updating php to FMAPI 13 I was able to connect and get the layouts.
The FileMaker API for PHP package was included as a .zip file in the following location:
For IIS (Windows): drive:\Program Files\FileMaker\FileMaker Server\Web Publishing\FM_API_for_PHP_Standalone.zip
For Apache (Mac OS): /Library/FileMaker Server/Web Publishing/FM_API_for_PHP_Standalone.zip
Double check your connection params, it should look something like this...
// FileMaker server connection parameters (the FileMaker class comes from the FM API for PHP)
require_once 'FileMaker.php';
$connection = new FileMaker('DBName', 'http://www.domain.com'); // "=& new" is a PHP 4 idiom and a fatal error in PHP 7+
$connection->setProperty('username', 'youruser');
$connection->setProperty('password', 'yourpass');
First, check if the PHP API is installed and running.
On the server, go to http://localhost - You will see a screen telling the PHP API is running. If you see something else, you probably have to dig into the installation of the PHP API - possibly redeploy the server and checking off the PHP API. See that the server passes the web-server test.
Next, Check that the user that logs on to the server has the right privilege set. We usually create a second account for the PHP API, where the privileges are set correctly to MODIFY records, and VIEW Layouts, and of course have the fmphp attribute set.
If you still cannot connect, try from the web-server to do a
wget http://fmhost_ip/
cat index.html
see that you get something that can resemble a FileMaker API running page (look at the HTML code output).
Make sure you get the "FileMaker Database Server Website" landing page on the url (without the /fmi/... address), My issue was using another domain/sub-domain that IIS was using for another website.
I know this is really old. But in addition to the ISAPI fix. I needed to add a URL rewrite rule. The pattern needed to be:
^fmi/(.*)
And the rewrite URL needed to be:
http://localhost:16020/fmi/{R:1}
With those in place, the PHP API started working again.
After a few hours of trying I found a solution to make PHP communicate with IIS: in IIS Manager, on your default web site, go to ISAPI Filters and add this executable, with any name: "C:\Program Files\FileMaker\FileMaker Server\Web Publishing\publishing-engine\web-server-support\iis\isapi_redirect.dll"

facebook app development

I have always developed my projects using MAMP locally and once done simply uploaded everything to a live server. However, I'm wanting to integrate some FB functionality in my current project and I believe I'm correct in saying that it is not possible to fully test FB integration locally. My problem is I don't want to release the project I'm working on until it's finished (or at least nearly finished!) by placing it on a live server. I don't even want people to see a login screen or anything. Is there a way I can upload everything to my domain for testing purposes but prevent anyone apart from me from accessing the site?
It is possible to test almost everything (with quite rare exclusions) related to FB locally.
The only exceptions I can recall are:
Attachments to stream messages
Subscriptions
Btw, if there are other issues I forgot and you're experiencing, you can create a test domain with such a .htaccess in its root:
Order deny,allow
Deny from all
AuthName "Password"
AuthType Basic
AuthUserFile /path/to/.htpasswd
Require valid-user
Allow from 69.63.176.0/20
Satisfy Any
Where 69.63.176.0/20 corresponds to 69.63.176.0 - 69.63.191.255 and belongs to Facebook, and .htpasswd is a password file created with the console utility htpasswd:
htpasswd -c /path/to/.htpasswd musoNic80   # prompts for the password
With such a .htaccess, everyone except someone with a Facebook IP will be required to enter a valid login/password through basic HTTP auth.
Also, if you have a dynamic but your own IP (given only to you once you log in to your PPPoE (or whatever you use) session, and changing after you re-log in), you could use http://no-ip.org to have your local host shared outside, and thus available to Facebook.
It's super simple: check out localtunnel and plug the URL into Facebook. This will expose your computer to the net in a very limited way and will shut the tunnel when you choose to.
http://progrium.com/localtunnel/
I'm not sure if this works on Windows but I'm sure there's something similar.
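The .htaccess in the first answer relies on "Satisfy Any": a request passes if either the Allow rule matches the client IP or Basic auth succeeds, and "Deny from all" closes the IP path for everyone else. The following is an added example, not code from the answer or from Apache: the same decision reproduced in PHP so the rule can be tested against addresses at the edges of the range, plus a generator for the .htpasswd line. It uses bcrypt, which is what Apache 2.4's htpasswd -B writes and what password_hash() produces, so the generated line is usable directly instead of the weaker default hash. The CIDR is the one the answer cites (verify it against Facebook's current ranges before relying on it); the account name is the one from the answer, the password and client addresses are constructed.

```php
<?php
// Added example: the "Satisfy Any" access decision and a bcrypt .htpasswd entry.
// Not part of the original question or answers.

/** True if $ip (IPv4 dotted quad) falls inside $cidr, e.g. "69.63.176.0/20". */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = $bits === '0' ? 0 : (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** One .htpasswd line with a bcrypt hash (equivalent of: htpasswd -B -c file user). */
function htpasswdLine(string $user, string $password): string
{
    return $user . ':' . password_hash($password, PASSWORD_BCRYPT);
}

/** Checks Basic-auth credentials against the lines of an .htpasswd file. */
function htpasswdVerify(array $lines, ?string $user, ?string $password): bool
{
    foreach ($lines as $line) {
        [$u, $hash] = explode(':', trim($line), 2) + [null, null];
        if ($u === $user && $hash !== null) {
            return password_verify((string) $password, $hash);
        }
    }
    return false;
}

/**
 * "Satisfy Any": pass if EITHER the Allow rule matches the client IP OR Basic
 * auth succeeds. "Deny from all" means no other IP gets through on its own.
 */
function satisfyAny(string $clientIp, ?string $user, ?string $pass, array $htpasswd, array $allowCidrs): bool
{
    foreach ($allowCidrs as $cidr) {
        if (ipInCidr($clientIp, $cidr)) {
            return true;
        }
    }
    return htpasswdVerify($htpasswd, $user, $pass);
}

// Constructed data, not a real password file.
$htpasswd = [htpasswdLine('musoNic80', 'correct horse battery staple')];
$allow    = ['69.63.176.0/20'];

$cases = [
    ['69.63.176.0',  null,        null,                           true],  // first address of the range
    ['69.63.191.255', null,       null,                           true],  // last address of the range
    ['69.63.192.1',  null,        null,                           false], // one past the range, no credentials
    ['198.51.100.4', 'musoNic80', 'correct horse battery staple', true],  // outside, good password
    ['198.51.100.4', 'musoNic80', 'wrong',                        false],
];
foreach ($cases as [$ip, $u, $p, $expected]) {
    $got = satisfyAny($ip, $u, $p, $htpasswd, $allow);
    printf("%-14s user=%-10s -> %s%s\n", $ip, $u ?? '-', $got ? 'ALLOW' : 'DENY', $got === $expected ? '' : '  (UNEXPECTED)');
}
```

Basic auth sends the password with every request, so this only protects a staging site if the vhost is HTTPS-only; on plain HTTP the password is readable by anyone on the path.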

How can I implement single sign-on (SSO) using Microsoft AD for an internal PHP app?

I'm vaguely aware that on a computer joined to a domain IE can be asked to send some extra headers that I could use to automatically sign on to an application. I've got apache running on a windows server with mod_php. I'd like to be able to avoid the user having to log in if necessary. I've found some links talking about Kerberos and Apache modules.
http://www.onlamp.com/pub/a/onlamp/2003/09/11/kerberos.html?page=last
https://metacpan.org/pod/Apache2::AuthenNTLM
Since I'm running on Windows it's proven to be non-trivial to get Perl or Apache modules installed. But doesn't PHP already have access to HTTP headers?
I found this but it doesn't do any authentication, it just shows that PHP can read the NTLM headers.
http://siphon9.net/loune/2007/10/simple-lightweight-ntlm-in-php/
I'd like to be able to have my users just point to the application and have them automatically authenticated. Has anyone had any experience with this or gotten it to work at all?
UPDATE
Since originally posting this question, we've changed setups to nginx and php-fcgi still running on windows. Apache2 and php-cgi on windows is probably one of the slowest setups you could configure on windows. It's looking like Apache might still be needed (it works with php-fcgi) but I would prefer a nginx solution.
I also still don't understand (and would love to be educated) why HTTP server plugins are necessary and we can't have a PHP, web server agnostic solution.
All you need is the mod_auth_sspi Apache module.
Sample configuration:
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain mydomain
# Set this if you want to allow access with clients that do not support NTLM, or via proxy from outside. Don't forget to require SSL in this case!
SSPIOfferBasic On
# Set this if you have only one domain and don't want the MYDOMAIN\ prefix on each user name
SSPIOmitDomain On
# AD user names are case-insensitive, so use this for normalization if your application's user names are case-sensitive
SSPIUsernameCase Lower
AuthName "Some text to prompt for domain credentials"
Require valid-user
And don't forget that you can also use Firefox for transparent SSO in a Windows domain: Simply go to about:config, search for network.automatic-ntlm-auth.trusted-uris, and enter the host name or FQDN of your internal application (like myserver or myserver.corp.domain.com). You can have more than one entry, it's a comma-separated list.
I'd be curious about a solution that uses OpenID as a backend (of sorts) for this... I wasn't seeing anything that would hook into ActiveDirectory directly when I googled (quickly). However, it could be pretty painless to implement over plain HTTP(S) (you'd be an OpenID provider that checked credentials against your local AD). In a best case scenario, you might be able to just add a couple classes to your app and be off and running -- no web server modules required. There is a lot of open source code out there for either side of this, so if nothing else, it's worth taking a look. If you exposed the backend to the users (i.e. gave them OpenID URLs), you'd have the added benefit of them being able to log in to more than just your internal sites using these credentials. (Example: Stack Overflow.)
As an aside, I'd be against making it so that Internet Explorer is required. I'm not sure if that is the goal from the way you wrote the question, but depending on your IT environment, I'd expect people who use Firefox or Safari (or Opera or ...) to be less than enthusiastic. (You're not developing against IE first, are you? That's been painful whenever I've done so.) This is not to say that you couldn't use this feature of IE, just that it shouldn't be the only option. The link you posted stated that NTLM worked with more than IE, but since I don't have any experience with it, it's hard to judge how well that would work.
I had a similar problem which I needed to solve for my organization.
I was looking into using adLDAP.
There is some documentation on the site for achieving seamless authentication with Active Directory too.
One option for you is to use CAS (central authentication service).
It has php client library.
How-to link to MS Active Directory: http://www.ja-sig.org/wiki/display/CASUM/Active+Directory
You would require Apache maven 2 though.
For IIS/PHP FCGI, you need to send out an unauthorized header:
function EnableAuthentication()
{
    // Send the 401 challenge; once the browser has authenticated, the web
    // server fills in REMOTE_USER on the following requests.
    $realm = "yoursite";
    // A nonce is only useful if it is unpredictable; uniqid() is not, so draw
    // it from the CSPRNG instead.
    $nonce = bin2hex(random_bytes(16));
    header('WWW-Authenticate: Digest realm="'.$realm.'",qop="auth",nonce="'.$nonce.'",opaque="'.md5($realm).'"');
    header("HTTP/1.1 401 Unauthorized");
    exit;
}
You can then get at the username with:
$winuser = $_SERVER["REMOTE_USER"];
I then make sure the $winuser is in my database of allowed users.
Be SURE to test this under a non-privileged account. When I first installed this I tested it and it worked fine, but later when a standard non-server-admin user tried it, it failed. Turns out some of the temporary directories need to have permissions changed for guest users. I can't recall the exact settings.
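Whichever server fronts the app, what it leaves in REMOTE_USER is "MYDOMAIN\Alice" (NTLM/SSPI form), "alice@mydomain.corp.example" (Kerberos/UPN form) or a bare name, depending on the SSPIOmitDomain setting in the first answer, and the case of the name is not stable because AD names are case-insensitive (the reason for SSPIUsernameCase Lower). The following is an added example, not code from any answer above: the "make sure the user is in my database of allowed users" step from the last answer, with the normalization that the Apache options perform done in PHP so the check behaves the same under Apache, IIS or nginx. The domain name, the UPN suffix handling and the allowed-user list are assumptions; the inputs are constructed.

```php
<?php
// Added example: normalising a Windows-authenticated REMOTE_USER before an
// allow-list check. Not part of the original question or answers.

const EXPECTED_DOMAIN = 'mydomain';   // assumption: the single domain the site trusts

/**
 * Normalizes "MYDOMAIN\Alice", "alice@mydomain.corp.example" or "alice" to "alice".
 * Returns null when a domain part is present but is not the trusted one, so a
 * same-named account from another (trusted, but foreign) domain cannot match.
 */
function normalizeWindowsUser(string $remoteUser, string $expectedDomain = EXPECTED_DOMAIN): ?string
{
    $remoteUser = trim($remoteUser);
    if ($remoteUser === '') {
        return null;
    }
    if (strpos($remoteUser, '\\') !== false) {          // DOMAIN\user (NTLM/SSPI form)
        [$domain, $user] = explode('\\', $remoteUser, 2);
    } elseif (strpos($remoteUser, '@') !== false) {     // user@domain.fqdn (Kerberos/UPN form)
        [$user, $fqdn] = explode('@', $remoteUser, 2);
        $domain = explode('.', $fqdn, 2)[0];            // assumption: first DNS label is the NetBIOS name
    } else {                                            // bare name (SSPIOmitDomain On)
        [$domain, $user] = [$expectedDomain, $remoteUser];
    }
    if (strcasecmp($domain, $expectedDomain) !== 0 || $user === '') {
        return null;
    }
    // AD names are case-insensitive; the application compares case-sensitively.
    return strtolower($user);
}

/** The "is this Windows user in my database of allowed users" step. */
function isAllowedUser(array $server, array $allowed): bool
{
    $raw  = $server['REMOTE_USER'] ?? '';   // set by the web server, never read from a client header
    $user = normalizeWindowsUser($raw);
    return $user !== null && in_array($user, $allowed, true);
}

// Constructed inputs, not real accounts.
$allowed = ['alice', 'bob'];
$samples = [
    'MYDOMAIN\\Alice'             => true,
    'alice@mydomain.corp.example' => true,
    'bob'                         => true,
    'OTHERDOMAIN\\alice'          => false,  // same name, wrong domain
    'carol'                       => false,  // not on the list
    ''                            => false,  // anonymous request reached PHP: fail closed
];
foreach ($samples as $remoteUser => $expected) {
    $got = isAllowedUser(['REMOTE_USER' => $remoteUser], $allowed);
    printf("%-30s -> %s%s\n", var_export($remoteUser, true), $got ? 'allow' : 'deny', $got === $expected ? '' : '  (UNEXPECTED)');
}
```

The empty-string case is the one the last answer's warning is really about: when authentication fails for a non-admin user because of filesystem permissions, the request may still reach PHP with no REMOTE_USER, and the application must treat that as denied rather than as a valid anonymous user.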
