by Jonathan Lent
Like many developers, application maintainers, and system administrators at Stanford, I’ve been focusing a lot of time lately on migrating legacy web applications from WebAuth to Shibboleth. Also like many, I’ve found Alex Tayts’ article Migrating away from WebAuth: practical steps very useful during this process. However, as straightforward as that writeup is, it doesn’t account for one thing: the Shibboleth SP software is not perfect.
During a recent deployment, I found that simply enabling the shib2 Apache module on systems running Apache 2.4 caused applications using other AuthTypes (e.g. WebAuth and basic authentication) to suddenly respond with 401 (Unauthorized). This happened before adding any directives that use Shibboleth as the AuthType.
It turns out that this is a known issue with Shibboleth SP versions 2.5.2 and above on servers running Apache 2.4: once the module is loaded, it claims the ‘valid-user’ and ‘user’ require directives for itself, even in locations whose AuthType is something else, so the other auth modules never get to satisfy them. In cases where you use mixed methods of authentication via those directives, a slight tweak is necessary to keep authentication working as it should.
Specifically, you’ll want to override the default value of ShibCompatValidUser in an Apache configuration file. In my case, I simply created a file /etc/apache2/conf-available/shib2.conf with the following contents:
    # Addresses a conflict when using Shibboleth in conjunction with
    # other auth modules by restoring "standard" Apache behavior when
    # processing the "valid-user" and "user" require rules
    ShibCompatValidUser On
Then, I enabled that configuration and reloaded Apache:
    a2enconf shib2
    systemctl reload apache2
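To make the failure mode concrete, here is an added example of the kind of mixed-authentication virtual host this affects, with the compatibility fix alongside it. This is illustrative configuration written for this writeup, not configuration from the original post or from the Shibboleth project; the hostname, the vhost and htpasswd paths, and the /admin, /old and /secure locations are assumptions. The shib2.conf path and directive match what is described above.

```apache
# /etc/apache2/conf-available/shib2.conf
#
# The directive defaults to Off. With that default, on Apache 2.4 and SP 2.5.2+,
# mod_shib handles every "Require valid-user" and "Require user" rule it sees,
# regardless of the AuthType in effect, so the Basic and WebAuth locations below
# start returning 401 as soon as the module is enabled.
ShibCompatValidUser On

# /etc/apache2/sites-available/legacy-app.conf  (assumed vhost for illustration)
<VirtualHost *:443>
    ServerName legacy-app.example.edu          # assumed hostname

    # Not migrated yet: still protected by WebAuth.
    # With ShibCompatValidUser On, mod_webauth satisfies "valid-user" here
    # exactly as it did before mod_shib was loaded.
    <Location /old>
        AuthType WebAuth
        Require valid-user
    </Location>

    # Not migrated yet: HTTP Basic auth for a small admin area.
    # Same rule, handled by mod_auth_basic / mod_authz_user.
    <Location /admin>
        AuthType Basic
        AuthName "Admin area"
        AuthUserFile /etc/apache2/admin.htpasswd   # assumed path
        Require valid-user
    </Location>

    # Already migrated: AuthType shibboleth is set, so this is the only
    # "valid-user" rule mod_shib claims once the compatibility mode is on.
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>
</VirtualHost>
```

After enabling the conf and before reloading, `apache2ctl configtest` catches a misplaced directive, and `apache2ctl -M` confirms the Shibboleth module is actually loaded. A quick way to verify the fix is to request a path in the Basic-auth location with and without valid credentials: with ShibCompatValidUser Off every request gets a 401 from mod_shib, with it On only the unauthenticated one does.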
After that, web applications continued to serve content with their original AuthType directives working as expected, allowing me to approach the move to Shibboleth incrementally, webapp by webapp.
There are likely other Shibboleth-isms that will be uncovered as more varieties of legacy web applications make the move to Shibboleth at Stanford. Hopefully we can remain collaborative in this endeavor!