Shibboleth SP Installation and Configuration for Bamboo Trust Federation Clients -- Fall 2013 corrections
Overview
SAML 2.0 is the lingua franca for Authentication messages passed between participants in the Bamboo Trust Federation. In phase one of the Bamboo Technology Project, the Bamboo-deployed participants were enabled to 'speak SAML' through installation of Shibboleth SP (Shibboleth Service Provider). Institutional Identity Providers tested during the project included Shibboleth installations at U. Wisconsin - Madison and UC Berkeley. Social media identity providers tested during the project were mediated by a Social/SAML gateway, described on the page Shibboleth SP Installation and Configuration for Bamboo Trust Federation Clients -- Fall 2013 corrections.
This wiki page describes in a focused recipe the installation and configuration of Shibboleth SP for participation in the Bamboo Trust Federation; authoritative documentation on the Shibboleth web site is referenced. The recipe assumes that installation is being performed on a CentOS 5/6 Linux server; minor differences will apply when installing atop a different operating system.
Installation of Shibboleth SP
Follow the instructions at: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRPMInstall
Begin at the section "Installing via Yum"
These instructions assume that the Apache Web Server (httpd) is already installed on the server.
1. Copy CentOS 5/6 yum repo file contents from http://download.opensuse.org/repositories/security://shibboleth/CentOS_CentOS-6/security:shibboleth.repo then paste into and save to new file /etc/yum.repos.d/security-shibboleth.repo
# cat /etc/yum.repos.d/security-shibboleth.repo
[security_shibboleth]
name=Shibboleth (CentOS_CentOS-6)
type=rpm-md
baseurl=http://download.opensuse.org/repositories/security:/shibboleth/CentOS_CentOS-6/
gpgcheck=1
gpgkey=http://download.opensuse.org/repositories/security:/shibboleth/CentOS_CentOS-6/repodata/repomd.xml.key
enabled=1
2. Install Shibboleth SP
yum install shibboleth.x86_64
3. Follow "After Installation" instructions at https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRPMInstall
4. Enable Shibboleth (shibd) to add entries to native.log, by giving apache ownership of the httpd directory in /var/log:
chown apache /var/log/httpd
shibd should now be installed, logging and ready for use:
# /sbin/service shibd start
Starting shibd (via systemctl): [ OK ]
5. Create file containing the installation-time-generated metadata
[root@bsp-test userx]# wget --no-check-certificate https://127.0.0.1/Shibboleth.sso/Metadata
--2012-06-01 09:30:29-- https://127.0.0.1/Shibboleth.sso/Metadata
Connecting to 127.0.0.1:443... connected.
WARNING: certificate common name "*.projectbamboo.org" doesn't match requested host name "127.0.0.1".
HTTP request sent, awaiting response... 200 OK
Length: 4228 (4.1K) [application/samlmetadata+xml]
Saving to: "Metadata"
Progress bar 100%[========================================================================>] 4,228 --.-K/s in 0s
6. Edit the auto-generated metadata
... substituting appropriate filenames, hostname, URLs, etc.
<Host name="sp.example.org"> ...changed to... <Host name="bsp-test.projectbamboo.org">
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"> ...changed to... <ApplicationDefaults entityID="https://bsp-test.projectbamboo.org/shibboleth-sp">
<entityID="https://idp.example.org/shibboleth"> ...changed to... <entityID="https://logintest.wisc.edu/idp/shibboleth">
<MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"> ...changed to... <MetadataProvider type="XML" uri="http://bsp-int.projectbamboo.org/metadata/ProjectBambooSaml2Metadata.xml">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="fedsigner.pem"/>
...changed to...
<!-- <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/> -->
<!-- <MetadataFilter type="Signature" certificate="fedsigner.pem"/> -->
7. Send the edited metadata file to the appropriate person or list through which the master Bamboo Trust Federation metadata file is maintained.
As Project Bamboo no longer maintains a Trust Federation, specific addresses can't be provided here. However, a copy of the master metadata file in use during the active period of the Bamboo Technology Project – ProjectBambooSaml2Metadata.xml – is versioned in the project's code repository, at the following URL:
This may or may not prove a helpful reference.
Configuration of Shibboleth SP
For next steps, see https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPGettingStarted
The Shibboleth configuration files are all found in /etc/shibboleth:
# ls -la /etc/shibboleth
total 304
drwxr-xr-x 2 root root 4096 Jun 1 09:10 .
drwxr-xr-x 75 root root 4096 Jun 1 09:10 ..
-rw-r--r-- 1 root root 827 Aug 6 2011 accessError.html
-rw-r--r-- 1 root root 827 Aug 6 2011 accessError.html.dist
-rw-r--r-- 1 root root 1122 Aug 6 2011 apache22.config
-rw-r--r-- 1 root root 1122 Aug 6 2011 apache2.config
-rw-r--r-- 1 root root 1446 Aug 6 2011 apache.config
-rw-r--r-- 1 root root 8049 Aug 6 2011 attribute-map.xml
-rw-r--r-- 1 root root 8049 Aug 6 2011 attribute-map.xml.dist
-rw-r--r-- 1 root root 3055 Aug 6 2011 attribute-policy.xml
-rw-r--r-- 1 root root 3055 Aug 6 2011 attribute-policy.xml.dist
-rw-r--r-- 1 root root 1895 Aug 6 2011 bindingTemplate.html
-rw-r--r-- 1 root root 1895 Aug 6 2011 bindingTemplate.html.dist
-rw-r--r-- 1 root root 1171 Aug 6 2011 console.logger
-rw-r--r-- 1 root root 1171 Aug 6 2011 console.logger.dist
-rw-r--r-- 1 root root 1514 Aug 6 2011 discoveryTemplate.html
-rw-r--r-- 1 root root 1514 Aug 6 2011 discoveryTemplate.html.dist
-rw-r--r-- 1 root root 10140 Aug 6 2011 example-metadata.xml
-rw-r--r-- 1 root root 10140 Aug 6 2011 example-metadata.xml.dist
-rw-r--r-- 1 root root 14092 Aug 6 2011 example-shibboleth2.xml
-rw-r--r-- 1 root root 14092 Aug 6 2011 example-shibboleth2.xml.dist
-rw-r--r-- 1 root root 832 Aug 6 2011 globalLogout.html
-rw-r--r-- 1 root root 832 Aug 6 2011 globalLogout.html.dist
-rwxr-xr-x 1 root root 2040 Aug 6 2011 keygen.sh
-rw-r--r-- 1 root root 627 Aug 6 2011 localLogout.html
-rw-r--r-- 1 root root 627 Aug 6 2011 localLogout.html.dist
-rw-r--r-- 1 root root 1102 Aug 6 2011 metadataError.html
-rw-r--r-- 1 root root 1102 Aug 6 2011 metadataError.html.dist
-rwxr-xr-x 1 root root 7752 Aug 6 2011 metagen.sh
-rw-r--r-- 1 root root 1710 Aug 6 2011 native.logger
-rw-r--r-- 1 root root 1710 Aug 6 2011 native.logger.dist
-rw-r--r-- 1 root root 643 Aug 6 2011 partialLogout.html
-rw-r--r-- 1 root root 643 Aug 6 2011 partialLogout.html.dist
-rw-r--r-- 1 root root 1309 Aug 6 2011 postTemplate.html
-rw-r--r-- 1 root root 1309 Aug 6 2011 postTemplate.html.dist
-rw-r--r-- 1 root root 2318 Aug 6 2011 protocols.xml
-rw-r--r-- 1 root root 2318 Aug 6 2011 protocols.xml.dist
-rw-r--r-- 1 root root 1347 Aug 6 2011 security-policy.xml
-rw-r--r-- 1 root root 1347 Aug 6 2011 security-policy.xml.dist
-rw-r--r-- 1 root root 1218 Aug 6 2011 sessionError.html
-rw-r--r-- 1 root root 1218 Aug 6 2011 sessionError.html.dist
-rw-r--r-- 1 root root 5865 Aug 6 2011 shibboleth2.xml
-rw-r--r-- 1 root root 5865 Aug 6 2011 shibboleth2.xml.dist
-rw-r--r-- 1 root root 2371 Aug 6 2011 shibd-debian
-rw-r--r-- 1 root root 2682 Aug 6 2011 shibd.logger
-rw-r--r-- 1 root root 2682 Aug 6 2011 shibd.logger.dist
-rw-r--r-- 1 root root 673 Aug 6 2011 shibd-osx.plist
-rw-r--r-- 1 root root 1626 Aug 6 2011 shibd-redhat
-rw-r--r-- 1 root root 3349 Aug 6 2011 shibd-suse
-rw-r--r-- 1 root root 1131 Jun 1 09:10 sp-cert.pem
-rw------- 1 root root 1704 Jun 1 09:10 sp-key.pem
-rw-r--r-- 1 root root 860 Aug 6 2011 sslError.html
-rw-r--r-- 1 root root 860 Aug 6 2011 sslError.html.dist
-rw-r--r-- 1 root root 1252 Aug 6 2011 syslog.logger
-rw-r--r-- 1 root root 1252 Aug 6 2011 syslog.logger.dist
-rw-r--r-- 1 root root 23671 Aug 6 2011 upgrade.xsl
1. Generate a self-signed X.509 certificate that the Shibboleth SP will use to sign protocol messages
[root@bsp-test userx]# openssl req -x509 -nodes -days 3660 -newkey rsa:2048 -keyout userx.key -out userx.pem
Generating a 2048 bit RSA private key
.........................................................+++
......................................................................................................................................+++
writing new private key to 'khazelton1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Wisconsin
Locality Name (eg, city) []:Madison
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organization Y
Organizational Unit Name (eg, section) []:Security
Common Name (eg, YOUR name) []:User X
Email Address []:userx@gmail.com
2. Check the certificate contents
[root@bsp-test userx]# openssl x509 -text -in /etc/shibboleth/sp-cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8d:15:6f:fa:83:f5:2c:83
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=bsp-test.projectbamboo.org
        Validity
            Not Before: Jun 1 13:10:37 2012 GMT
            Not After : May 30 13:10:37 2022 GMT
        Subject: CN=bsp-test.projectbamboo.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c8:64:78:cc:f9:f1:6e:bc:51:56:f9:c2:bd:95:
                    fc:90:8c:f8:df:9e:f2:f2:c1:7e:2f:59:ef:23:7c:
                    ce:86:5e:83:d8:4d:8e:af:bd:3f:13:ab:fc:a3:14:
                    0d:69:b2:98:66:1d:f8:09:e6:c6:f8:25:a5:e0:1c:
                    17:21:c2:5f:ce:97:c9:e9:20:22:9d:bd:4d:87:0c:
                    3c:a4:16:71:c9:cf:43:fd:b4:1d:ed:ad:94:1d:d7:
                    b4:68:ac:df:d1:0d:24:d0:bd:34:a8:c1:c1:be:71:
                    3a:3f:e2:01:8a:a5:ed:4d:b8:32:c7:d5:7b:2a:1c:
                    b7:4d:a2:26:50:6e:b5:8b:4b:c8:47:1a:b1:99:fa:
                    bf:70:82:83:03:3d:a6:71:43:f5:c0:63:9e:25:44:
                    0e:f2:cf:0a:87:df:f4:65:7e:26:8e:0e:29:33:56:
                    0f:86:36:10:b0:f2:7f:ea:3e:bb:09:c3:20:a2:56:
                    c7:12:d5:4e:b4:73:32:b5:a3:39:91:5a:68:5c:33:
                    2a:da:4b:d3:96:2a:29:6c:d2:31:99:32:43:b8:17:
                    06:21:ab:f6:e2:da:2a:d9:23:f6:65:11:73:55:b1:
                    2e:1a:3d:8c:33:2f:10:15:dd:0b:5e:22:1c:97:a7:
                    7c:f6:4e:1d:df:2e:2b:95:04:37:63:08:5b:24:e2:
                    c0:b1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:bsp-test.projectbamboo.org
            X509v3 Subject Key Identifier:
                11:7F:A2:BD:D7:00:1B:DA:19:18:A6:7F:E3:92:27:63:E7:81:88:C7
    Signature Algorithm: sha1WithRSAEncryption
3. The primary configuration of shibboleth is in shibboleth2.xml
Start with example-shibboleth2.xml and make the following edits (substituting appropriate filenames, hostname, URLs, etc.):
<Host name="sp.example.org"> …changed to… <Host name="bsp-test.projectbamboo.org">
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"> …changed to… <ApplicationDefaults entityID="https://bsp-test.projectbamboo.org/shibboleth-sp">
<entityID="https://idp.example.org/shibboleth"> …changed to… <entityID="https://idp.foo.edu/idp/shibboleth">
<Errors supportContact="root@localhost"> …changed to… <Errors supportContact="userx@gmail.com">
<MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"> …changed to… <MetadataProvider type="XML" uri="http://metazome.info/metadata/ProjectBambooSaml2Metadata.xml">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="fedsigner.pem"/>
…changed to…
<!-- <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/> -->
<!-- <MetadataFilter type="Signature" certificate="fedsigner.pem"/> -->
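A check for the MetadataProvider edit made here and in the earlier metadata step, both of which comment out the two MetadataFilter lines while loading metadata from an http:// URI. This is an added example, not part of the original wiki page or the Shibboleth project: it parses a shibboleth2.xml-style document and reports providers that are loaded without signature or validity filtering. The sample XML is constructed from the values on this page; the function name and finding codes are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the MetadataProvider as this recipe leaves it
# (plain-HTTP uri, both MetadataFilter lines commented out).
AS_EDITED = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://bsp-test.projectbamboo.org/shibboleth-sp">
    <MetadataProvider type="XML"
        uri="http://metazome.info/metadata/ProjectBambooSaml2Metadata.xml">
      <!-- <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/> -->
      <!-- <MetadataFilter type="Signature" certificate="fedsigner.pem"/> -->
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed sample: the same provider with the stock filters left enabled.
WITH_FILTERS = AS_EDITED.replace("<!-- ", "").replace(" -->", "")


def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def audit_metadata_providers(xml_text):
    """Return (uri, code) pairs for MetadataProviders loaded without checks.

    Commented-out filters are invisible here, as they are to shibd:
    ElementTree's default parser discards XML comments.
    """
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "MetadataProvider" or el.get("type") == "Chaining":
            continue  # a Chaining provider only wraps the real ones
        uri = el.get("uri", "(no uri attribute)")  # attribute used on this page
        active = {f.get("type") for f in el if local(f.tag) == "MetadataFilter"}
        if "Signature" not in active:
            findings.append((uri, "NO_SIGNATURE_FILTER"))
            if uri.lower().startswith("http://"):
                # Unsigned and unencrypted: the SP cannot detect metadata
                # that was altered in transit.
                findings.append((uri, "PLAIN_HTTP_UNSIGNED"))
        if "RequireValidUntil" not in active:
            findings.append((uri, "NO_VALIDUNTIL_FILTER"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("as edited", AS_EDITED), ("filters enabled", WITH_FILTERS)):
        print(name, audit_metadata_providers(cfg) or "no findings")
```

To audit a live host, pass the contents of /etc/shibboleth/shibboleth2.xml to audit_metadata_providers().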
Initial testing of Shibboleth SP
1. Add support for PHP so test routines can be run
yum install php
2. Edit /etc/httpd/conf/httpd.conf to add support for PHP
Add lines in three places:
(a) In the LoadModule section:
LoadModule php5_module modules/libphp5.so
AddHandler php5-script .php
(b) In the DirectoryIndex section:
DirectoryIndex index.html index.php index.html.var
(c) In the AddType section:
AddType text/html .php
# PHP Syntax Coloring
# (optional but useful for reading PHP source for debugging):
3. Add an index.php to a directory under Apache Web Server's DocumentRoot
Assumption: the directory secure is created under Apache Web Server's DocumentRoot, and is reachable over https. A file index.php is to be written to that directory.
The contents of index.php should be something like the following (with URL changes as appropriate):
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <title>bsp-test.projectbamboo.org</title>
  <!-- Install-time version -->
</head>
<body>
  <p>Host bsp-test.projectbamboo.org on <?php echo date("Y/m/d") . "<br />"; ?></p>
  <!-- phpinfo() dumps the Apache environment, including the Shib-* variables -->
  <?php phpinfo(); ?>
</body>
</html>
Note the invocation of phpinfo(), which prints the Apache environment variables inspected in the next step.
4. Browse to the location of index.php
E.g.,
https://bsp-test.projectbamboo.org/secure
The browser is redirected to testshib IdP and after the user authenticates, phpinfo displays Apache environment variables showing successful population of shib-* attributes:
Apache Environment
Variable  Value
Shib-Application-ID  default
Shib-Session-ID  _6204693b1baadd4d44c923bc0328ce51
Shib-Identity-Provider  https://logintest.wisc.edu/idp/shibboleth
Shib-Authentication-Instant  2012-06-01T17:26:19.966Z
Shib-Authentication-Method  urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Shib-AuthnContext-Class  urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Shib-Session-Index  c1de003c14a3d2082aea4964abf434d751326b31b420bfe12a8bf87421abcbe8
persistent-id  https://logintest.wisc.edu/idp/shibboleth!https://bsp-test.projectbamboo.org/shibboleth-sp!MOowG6LgaWBB8ezMJzgOVBxGykk=;https://logintest.wisc.edu/idp/shibboleth!https://bsp-test.projectbamboo.org/shibboleth-sp!MOowG6LgaWBB8ezMJzgOVBxGykk=
HTTPS  on
SSL_TLS_SNI  bsp-test.projectbamboo.org
SSL_SERVER_S_DN_O  *.projectbamboo.org
SSL_SERVER_S_DN_OU  Domain Control Validated
SSL_SERVER_S_DN_CN  *.projectbamboo.org
SSL_SERVER_I_DN_C  US
SSL_SERVER_I_DN_ST  Arizona
SSL_SERVER_I_DN_L  Scottsdale
SSL_SERVER_I_DN_O  GoDaddy.com, Inc.
SSL_SERVER_I_DN_OU  http://certificates.godaddy.com/repository
SSL_SERVER_I_DN_CN  Go Daddy Secure Certification Authority
SSL_VERSION_INTERFACE  mod_ssl/2.2.22
SSL_VERSION_LIBRARY  OpenSSL/1.0.0g-fips
SSL_PROTOCOL  TLSv1
SSL_SECURE_RENEG  true
SSL_COMPRESS_METHOD  DEFLATE
SSL_CIPHER  DHE-RSA-CAMELLIA256-SHA
SSL_CIPHER_EXPORT  false
SSL_CIPHER_USEKEYSIZE  256
SSL_CIPHER_ALGKEYSIZE  256
SSL_CLIENT_VERIFY  NONE
SSL_SERVER_M_VERSION  3
SSL_SERVER_M_SERIAL  0437AC49ECE525
SSL_SERVER_V_START  Mar 7 00:34:44 2012 GMT
SSL_SERVER_V_END  Apr 19 01:06:11 2013 GMT
SSL_SERVER_S_DN  /O=*.projectbamboo.org/OU=Domain Control Validated/CN=*.projectbamboo.org
SSL_SERVER_I_DN  /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
SSL_SERVER_A_KEY  rsaEncryption
SSL_SERVER_A_SIG  sha1WithRSAEncryption
SSL_SESSION_ID  3CB6C7DCE97863877E9FBEE237746AE8F9FF1ABB4F466679A4D7F2548C524320
HTTP_HOST  bsp-test.projectbamboo.org
HTTP_CONNECTION  keep-alive
HTTP_CACHE_CONTROL  max-age=0
HTTP_USER_AGENT  Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.21 Safari/536.11
HTTP_ACCEPT  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_REFERER  https://logintest.wisc.edu/idp/profile/SAML2/Redirect/SSO
HTTP_ACCEPT_ENCODING  gzip,deflate,sdch
HTTP_ACCEPT_LANGUAGE  en-US,en;q=0.8
HTTP_ACCEPT_CHARSET  UTF-8,*;q=0.5
HTTP_COOKIE  _shibsession_64656661756c7468747470733a2f2f6273702d746573742e70726f6a65637462616d626f6f2e6f72672f73686962626f6c6574682d7370=_6204693b1baadd4d44c923bc0328ce51
PATH  /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SERVER_SIGNATURE  <address>Apache/2.2.22 (Fedora) Server at bsp-test.projectbamboo.org Port 443</address>
SERVER_SOFTWARE  Apache/2.2.22 (Fedora)
SERVER_NAME  bsp-test.projectbamboo.org
SERVER_ADDR  74.207.248.136
SERVER_PORT  443
REMOTE_ADDR  128.104.17.180
DOCUMENT_ROOT  /var/www/html
SERVER_ADMIN  root@localhost
SCRIPT_FILENAME  /var/www/html/secure/index.php
REMOTE_PORT  50658
REMOTE_USER  https://logintest.wisc.edu/idp/shibboleth!https://bsp-test.projectbamboo.org/shibboleth-sp!MOowG6LgaWBB8ezMJzgOVBxGykk=
AUTH_TYPE  shibboleth
GATEWAY_INTERFACE  CGI/1.1
SERVER_PROTOCOL  HTTP/1.1
REQUEST_METHOD  GET
QUERY_STRING  no value
REQUEST_URI  /secure/
SCRIPT_NAME  /secure/index.php