This wiki space contains archival documentation of Project Bamboo, April 2008 - March 2013.
SAML 2.0 is the lingua franca for Authentication messages passed between participants in the Bamboo Trust Federation. In phase one of the Bamboo Technology Project, the Bamboo-deployed participants were enabled to 'speak SAML' through installation of Shibboleth SP (Shibboleth Service Provider). Institutional Identity Providers tested during the project included Shibboleth installations at U. Wisconsin - Madison and UC Berkeley. Social media identity providers tested during the project were mediated by a Social/SAML gateway, described on the page Social/SAML Gateway to enable social media identity provision.
This wiki page describes in a focused recipe the installation and configuration of Shibboleth SP for participation in the Bamboo Trust Federation; authoritative documentation on the Shibboleth web site is referenced. The recipe assumes that installation is being performed on a CentOS 5/6 Linux server; minor differences will apply when installing atop a different operating system.
Follow the instructions at: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRPMInstall
Begin at the section "Installing via Yum"
These instructions assume that the Apache Web Server (httpd) is already installed on the server.
1. Copy the CentOS 5/6 yum repo file contents from http://download.opensuse.org/repositories/security:/shibboleth/CentOS_CentOS-6/security:shibboleth.repo, then paste them into a new file, /etc/yum.repos.d/security-shibboleth.repo, and save it.
# cat /etc/yum.repos.d/security-shibboleth.repo
[security_shibboleth]
name=Shibboleth (CentOS_CentOS-6)
type=rpm-md
baseurl=http://download.opensuse.org/repositories/security:/shibboleth/CentOS_CentOS-6/
gpgcheck=1
gpgkey=http://download.opensuse.org/repositories/security:/shibboleth/CentOS_CentOS-6/repodata/repomd.xml.key
enabled=1
2. Install Shibboleth SP
yum install shibboleth.x86_64
3. Follow "After Installation" instructions at https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRPMInstall
4. Enable Shibboleth (shibd) to add entries to native.log, by giving apache ownership of the httpd directory in /var/log:
chown apache /var/log/httpd
shibd should now be installed, logging and ready for use:
# /sbin/service shibd start
Starting shibd (via systemctl): [ OK ]
5. Create a file containing the installation-time-generated metadata
[root@bsp-test userx]# wget --no-check-certificate https://127.0.0.1/Shibboleth.sso/Metadata
--2012-06-01 09:30:29-- https://127.0.0.1/Shibboleth.sso/Metadata
Connecting to 127.0.0.1:443... connected.
WARNING: certificate common name "*.projectbamboo.org" doesn't match requested host name "127.0.0.1".
HTTP request sent, awaiting response... 200 OK
Length: 4228 (4.1K) [application/samlmetadata+xml]
Saving to: "Metadata"
Progress bar 100%[========================================================================>] 4,228 --.-K/s in 0s
6. Edit the auto-generated metadata, substituting appropriate filenames, hostname, URLs, etc.
<Host name="sp.example.org">
...changed to...
<Host name="bsp-test.projectbamboo.org">

<ApplicationDefaults entityID="https://sp.example.org/shibboleth">
...changed to...
<ApplicationDefaults entityID="https://bsp-test.projectbamboo.org/shibboleth-sp">

<entityID="https://idp.example.org/shibboleth">
...changed to...
<entityID="https://logintest.wisc.edu/idp/shibboleth">

<MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml">
...changed to...
<MetadataProvider type="XML" uri="http://bsp-int.projectbamboo.org/metadata/ProjectBambooSaml2Metadata.xml">

<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="fedsigner.pem"/>
...changed to...
<!-- <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/> -->
<!-- <MetadataFilter type="Signature" certificate="fedsigner.pem"/> -->
7. Send the edited metadata file to the appropriate person or list through which the master Bamboo Trust Federation metadata file is maintained.
As Project Bamboo no longer maintains a Trust Federation, specific addresses can't be provided here. However, a copy of the master metadata file in use during the active period of the Bamboo Technology Project – ProjectBambooSaml2Metadata.xml – is versioned in the project's code repository, at the following URL:
This may or may not prove a helpful reference.
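Before the file is sent in step 7, the hand-edited metadata can be checked against the values the SP is configured with. The Python sketch below is an added example, not part of the original wiki page or of the Shibboleth project; the function names are hypothetical, and the sample metadata and certificate bytes are constructed, with one endpoint deliberately left on 127.0.0.1.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ENTITY_ID = "https://bsp-test.projectbamboo.org/shibboleth-sp"  # value used on this page
HOST = "bsp-test.projectbamboo.org"                             # value used on this page

# Constructed sample data: the "certificate" is placeholder bytes, not a real DER blob.
SAMPLE_B64 = base64.b64encode(b"constructed stand-in for the SP certificate").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="{ENTITY_ID}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://{HOST}/Shibboleth.sso/SLO/Redirect"/>
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://127.0.0.1/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def der_sha256(b64_text):
    """SHA-256 over the decoded certificate bytes; whitespace in the base64 is ignored."""
    return hashlib.sha256(base64.b64decode("".join(b64_text.split()))).hexdigest()

def pem_sha256(pem_text):
    """Fingerprint of the first certificate in a PEM file such as sp-cert.pem."""
    body = pem_text.split("-----BEGIN CERTIFICATE-----")[1].split("-----END")[0]
    return der_sha256(body)

def check_sp_metadata(metadata_xml, entity_id, host, sp_cert_pem):
    """Return a list of problems found in hand-edited SP metadata (empty = consistent)."""
    root = ET.fromstring(metadata_xml)
    problems = []
    if root.get("entityID") != entity_id:
        problems.append(f"entityID is {root.get('entityID')!r}, expected {entity_id!r}")
    for element in root.iter():
        location = element.get("Location")
        if location is None:
            continue
        url = urlsplit(location)
        if url.scheme != "https" or url.hostname != host:
            problems.append(f"endpoint not on https://{host}: {location}")
    embedded = {der_sha256(c.text or "") for c in root.iter(f"{{{DS}}}X509Certificate")}
    if pem_sha256(sp_cert_pem) not in embedded:
        problems.append("certificate in metadata does not match the SP certificate file")
    return problems

if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE_METADATA, ENTITY_ID, HOST, SAMPLE_PEM))
```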
For next steps, see https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPGettingStarted
The Shibboleth configuration files are all found in /etc/shibboleth:
# ls -la /etc/shibboleth
total 304
drwxr-xr-x  2 root root  4096 Jun 1 09:10 .
drwxr-xr-x 75 root root  4096 Jun 1 09:10 ..
-rw-r--r--  1 root root   827 Aug 6 2011 accessError.html
-rw-r--r--  1 root root   827 Aug 6 2011 accessError.html.dist
-rw-r--r--  1 root root  1122 Aug 6 2011 apache22.config
-rw-r--r--  1 root root  1122 Aug 6 2011 apache2.config
-rw-r--r--  1 root root  1446 Aug 6 2011 apache.config
-rw-r--r--  1 root root  8049 Aug 6 2011 attribute-map.xml
-rw-r--r--  1 root root  8049 Aug 6 2011 attribute-map.xml.dist
-rw-r--r--  1 root root  3055 Aug 6 2011 attribute-policy.xml
-rw-r--r--  1 root root  3055 Aug 6 2011 attribute-policy.xml.dist
-rw-r--r--  1 root root  1895 Aug 6 2011 bindingTemplate.html
-rw-r--r--  1 root root  1895 Aug 6 2011 bindingTemplate.html.dist
-rw-r--r--  1 root root  1171 Aug 6 2011 console.logger
-rw-r--r--  1 root root  1171 Aug 6 2011 console.logger.dist
-rw-r--r--  1 root root  1514 Aug 6 2011 discoveryTemplate.html
-rw-r--r--  1 root root  1514 Aug 6 2011 discoveryTemplate.html.dist
-rw-r--r--  1 root root 10140 Aug 6 2011 example-metadata.xml
-rw-r--r--  1 root root 10140 Aug 6 2011 example-metadata.xml.dist
-rw-r--r--  1 root root 14092 Aug 6 2011 example-shibboleth2.xml
-rw-r--r--  1 root root 14092 Aug 6 2011 example-shibboleth2.xml.dist
-rw-r--r--  1 root root   832 Aug 6 2011 globalLogout.html
-rw-r--r--  1 root root   832 Aug 6 2011 globalLogout.html.dist
-rwxr-xr-x  1 root root  2040 Aug 6 2011 keygen.sh
-rw-r--r--  1 root root   627 Aug 6 2011 localLogout.html
-rw-r--r--  1 root root   627 Aug 6 2011 localLogout.html.dist
-rw-r--r--  1 root root  1102 Aug 6 2011 metadataError.html
-rw-r--r--  1 root root  1102 Aug 6 2011 metadataError.html.dist
-rwxr-xr-x  1 root root  7752 Aug 6 2011 metagen.sh
-rw-r--r--  1 root root  1710 Aug 6 2011 native.logger
-rw-r--r--  1 root root  1710 Aug 6 2011 native.logger.dist
-rw-r--r--  1 root root   643 Aug 6 2011 partialLogout.html
-rw-r--r--  1 root root   643 Aug 6 2011 partialLogout.html.dist
-rw-r--r--  1 root root  1309 Aug 6 2011 postTemplate.html
-rw-r--r--  1 root root  1309 Aug 6 2011 postTemplate.html.dist
-rw-r--r--  1 root root  2318 Aug 6 2011 protocols.xml
-rw-r--r--  1 root root  2318 Aug 6 2011 protocols.xml.dist
-rw-r--r--  1 root root  1347 Aug 6 2011 security-policy.xml
-rw-r--r--  1 root root  1347 Aug 6 2011 security-policy.xml.dist
-rw-r--r--  1 root root  1218 Aug 6 2011 sessionError.html
-rw-r--r--  1 root root  1218 Aug 6 2011 sessionError.html.dist
-rw-r--r--  1 root root  5865 Aug 6 2011 shibboleth2.xml
-rw-r--r--  1 root root  5865 Aug 6 2011 shibboleth2.xml.dist
-rw-r--r--  1 root root  2371 Aug 6 2011 shibd-debian
-rw-r--r--  1 root root  2682 Aug 6 2011 shibd.logger
-rw-r--r--  1 root root  2682 Aug 6 2011 shibd.logger.dist
-rw-r--r--  1 root root   673 Aug 6 2011 shibd-osx.plist
-rw-r--r--  1 root root  1626 Aug 6 2011 shibd-redhat
-rw-r--r--  1 root root  3349 Aug 6 2011 shibd-suse
-rw-r--r--  1 root root  1131 Jun 1 09:10 sp-cert.pem
-rw-------  1 root root  1704 Jun 1 09:10 sp-key.pem
-rw-r--r--  1 root root   860 Aug 6 2011 sslError.html
-rw-r--r--  1 root root   860 Aug 6 2011 sslError.html.dist
-rw-r--r--  1 root root  1252 Aug 6 2011 syslog.logger
-rw-r--r--  1 root root  1252 Aug 6 2011 syslog.logger.dist
-rw-r--r--  1 root root 23671 Aug 6 2011 upgrade.xsl
1. Generate a self-signed X.509 certificate that the Shibboleth SP will use to sign protocol messages
[root@bsp-test userx]# openssl req -x509 -nodes -days 3660 -newkey rsa:2048 -keyout userx.key -out userx.pem
Generating a 2048 bit RSA private key
.........................................................+++
......................................................................................................................................+++
writing new private key to 'khazelton1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Wisconsin
Locality Name (eg, city) []:Madison
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organization Y
Organizational Unit Name (eg, section) []:Security
Common Name (eg, YOUR name) []:User X
Email Address []:userx@gmail.com
2. Check the certificate contents
[root@bsp-test userx]# openssl x509 -text -in /etc/shibboleth/sp-cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8d:15:6f:fa:83:f5:2c:83
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=bsp-test.projectbamboo.org
        Validity
            Not Before: Jun 1 13:10:37 2012 GMT
            Not After : May 30 13:10:37 2022 GMT
        Subject: CN=bsp-test.projectbamboo.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:bsp-test.projectbamboo.org
            X509v3 Subject Key Identifier:
                11:7F:A2:BD:D7:00:1B:DA:19:18:A6:7F:E3:92:27:63:E7:81:88:C7
    Signature Algorithm: sha1WithRSAEncryption
3. The primary configuration of Shibboleth is in shibboleth2.xml
Start with example-shibboleth2.xml and make the following edits (substituting appropriate filenames, hostname, URLs, etc.):
<Host name="sp.example.org">
…changed to…
<Host name="bsp-test.projectbamboo.org">

<ApplicationDefaults entityID="https://sp.example.org/shibboleth">
…changed to…
<ApplicationDefaults entityID="https://bsp-test.projectbamboo.org/shibboleth-sp">

<entityID="https://idp.example.org/shibboleth">
…changed to…
<entityID="https://idp.foo.edu/idp/shibboleth">

<Errors supportContact="root@localhost">
…changed to…
<Errors supportContact="userx@gmail.com">

<MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml">
…changed to…
<MetadataProvider type="XML" uri="http://metazome.info/metadata/ProjectBambooSaml2Metadata.xml">

<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="fedsigner.pem"/>
…changed to…
<!-- <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/> -->
<!-- <MetadataFilter type="Signature" certificate="fedsigner.pem"/> -->
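The last edit in this list (also made in step 6 of the earlier recipe) comments out both metadata filters while the provider URI is plain http://, so the SP loads federation metadata without checking a signature or a validity window. The Python sketch below is an added example, not part of the original wiki page or of Shibboleth; it reports those conditions per MetadataProvider, using two constructed shibboleth2.xml fragments (the HTTPS URL in the second is a placeholder, and the function names are hypothetical).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the MetadataProvider as edited on this page (filters commented out).
AS_ON_PAGE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://bsp-test.projectbamboo.org/shibboleth-sp">
    <MetadataProvider type="XML" uri="http://metazome.info/metadata/ProjectBambooSaml2Metadata.xml">
      <!-- <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/> -->
      <!-- <MetadataFilter type="Signature" certificate="fedsigner.pem"/> -->
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed sample: the same provider with both filters active (placeholder HTTPS URL).
FILTERS_ON = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://bsp-test.projectbamboo.org/shibboleth-sp">
    <MetadataProvider type="XML" uri="https://federation.example.org/metadata.xml">
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
      <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>"""

def local_name(element):
    """Strip the '{namespace}' prefix ElementTree puts on tags."""
    return element.tag.rsplit("}", 1)[-1]

def audit_metadata_providers(config_xml):
    """Map each MetadataProvider uri to a list of trust findings (empty dict = clean)."""
    report = {}
    # ElementTree drops XML comments, so a commented-out filter counts as absent.
    for provider in ET.fromstring(config_xml).iter():
        if local_name(provider) != "MetadataProvider" or not provider.get("uri"):
            continue
        uri = provider.get("uri").strip()
        filters = {f.get("type") for f in provider if local_name(f) == "MetadataFilter"}
        findings = []
        if uri.lower().startswith("http://"):
            findings.append("metadata is fetched over plain HTTP")
        if "Signature" not in filters:
            findings.append("no Signature filter: metadata signature is not verified")
        if "RequireValidUntil" not in filters:
            findings.append("no RequireValidUntil filter: metadata validity is not bounded")
        if findings:
            report[uri] = findings
    return report

if __name__ == "__main__":
    for name, sample in (("as on page", AS_ON_PAGE), ("filters on", FILTERS_ON)):
        print(name, audit_metadata_providers(sample) or "no findings")
```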
1. Add support for PHP so test routines can be run
yum install php
2. Edit /etc/httpd/conf/httpd.conf to add support for PHP
Add lines in three places:
(a) In the LoadModules section:
LoadModule php5_module modules/libphp5.so
AddHandler php5-script .php
(b) In the DirectoryIndex section:
DirectoryIndex index.html index.php index.html.var
(c) In the AddType section:
AddType text/html .php
# PHP Syntax Coloring
# (optional but useful for reading PHP source for debugging):
3. Add an index.php to a directory under Apache Web Server's DocumentRoot
Assumption: the directory secure is created under Apache Web Server's DocumentRoot, and is reachable over https. A file index.php is to be written to that directory.
The contents of index.php should be something like the following (with URL changes as appropriate):
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <title>bsp-test.projectbamboo.org</title>
  <!-- Install-time version -->
</head>
<body>
  <p>Host bsp-test.projectbamboo.org on <?php echo date("Y/m/d") . "<br />"; ?></p>
  <?php /* prints the full server environment, including the Shib-* variables */ phpinfo(); ?>
</body>
</html>
Note the invocation of phpinfo(), which prints the server environment and is what displays the Shibboleth attributes in the next step.
4. Browse to the location of index.php
E.g.,
https://bsp-test.projectbamboo.org/secure
The browser is redirected to the testshib IdP and, after the user authenticates, phpinfo() displays the Apache environment variables, showing successful population of the shib-* attributes:
Apache Environment
Variable                     Value
Shib-Application-ID          default
Shib-Session-ID              _6204693b1baadd4d44c923bc0328ce51
Shib-Identity-Provider       https://logintest.wisc.edu/idp/shibboleth
Shib-Authentication-Instant  2012-06-01T17:26:19.966Z
Shib-Authentication-Method   urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Shib-AuthnContext-Class      urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Shib-Session-Index           c1de003c14a3d2082aea4964abf434d751326b31b420bfe12a8bf87421abcbe8
persistent-id                https://logintest.wisc.edu/idp/shibboleth!https://bsp-test.projectbamboo.org/shibboleth-sp!MOowG6LgaWBB8ezMJzgOVBxGykk=;https://logintest.wisc.edu/idp/shibboleth!https://bsp-test.projectbamboo.org/shibboleth-sp!MOowG6LgaWBB8ezMJzgOVBxGykk=
HTTPS                        on
SSL_TLS_SNI                  bsp-test.projectbamboo.org
SSL_SERVER_S_DN_O            *.projectbamboo.org
SSL_SERVER_S_DN_OU           Domain Control Validated
SSL_SERVER_S_DN_CN           *.projectbamboo.org
SSL_SERVER_I_DN_C            US
SSL_SERVER_I_DN_ST           Arizona
SSL_SERVER_I_DN_L            Scottsdale
SSL_SERVER_I_DN_O            GoDaddy.com, Inc.
SSL_SERVER_I_DN_OU           http://certificates.godaddy.com/repository
SSL_SERVER_I_DN_CN           Go Daddy Secure Certification Authority
SSL_VERSION_INTERFACE        mod_ssl/2.2.22
SSL_VERSION_LIBRARY          OpenSSL/1.0.0g-fips
SSL_PROTOCOL                 TLSv1
SSL_SECURE_RENEG             true
SSL_COMPRESS_METHOD          DEFLATE
SSL_CIPHER                   DHE-RSA-CAMELLIA256-SHA
SSL_CIPHER_EXPORT            false
SSL_CIPHER_USEKEYSIZE        256
SSL_CIPHER_ALGKEYSIZE        256
SSL_CLIENT_VERIFY            NONE
SSL_SERVER_M_VERSION         3
SSL_SERVER_M_SERIAL          0437AC49ECE525
SSL_SERVER_V_START           Mar 7 00:34:44 2012 GMT
SSL_SERVER_V_END             Apr 19 01:06:11 2013 GMT
SSL_SERVER_S_DN              /O=*.projectbamboo.org/OU=Domain Control Validated/CN=*.projectbamboo.org
SSL_SERVER_I_DN              /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
SSL_SERVER_A_KEY             rsaEncryption
SSL_SERVER_A_SIG             sha1WithRSAEncryption
SSL_SESSION_ID               3CB6C7DCE97863877E9FBEE237746AE8F9FF1ABB4F466679A4D7F2548C524320
HTTP_HOST                    bsp-test.projectbamboo.org
HTTP_CONNECTION              keep-alive
HTTP_CACHE_CONTROL           max-age=0
HTTP_USER_AGENT              Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.21 Safari/536.11
HTTP_ACCEPT                  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_REFERER                 https://logintest.wisc.edu/idp/profile/SAML2/Redirect/SSO
HTTP_ACCEPT_ENCODING         gzip,deflate,sdch
HTTP_ACCEPT_LANGUAGE         en-US,en;q=0.8
HTTP_ACCEPT_CHARSET          UTF-8,*;q=0.5
HTTP_COOKIE                  _shibsession_64656661756c7468747470733a2f2f6273702d746573742e70726f6a65637462616d626f6f2e6f72672f73686962626f6c6574682d7370=_6204693b1baadd4d44c923bc0328ce51
PATH                         /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SERVER_SIGNATURE             <address>Apache/2.2.22 (Fedora) Server at bsp-test.projectbamboo.org Port 443</address>
SERVER_SOFTWARE              Apache/2.2.22 (Fedora)
SERVER_NAME                  bsp-test.projectbamboo.org
SERVER_ADDR                  74.207.248.136
SERVER_PORT                  443
REMOTE_ADDR                  128.104.17.180
DOCUMENT_ROOT                /var/www/html
SERVER_ADMIN                 root@localhost
SCRIPT_FILENAME              /var/www/html/secure/index.php
REMOTE_PORT                  50658
REMOTE_USER                  https://logintest.wisc.edu/idp/shibboleth!https://bsp-test.projectbamboo.org/shibboleth-sp!MOowG6LgaWBB8ezMJzgOVBxGykk=
AUTH_TYPE                    shibboleth
GATEWAY_INTERFACE            CGI/1.1
SERVER_PROTOCOL              HTTP/1.1
REQUEST_METHOD               GET
QUERY_STRING                 no value
REQUEST_URI                  /secure/
SCRIPT_NAME                  /secure/index.php