Hi,

   thanks for sharing the configs. However, it does not work. I have done 
everything almost like you, and assigning groups does not work. I have to set 
ShibUseHeaders On to get this feature working. But then I cannot log out - 
yes, it is not a tragedy; the tragedy is that I cannot log in, as I have 
already described.

   Here is my Apache config:

  <Location />
      AuthType shibboleth
      ShibRequireSession Off
      Require shibboleth
  </Location>

  JkMount /* tomcat

  JkUnMount /Shibboleth.sso/* tomcat
  JkUnMount /shibboleth tomcat
  JkUnMount /shibboleth-sp/* tomcat

  <Location /shibboleth-login>
      AuthType shibboleth
      ShibRequireSession On
      ShibUseHeaders On
      require valid-user
  </Location>


Can anyone else help? I suppose it could be a small bug, I would like to 
do more testing and debugging, but it takes a lot of time, so if anyone 
can help I would appreciate it.

Thanks.

Vlastik

----------------------------------------------------------------------------
Vlastimil Krejčíř
Library and Information Centre, Institute of Computer Science
Masaryk University in Brno, Czech Republic
Email: krejcir (at) ics (dot) muni (dot) cz
Phone: +420 549 49 3872
ICQ: 163963217
Jabber: kre...@jabber.org
----------------------------------------------------------------------------

On Tue, 19 Oct 2010, Pottinger, Hardy J. wrote:

> Hi, we actually like the functionality of the Shibboleth "lazy session"; it 
> makes the site feel friendlier. Our university has not yet implemented any 
> sort of logout cookie for Shibboleth, and doesn't plan to until it's supported 
> (that's what the sysadmins tell me). However, our setup is a bit different 
> from yours; here are the pertinent snippets from our various configs:
>
> <!-- snip from /etc/tomcat5/server.xml tomcat server config -->
> <Connector port="8009"
>  enableLookups="false" redirectPort="8080" protocol="AJP/1.3" 
> address="127.0.0.1" tomcatAuthentication="false"
>  connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8"/>
>
>
> <!-- snip from /etc/tomcat5/Catalina/localhost/xmlui.xml context fragment -->
> <Context debug="0"
>    docBase="/dspace/webapps/xmlui" reloadable="true" unpackWARs="true" 
> autoDeploy="true">
> </Context>
>
>
> ### snips from our_production_vhost.conf
>
> # turn on Shibboleth "Lazy Session"
> <Location />
>        AuthType shibboleth
>        ShibRequireSession Off
>        require shibboleth
> </Location>
>
> # reverse proxy for xmlui
> <Location "/xmlui">
>  ProxyPass         ajp://127.0.0.1:8009/xmlui
>  ProxyPassReverse  ajp://127.0.0.1:8009/xmlui
>  SetEnv force-proxy-request-1.0 1
>  SetEnv proxy-nokeepalive 1
> </Location>
>
> # start Shibboleth login at this location
> <Location "/xmlui/shibboleth-login" >
>  AuthType shibboleth
>  ShibRequireSession On
>  ShibUseHeaders On
>  require valid-user
> </Location>
>
> For your setup, I think if you moved that "ShibUseHeaders On" down from the 
> lazy session stanza to your shibboleth-login stanza, you'd end up with what 
> you wanted. If memory serves, that's the magic "give me my headers, now, 
> please" command.
>
> Hope that helps!
>
> --Hardy
>
>> -----Original Message-----
>> From: Vlastimil Krejcir [mailto:krej...@ics.muni.cz]
>> Sent: Tuesday, October 19, 2010 9:15 AM
>> To: DSpace-tech@lists.sourceforge.net
>> Subject: [Dspace-tech] Shibboleth - user groups
>>
>>
>>    Hi all,
>>
>> I have set up Shibboleth authentication in DSpace and assigning groups
>> according to the "affiliation" (authentication.shib.role-header) does
>> not work.
>>
>> I have found that getSpecialGroups() from
>> /org/dspace/authenticate/ShibAuthentication.java gets no shibboleth
>> headers. I guess that the trouble lies in the Apache config. At first I
>> tried mod_proxy, then mod_jk, and the result is still the same. To get
>> getSpecialGroups() to work properly (to send shib headers) I have to
>> change the Apache config slightly to use lazy session for the root
>> (where I have my DSpace installation):
>>
>> <Location /shibboleth-login>
>>      AuthType shibboleth
>>      ShibRequireSession On
>>      Require valid-user
>>      ShibUseHeaders On
>> </Location>
>>
>> <Location />
>>      AuthType shibboleth
>>      ShibRequireSession Off
>>      ShibUseHeaders on
>>      Require shibboleth
>> </Location>
>>
>>
>> So this is the lazy session configuration. Using this, assigning groups
>> works. But I can't log out - meaning that trying to reach /mydspace
>> causes me to be logged in via Shibboleth without being asked what kind of
>> authentication I want. If I was logged in before, my last session is
>> used; if I wasn't, there is something I call the "empty user". It seems
>> DSpace tests the "shibboleth" header and then assumes somebody is
>> logged in.
>>
>> Removing the lazy session config (for the root /) causes Shibboleth to
>> work fine except for assigning groups.
>>
>> Has anyone experienced the same troubles? Can you share your Apache
>> config?
>>
>> I have version 1.6.2, also last SP (2.3.1 I think). I have also set up
>> webui.session.invalidate = false.
>>
>> Thanks.
>>
>> Vlastik
>>
>> ----------------------------------------------------------------------------
>> Vlastimil Krejčíř
>> Library and Information Centre, Institute of Computer Science
>> Masaryk University in Brno, Czech Republic
>> Email: krejcir (at) ics (dot) muni (dot) cz
>> Phone: +420 549 49 3872
>> ICQ: 163963217
>> Jabber: kre...@jabber.org
>> ----------------------------------------------------------------------------
>>
>
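
The "empty user" symptom described in this thread comes from treating the mere presence of Shibboleth headers as a login. The sketch below is an added example, not code from the thread or from DSpace: it accepts role data only when a Shibboleth session ID accompanies it, and splits the multi-valued role header the way the SP delimits it. The class name is hypothetical, the Map stands in for HttpServletRequest.getHeader(), and the role header name "affiliation" is an assumption taken from the thread's authentication.shib.role-header setting.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class LazySessionCheck {
    // Header names are assumptions: match them to attribute-map.xml and dspace.cfg.
    static final String SESSION_HEADER = "Shib-Session-ID";
    static final String ROLE_HEADER = "affiliation";

    /** With lazy sessions an anonymous request has no session ID (absent or empty). */
    static boolean hasShibSession(Map<String, String> headers) {
        String id = headers.get(SESSION_HEADER);
        return id != null && !id.trim().isEmpty();
    }

    /** The SP joins multiple values with ';' and escapes a literal ';' as "\;". */
    static List<String> roles(Map<String, String> headers) {
        List<String> out = new ArrayList<>();
        String raw = headers.get(ROLE_HEADER);
        if (!hasShibSession(headers) || raw == null) {
            return out; // no session means no groups, whatever the role header says
        }
        StringBuilder cur = new StringBuilder();
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c == '\\' && i + 1 < raw.length() && raw.charAt(i + 1) == ';') {
                cur.append(';'); // escaped delimiter belongs to the value
                i++;
            } else if (c == ';') {
                flush(out, cur);
            } else {
                cur.append(c);
            }
        }
        flush(out, cur);
        return out;
    }

    private static void flush(List<String> out, StringBuilder cur) {
        String v = cur.toString().trim();
        if (!v.isEmpty()) out.add(v);
        cur.setLength(0);
    }

    public static void main(String[] args) {
        // Constructed sample requests: one without a session, one with.
        Map<String, String> anonymous = Map.of(ROLE_HEADER, "staff");
        Map<String, String> loggedIn = Map.of(SESSION_HEADER, "_constructed-id", ROLE_HEADER, "member;staff");
        System.out.println(hasShibSession(anonymous) + " " + roles(anonymous));
        System.out.println(hasShibSession(loggedIn) + " " + roles(loggedIn));
    }
}
```

Map.of requires Java 9 or later.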
