Hi, thanks for sharing configs. However, it does not work. I have done everything almost like you, assigning groups does not work. I have to set ShibUseHeaders On to have this feature work. But then I can not logout - yes, it is not a tragedy, the tragedy is that I can not login as I have already described.

Here is my Apache config:

<Location />
  AuthType shibboleth
  ShibRequireSession Off
  Require shibboleth
</Location>

JkMount /* tomcat
JkUnMount /Shibboleth.sso/* tomcat
JkUnMount /shibboleth tomcat
JkUnMount /shibboleth-sp/* tomcat

<Location /shibboleth-login>
  AuthType shibboleth
  ShibRequireSession On
  ShibUseHeaders On
  require valid-user
</Location>

Can anyone else help? I suppose it could be a small bug, I would like to do more testing and debugging, but it takes a lot of time, so if anyone can help I would appreciate it.

Thanks.

Vlastik

----------------------------------------------------------------------------
Vlastimil Krejčíř
Library and Information Centre, Institute of Computer Science
Masaryk University in Brno, Czech Republic
Email: krejcir (at) ics (dot) muni (dot) cz
Phone: +420 549 49 3872
ICQ: 163963217
Jabber: kre...@jabber.org
----------------------------------------------------------------------------

On Tue, 19 Oct 2010, Pottinger, Hardy J. wrote:

> Hi, we actually like the functionality of the Shibboleth "lazy session" it
> makes the site feel friendlier. Our university has not yet implemented any
> sort of logout cookie for Shibboleth, and don't plan to until it's supported
> (that's what the sysadmins tell me).
> However, our setup is a bit different
> from yours, here are the pertinent snippets from our various configs:
>
> <!-- snip from /etc/tomcat5/server.xml tomcat server config -->
> <Connector port="8009"
>     enableLookups="false" redirectPort="8080" protocol="AJP/1.3"
>     address="127.0.0.1" tomcatAuthentication="false"
>     connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8"/>
>
>
> <!-- snip from /etc/tomcat5/Catalina/localhost/xmlui.xml context fragment -->
> <Context debug="0"
>     docBase="/dspace/webapps/xmlui" reloadable="true" unpackWARs="true"
>     autoDeploy="true">
> </Context>
>
>
> ### snips from our_production_vhost.conf
>
> # turn on Shibboleth "Lazy Session"
> <Location />
>   AuthType shibboleth
>   ShibRequireSession Off
>   require shibboleth
> </Location>
>
> # reverse proxy for xmlui
> <Location "/xmlui">
>   ProxyPass ajp://127.0.0.1:8009/xmlui
>   ProxyPassReverse ajp://127.0.0.1:8009/xmlui
>   SetEnv force-proxy-request-1.0 1
>   SetEnv proxy-nokeepalive 1
> </Location>
>
> # start Shibboleth login at this location
> <Location "/xmlui/shibboleth-login" >
>   AuthType shibboleth
>   ShibRequireSession On
>   ShibUseHeaders On
>   require valid-user
> </Location>
>
> For your setup, I think if you moved that "ShibUseHeaders On" down from the
> lazy session stanza to your shibboleth-login stanza, you'd end up with what
> you wanted. If memory serves, that's the magic "give me my headers, now,
> please" command.
>
> Hope that helps!
>
> --Hardy
>
>> -----Original Message-----
>> From: Vlastimil Krejcir [mailto:krej...@ics.muni.cz]
>> Sent: Tuesday, October 19, 2010 9:15 AM
>> To: DSpace-tech@lists.sourceforge.net
>> Subject: [Dspace-tech] Shibboleth - user groups
>>
>>
>> Hi all,
>>
>> I have set up Shibboleth authentication in DSpace and assigning groups
>> according to the "affiliation" (authentication.shib.role-header) does not
>> work.
>>
>> I have found that getSpecialGroups() from
>> /org/dspace/authenticate/ShibAuthentication.java gets no shibboleth
>> headers. I guess that the trouble lies in Apache config. At first I have
>> tried mod_proxy, then mod_jk and the result is still the same. To get
>> getSpecialGroups() to work properly (to send shib headers) I have to change
>> Apache config slightly to use lazy session for the root (where I have my
>> DSpace installation):
>>
>> <Location /shibboleth-login>
>>   AuthType shibboleth
>>   ShibRequireSession On
>>   Require valid-user
>>   ShibUseHeaders On
>> </Location>
>>
>> <Location />
>>   AuthType shibboleth
>>   ShibRequireSession Off
>>   ShibUseHeaders on
>>   Require shibboleth
>> </Location>
>>
>>
>> So this is lazy session configuration. Using this, groups assigning works.
>> But I can't logout - means trying to reach /mydspace cause I'm logged in
>> via Shibboleth without asking what kind of authentication I want. If I was
>> logged in before, my last session is used, if I wasn't there is
>> something I name "empty user". It seems, DSpace tests "shibboleth" header
>> and then assumes somebody is logged in.
>>
>> Removing lazy session config (for the root /) causes Shibboleth works fine
>> except for assigning groups.
>>
>> Has anyone experienced the same troubles? Can you share your Apache
>> config?
>>
>> I have version 1.6.2, also last SP (2.3.1 I think). I have also set up
>> webui.session.invalidate = false.
>>
>> Thanks.
>>
>> Vlastik
>>
>> ----------------------------------------------------------------------------
>> Vlastimil Krejčíř
>> Library and Information Centre, Institute of Computer Science
>> Masaryk University in Brno, Czech Republic
>> Email: krejcir (at) ics (dot) muni (dot) cz
>> Phone: +420 549 49 3872
>> ICQ: 163963217
>> Jabber: kre...@jabber.org
>> ----------------------------------------------------------------------------
>>
>> ------------------------------------------------------------------------------
>> Download new Adobe(R) Flash(R) Builder(TM) 4
>> The new Adobe(R) Flex(R) 4 and Flash(R) Builder(TM) 4 (formerly
>> Flex(R) Builder(TM)) enable the development of rich applications that run
>> across multiple browsers and platforms. Download your free trials today!
>> http://p.sf.net/sfu/adobe-dev2dev
>> _______________________________________________
>> DSpace-tech mailing list
>> DSpace-tech@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/dspace-tech
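
An added example, not part of the thread and not DSpace or Shibboleth code: a small Python model of which Shibboleth flags apply to a given request path under the two stanza layouts quoted in the messages above. It assumes Apache's documented rule that matching <Location> sections are merged in file order with later ones overriding, that each flag merges independently, and that both flags default to Off; the sample configs are constructed from the thread and reduced to the two flags.

```python
import re

# Constructed samples: the stanzas from the original post and from the reply.
ORIGINAL_POST = """
<Location /shibboleth-login>
  ShibRequireSession On
  ShibUseHeaders On
</Location>
<Location />
  ShibRequireSession Off
  ShibUseHeaders on
</Location>
"""
REPLY = """
<Location />
  ShibRequireSession Off
</Location>
<Location /shibboleth-login>
  ShibRequireSession On
  ShibUseHeaders On
</Location>
"""

BLOCK = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>', re.S | re.I)
FLAG = re.compile(r'^\s*(ShibUseHeaders|ShibRequireSession)\s+(on|off)\s*$', re.I | re.M)

def matches(location, path):
    """Prefix match on a path-segment boundary, as <Location> does."""
    if location.endswith("/"):
        return path.startswith(location)
    return path == location or path.startswith(location + "/")

def effective_shib(config, path):
    """Merge matching <Location> blocks in file order; later blocks win."""
    flags = {"shibuseheaders": False, "shibrequiresession": False}  # assumed defaults
    for location, body in BLOCK.findall(config):
        if matches(location, path):
            for name, value in FLAG.findall(body):
                flags[name.lower()] = value.lower() == "on"
    return flags
```

Under this model, effective_shib(REPLY, "/mydspace") reports ShibUseHeaders off for every path except /shibboleth-login, while effective_shib(ORIGINAL_POST, "/shibboleth-login") reports ShibRequireSession off because the root stanza comes later in that file.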