Thank you for the reply - but that did not solve the problem. I have the same response in all the logs as prior to the change.
I did try several variations on that theme but still have not hit the right combination yet. Further information that I missed last night: Running dSpace 5.4 # Whether to use lazy sessions or active sessions. lazysession = true Does this need to change? # The url to start a shibboleth session (only for lazy sessions) lazysession.loginurl = /Shibboleth.sso/Login # Force HTTPS when authenticating (only for lazy sessions) lazysession.secure = true and my question is this the correct netid-header for this configuration? #email-header = SHIB-MAIL netid-header = uid email-header = email email-use-tomcat-remote-user = false > On Feb 22, 2017, at 2:16 AM, Tom Desair <[email protected]> wrote: > > Hi Julie, > > The key here is the Apache configuration section > <Location "/shibboleth-login"> > AuthType shibboleth > ShibRequireSession On > Require valid-user > </Location> > > This tells the Apache Shibboleth daemon to require a Shibboleth session when > visiting "/shibboleth-login" and to provide all mapped attributes to the > Tomcat application server. For all other URL endpoints, Shibboleth will not > forward the attributes. > > However, your DSpace instance is not running under root but under "/dspace". > I conclude this from the fact that you receive a redirect to > "https://test-dspace.xxx.net//dspace/shibboleth-login > <https://test-dspace.xxx.net//dspace/shibboleth-login>". This means you have > to adjust the Apache configuration to secure that location instead. > > So your problem should be solved when you change "<Location > "/shibboleth-login">" to "<Location "/dspace/shibboleth-login">". Can you > please try that and let me know if that works? > > Best regards, > Tom > > Tom Desair > 250-B Suite 3A, Lucius Gordon Drive, West Henrietta, NY 14586 > Esperantolaan 4, Heverlee 3001, Belgium > www.atmire.com > <http://atmire.com/website/?q=services&utm_source=emailfooter&utm_medium=email&utm_campaign=tomdesair> > > 2017-02-21 23:51 GMT+01:00 J Bell <[email protected] > <mailto:[email protected]>>: > > We are moving to Shibboleth and I am having a problem figuring out where my > configuration is not set correctly to allow the actual authentication to > occur. This is working in other instances we have running - only dSpace is > not yet configured properly. Would anyone have some input as to where I > have wandered into the weeds? > > Notes about our configuration: > > I have the IDP and my local SP (shibboleth 2.5.2) configured and talking > as I would expect. > > We are using mod_ajp for the proxy (this did not work under regular proxy > either - I have tried both ways). My shibboleth2.xml configuration looks > like this: > > <ApplicationDefaults entityID="https://xxx.xxx.net/shibboleth > <https://xxx.xxx.net/shibboleth>" > id="default" policyId="default" > REMOTE_USER="eppn persistent-id targeted-id" > signing="false" encryption="false" > attributePrefix="AJP_"> > > <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" > checkAddress="false" handlerSSL="false" cookieProps="https"> > > <SSO entityID="https://alpha.signin.xxx.edu/idp/shibboleth > <https://alpha.signin.xxx.edu/idp/shibboleth>" Location="/Login" > discoveryProtocol="SAMLDS" > discoveryURL="https://ds.example.org/DS/WAYF > <https://ds.example.org/DS/WAYF>"> > SAML2 SAML1 > </SSO> > > > > My attribute-map.xml has the following attributes mapped - which come back > as expected: > > <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/> > <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="email"/> > <Attribute name="urn:oid:2.5.4.3" id="cn"/> > <Attribute name="urn:oid:2.5.4.4" id="sn"/> > <Attribute name="urn:oid:2.5.4.42" id="givenName"/> > <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/> > > > > /Shibboleth.sso/Session returns this: > > > Miscellaneous > Session Expiration (barring inactivity): 476 minute(s) > Client Address: xxx.xxx.xxx.xxx > SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol > Identity Provider: https://alpha.signin.xxx.edu/idp/shibboleth > <https://alpha.signin.xxx.edu/idp/shibboleth> > Authentication Time: 2017-02-20T17:31:43.925Z > Authentication Context Class: > urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport > Authentication Context Decl: (none) > > Attributes > cn: jbell > displayName: Julie Bell > email: [email protected] <mailto:[email protected]> > givenName: Julie > ksuPersonWildcatId: xxxxxxxx > sn: Bell > telephoneNumber: xxxxxxxxx > uid: jbell > > > After proper authentication the service is returned to: > > https://test-dspace.xxx.net//dspace/shibboleth-login > <https://test-dspace.xxx.net//dspace/shibboleth-login> > > and: > Authentication Failed > > > The dspace log responds with this: > > 2017-02-21 19:42:04,972 INFO > org.dspace.app.xmlui.aspect.artifactbrowser.CommunityBrowser @ > anonymous:session_id=DDFBE06E3003021B702DF0A1310B4816:ip_addr=xxx.xxx.xxx.xxx:view_community_list: > 2017-02-21 19:42:04,973 INFO > org.dspace.app.xmlui.aspect.discovery.SidebarFacetsTransformer @ facets for > scope, null: 3 > 2017-02-21 19:42:05,677 INFO > org.dspace.app.xmlui.aspect.artifactbrowser.CommunityBrowser @ > anonymous:session_id=DDFBE06E3003021B702DF0A1310B4816:ip_addr=xxx.xxx.xxx.xxx:view_community_list: > 2017-02-21 19:42:05,678 INFO > org.dspace.app.xmlui.aspect.discovery.SidebarFacetsTransformer @ facets for > scope, null: 3 > 2017-02-21 19:42:27,872 ERROR org.dspace.authenticate.ShibAuthentication @ > Shibboleth authentication was not able to find a NetId, Email, or Tomcat > Remote user for which to indentify a user from. > 2017-02-21 19:42:27,872 ERROR org.dspace.authenticate.ShibAuthentication @ > Unable to register new eperson because we are unable to find an email address > along with first and last name for the user. > NetId Header: 'null'='null' (Optional) > Email Header: 'email'='null' > First Name Header: 'givenName'='null' > Last Name Header: 'sn'='null' > 2017-02-21 19:42:27,872 INFO org.dspace.app.xmlui.utils.AuthenticationUtil @ > anonymous:session_id=01CF256229E776009AE83845CF4341A2:ip_addr=xxx.xxx.xxx.xxx:failed_login:email=null, > realm=null, result=4 > 2017-02-21 19:42:28,444 INFO > org.dspace.app.xmlui.aspect.artifactbrowser.CommunityBrowser @ > anonymous:session_id=01CF256229E776009AE83845CF4341A2:ip_addr=xxx.xxx.xxx.xxx:view_community_list: > 2017-02-21 19:42:28,444 INFO > org.dspace.app.xmlui.aspect.discovery.SidebarFacetsTransformer @ facets for > scope, null: 3 > > The shibboleth log responds with: > > 2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]: New session (ID: > _7aa0bd831d4bbfd9e852e1d24414b924) with (applicationId: default) for > principal from (IdP: https://alpha.signin.xxx.edu/idp/shibboleth > <https://alpha.signin.xxx.edu/idp/shibboleth>) at (ClientAddress: > xxx.xxx.xxx.xxx) with (NameIdentifier: _19a0b33cc94439c79fc401cf9cc63200) > using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: > _147bb17c58c8c230f513f12d154c3489) > 2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]: Cached the following > attributes with session (ID: _7aa0bd831d4bbfd9e852e1d24414b924) for > (applicationId: default) { > 2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]: uid (1 values) > 2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]: displayName (1 values) > 2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]: sn (1 values) > 2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]: givenName (1 values) > 2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]: cn (1 values) > 2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]: email (1 values) > 2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]: telephoneNumber (1 > values) > 2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]: } > > > > Apache 2.4.25 configuration looks like: > > <ifModule mod_shib> > UseCanonicalName On > <Location /> > AuthType Shibboleth > ShibRequireSession Off > Require shibboleth > </Location> > <Location "/shibboleth-login"> > AuthType shibboleth > ShibRequireSession On > # Require shib-user ~ ^.+@(xxx|yyy)\.edu$ (was trying this out > but it did not work either) > Require valid-user > </Location> > <Location "/Shibboleth.sso"> > Require all granted > SetHandler shib > </Location> > </IfModule> > > this is also in the configuration file, just below this stanza: > > ProxyPass /Shibboleth.sso ! > ProxyPass / "ajp://localhost:8009/" > > > > > > -- > You received this message because you are subscribed to the Google Groups > "DSpace Technical Support" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected] > <mailto:[email protected]>. > To post to this group, send email to [email protected] > <mailto:[email protected]>. > Visit this group at https://groups.google.com/group/dspace-tech > <https://groups.google.com/group/dspace-tech>. > For more options, visit https://groups.google.com/d/optout > <https://groups.google.com/d/optout>. -- You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/dspace-tech. For more options, visit https://groups.google.com/d/optout.
