Hi Julie,

I'm glad I could help and that you have Shibboleth up and running now.

There is also an (undocumented) property called "default-roles" in which
you can define a set of fallback roles in case no applicable roles were
found for a user. So if you want to assign each user that authenticates
through Shibboleth to the ETDR_AUTO group, you can put this in
the authentication-shibboleth.cfg file:

default-roles = internal
role.internal = ETDR_AUTO


Best regards,
Tom

Tom Desair
250-B Suite 3A, Lucius Gordon Drive, West Henrietta, NY 14586
Esperantolaan 4, Heverlee 3001, Belgium
www.atmire.com
<http://atmire.com/website/?q=services&utm_source=emailfooter&utm_medium=email&utm_campaign=tomdesair>

2017-02-27 20:33 GMT+01:00 J Bell <[email protected]>:

>
> For future:
>
> I did also figure out being able to add a default group to shibboleth by
> using our domain name rather than affiliations - works great!
>
>
> # The shibboleth header to do role-based mappings
> role-header = email
>
> # Whether to ignore the attribute's scope or value.
> role-header.ignore-scope = false
> role-header.ignore-value = true
>
> # Default mappings of roles values to a comma separated list of DSpace group
> # names (Case Sensitive).
> role.xxxx.edu = ETDR_AUTO
> role.xxxx.edu = ETDR_AUTO
>
>
>
>
>
> On Tuesday, February 21, 2017 at 4:51:31 PM UTC-6, J Bell wrote:
>>
>>
>> We are moving to Shibboleth and I am having a problem figuring out where
>> my configuration is not set correctly to allow the actual authentication to
>> occur.  This is working in other instances we have running - only DSpace
>> is not yet configured properly.   Would anyone have some input as to where
>> I have wandered into the weeds?
>>
>> Notes about our configuration:
>>
>> I have the IDP and my local *SP  (shibboleth 2.5.2)  * configured and
>> talking as I would expect.
>>
>> We are using *mod_ajp*  for the proxy  (this did not work under regular
>> proxy either - I have tried both ways).  My *shibboleth2.xml* configuration
>> looks like this:
>>
>> <ApplicationDefaults entityID="https://xxx.xxx.net/shibboleth"
>>                      id="default" policyId="default"
>>                      REMOTE_USER="eppn persistent-id targeted-id"
>>                      signing="false" encryption="false"
>>                      attributePrefix="AJP_">
>>
>>     <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
>>               checkAddress="false" handlerSSL="false"
>>               cookieProps="https">
>>
>>         <SSO entityID="https://alpha.signin.xxx.edu/idp/shibboleth"
>>              Location="/Login"
>>              discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
>>           SAML2 SAML1
>>         </SSO>
>>
>>
>>
>> My *attribute-map.xml*  has the following attributes mapped - which come
>> back as expected:
>>
>>  <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
>>  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="email"/>
>>  <Attribute name="urn:oid:2.5.4.3" id="cn"/>
>>  <Attribute name="urn:oid:2.5.4.4" id="sn"/>
>>  <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
>>  <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
>>
>>
>>
>> */Shibboleth.sso/Session* returns this:
>>
>>
>> Miscellaneous
>> Session Expiration (barring inactivity): 476 minute(s)
>> Client Address: xxx.xxx.xxx.xxx
>> SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
>> Identity Provider: https://alpha.signin.xxx.edu/idp/shibboleth
>> Authentication Time: 2017-02-20T17:31:43.925Z
>> Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
>> Authentication Context Decl: (none)
>>
>> Attributes
>> cn: jbell
>> displayName: Julie Bell
>> email: [email protected]
>> givenName: Julie
>> ksuPersonWildcatId: xxxxxxxx
>> sn: Bell
>> telephoneNumber: xxxxxxxxx
>> uid: jbell
>>
>>
>> After proper authentication the service is returned to:
>>
>> https://test-dspace.xxx.net//dspace/shibboleth-login
>>
>> and:
>> Authentication Failed
>>
>> The *DSpace log* responds with this:
>>
>> 2017-02-21 19:42:04,972 INFO  org.dspace.app.xmlui.aspect.artifactbrowser.CommunityBrowser @ anonymous:session_id=DDFBE06E3003021B702DF0A1310B4816:ip_addr=xxx.xxx.xxx.xxx:view_community_list:
>> 2017-02-21 19:42:04,973 INFO  org.dspace.app.xmlui.aspect.discovery.SidebarFacetsTransformer @ facets for scope, null: 3
>> 2017-02-21 19:42:05,677 INFO  org.dspace.app.xmlui.aspect.artifactbrowser.CommunityBrowser @ anonymous:session_id=DDFBE06E3003021B702DF0A1310B4816:ip_addr=xxx.xxx.xxx.xxx:view_community_list:
>> 2017-02-21 19:42:05,678 INFO  org.dspace.app.xmlui.aspect.discovery.SidebarFacetsTransformer @ facets for scope, null: 3
>> 2017-02-21 19:42:27,872 ERROR org.dspace.authenticate.ShibAuthentication @ Shibboleth authentication was not able to find a NetId, Email, or Tomcat Remote user for which to indentify a user from.
>> 2017-02-21 19:42:27,872 ERROR org.dspace.authenticate.ShibAuthentication @ Unable to register new eperson because we are unable to find an email address along with first and last name for the user.
>>   NetId Header: 'null'='null' (Optional)
>>   Email Header: 'email'='null'
>>   First Name Header: 'givenName'='null'
>>   Last Name Header: 'sn'='null'
>> 2017-02-21 19:42:27,872 INFO  org.dspace.app.xmlui.utils.AuthenticationUtil @ anonymous:session_id=01CF256229E776009AE83845CF4341A2:ip_addr=xxx.xxx.xxx.xxx:failed_login:email=null, realm=null, result=4
>> 2017-02-21 19:42:28,444 INFO  org.dspace.app.xmlui.aspect.artifactbrowser.CommunityBrowser @ anonymous:session_id=01CF256229E776009AE83845CF4341A2:ip_addr=xxx.xxx.xxx.xxx:view_community_list:
>> 2017-02-21 19:42:28,444 INFO  org.dspace.app.xmlui.aspect.discovery.SidebarFacetsTransformer @ facets for scope, null: 3
>>
>> The *shibboleth* log responds with:
>>
>> 2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]: New session (ID: _7aa0bd831d4bbfd9e852e1d24414b924) with (applicationId: default) for principal from (IdP: https://alpha.signin.xxx.edu/idp/shibboleth) at (ClientAddress: xxx.xxx.xxx.xxx) with (NameIdentifier: _19a0b33cc94439c79fc401cf9cc63200) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: _147bb17c58c8c230f513f12d154c3489)
>> 2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]: Cached the following attributes with session (ID: _7aa0bd831d4bbfd9e852e1d24414b924) for (applicationId: default) {
>> 2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]:    uid (1 values)
>> 2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]:    displayName (1 values)
>> 2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]:    sn (1 values)
>> 2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]:    givenName (1 values)
>> 2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]:    cn (1 values)
>> 2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]:    email (1 values)
>> 2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]:    telephoneNumber (1 values)
>> 2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]: }
>>
>>
>>
>> *Apache 2.4.25 configuration* looks like:
>>
>> <IfModule mod_shib>
>>     UseCanonicalName On
>>     <Location />
>>         AuthType Shibboleth
>>         ShibRequireSession Off
>>         Require shibboleth
>>     </Location>
>>     <Location "/shibboleth-login">
>>         AuthType Shibboleth
>>         ShibRequireSession On
>>         # Require shib-user ~ ^.+@(xxx|yyy)\.edu$   (was trying this out but it did not work either)
>>         Require valid-user
>>     </Location>
>>     <Location "/Shibboleth.sso">
>>         Require all granted
>>         SetHandler shib
>>     </Location>
>> </IfModule>
>>
>> this is also in the configuration file, just below this stanza:
>>
>>         ProxyPass   /Shibboleth.sso !
>>         ProxyPass  /  "ajp://localhost:8009/"
>>
>>
>>
>>
>> --
> You received this message because you are subscribed to the Google Groups
> "DSpace Technical Support" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/group/dspace-tech.
> For more options, visit https://groups.google.com/d/optout.
>

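The role mapping in the two configurations above (Julie's `role-header = email` with `role-header.ignore-value = true`, and the `default-roles` fallback from the reply) can be checked offline without a running DSpace. The Python script below is an added illustration written for this page, not DSpace's own code and not something from the thread: it reimplements the mapping rules as the thread describes them (strip the scope or the value from a scoped attribute, look up `role.<key>`, split the comma-separated group list, skip groups that do not exist, fall back to `default-roles` when nothing matched). The group names, attribute values and the `known_groups` stand-in for the DSpace group table are constructed examples, the lower-case retry of the `role.<key>` lookup is an assumption about DSpace's behaviour, and the condition under which `default-roles` kicks in is taken from the reply rather than verified against DSpace's source.

```python
"""Offline model of DSpace's Shibboleth role-to-group mapping.

Added illustration for this page (not DSpace code): it replays the
authentication-shibboleth.cfg keys discussed in the thread
(role-header, role-header.ignore-scope, role-header.ignore-value,
role.<key> = group[,group...] and default-roles) against a set of
attribute values so the effect of a configuration can be checked
before it is deployed.
"""
from typing import Dict, Iterable, List


def mapping_keys(values: Iterable[str], ignore_scope: bool, ignore_value: bool) -> List[str]:
    """Reduce scoped attribute values ("value@scope") to the keys looked up as role.<key>.

    ignore_scope drops everything from '@' on; ignore_value drops everything up
    to and including '@'. The scope is stripped first, so with both flags set the
    bare value survives (assumed order; a value without '@' is used unchanged).
    """
    keys = []
    for raw in values:
        key = raw.strip()
        if ignore_scope:
            key = key.split("@", 1)[0]
        if ignore_value and "@" in key:
            key = key.split("@", 1)[1]
        if key:
            keys.append(key)
    return keys


def resolve_groups(config: Dict[str, str],
                   attributes: Dict[str, List[str]],
                   known_groups: Iterable[str]) -> List[str]:
    """Return the DSpace group names a user with these attributes is mapped to.

    config holds authentication-shibboleth.cfg keys without the file prefix;
    attributes maps the header/attribute name to its values as the webapp sees
    them; known_groups stands in for the DSpace group table (constructed here),
    because a configured group that does not exist is skipped, not created.
    """
    known = set(known_groups)
    header = config.get("role-header")
    ignore_scope = config.get("role-header.ignore-scope", "false").strip().lower() == "true"
    ignore_value = config.get("role-header.ignore-value", "false").strip().lower() == "true"
    groups: List[str] = []

    def add_groups_for(key: str) -> None:
        # Exact key first, then lower-cased (assumed to mirror DSpace's retry).
        spec = config.get("role." + key) or config.get("role." + key.lower()) or ""
        for name in spec.split(","):
            name = name.strip()
            if name and name in known and name not in groups:
                groups.append(name)

    if header:
        for key in mapping_keys(attributes.get(header, []), ignore_scope, ignore_value):
            add_groups_for(key)

    if not groups and config.get("default-roles"):
        # Fallback from the reply: default-roles names role keys, not groups,
        # so each one goes through the same role.<key> lookup.
        for key in config["default-roles"].split(","):
            add_groups_for(key.strip())
    return groups


# Constructed configurations and inputs (names and domains are placeholders).
JULIE_CFG = {
    "role-header": "email",
    "role-header.ignore-scope": "false",
    "role-header.ignore-value": "true",
    "role.xxxx.edu": "ETDR_AUTO",
}
TOM_CFG = dict(JULIE_CFG, **{"default-roles": "internal", "role.internal": "ETDR_AUTO"})
AFFILIATION_CFG = {
    "role-header": "SHIB-SCOPED-AFFILIATION",
    "role-header.ignore-scope": "true",
    "role-header.ignore-value": "false",
    "role.staff": "ETDR_AUTO, Staff",
    "role.student": "Students",
}
KNOWN_GROUPS = ["ETDR_AUTO", "Students"]  # "Staff" is deliberately not defined


def demo() -> Dict[str, List[str]]:
    return {
        "xxxx.edu address": resolve_groups(JULIE_CFG, {"email": ["jbell@xxxx.edu"]}, KNOWN_GROUPS),
        "other domain, no fallback": resolve_groups(JULIE_CFG, {"email": ["jbell@other.edu"]}, KNOWN_GROUPS),
        "other domain, default-roles": resolve_groups(TOM_CFG, {"email": ["jbell@other.edu"]}, KNOWN_GROUPS),
        "header absent, default-roles": resolve_groups(TOM_CFG, {}, KNOWN_GROUPS),
        "scoped affiliations": resolve_groups(
            AFFILIATION_CFG,
            {"SHIB-SCOPED-AFFILIATION": ["staff@xxxx.edu", "student@xxxx.edu"]},
            KNOWN_GROUPS),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:30} -> {result}")
```

Two things the output makes visible: with `ignore-value = true` the lookup key is the mail domain, so every account whose IdP-asserted address is at `xxxx.edu` lands in ETDR_AUTO and the mapping is exactly as trustworthy as the IdP's release of that attribute; and a group name that does not exist in DSpace (the "Staff" case) is skipped rather than created, so a typo in a group name produces no error at mapping time.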
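A second added example, also written for this page and not taken from the thread or from DSpace: the two log excerpts in the original question point in different directions (the SP cached `email`, `givenName` and `sn` for the session, while DSpace reports every one of those headers as null), and the script below makes that comparison mechanically. It embeds copies of the posted log lines as constructed sample input, redactions kept, and reports which attributes the SP had but the application never saw. A non-empty first list means the IdP release and attribute-map.xml are fine and the break is in how attributes get from mod_shib through Apache and the AJP connector into the webapp (with `attributePrefix="AJP_"` the SP exports them as AJP request attributes rather than HTTP headers); an attribute missing from the SP log would instead point back at IdP release or the attribute map.

```python
"""Cross-check a Shibboleth SP TRANSACTION log against the DSpace log.

Added diagnostic for this page (not from the thread or from DSpace). The SP
log lists the attributes it cached for a session after attribute-map.xml has
been applied; the DSpace log lists the header names it looked up and the
(null) values it got. Any attribute in the first set that is null in the second
was released by the IdP and mapped by the SP but never reached the webapp.
"""
import re
from typing import Dict, List, Optional

# Constructed copies of the two excerpts posted in the thread (redactions kept).
SP_LOG = """\
2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]: Cached the following attributes with session (ID: _7aa0bd831d4bbfd9e852e1d24414b924) for (applicationId: default) {
2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]:    uid (1 values)
2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]:    displayName (1 values)
2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]:    sn (1 values)
2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]:    givenName (1 values)
2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]:    cn (1 values)
2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]:    email (1 values)
2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]:    telephoneNumber (1 values)
2017-02-21 22:37:17 INFO Shibboleth-TRANSACTION [2]: }
"""

DSPACE_LOG = """\
2017-02-21 19:42:27,872 ERROR org.dspace.authenticate.ShibAuthentication @ Unable to register new eperson because we are unable to find an email address along with first and last name for the user.
  NetId Header: 'null'='null' (Optional)
  Email Header: 'email'='null'
  First Name Header: 'givenName'='null'
  Last Name Header: 'sn'='null'
2017-02-21 19:42:27,872 INFO  org.dspace.app.xmlui.utils.AuthenticationUtil @ anonymous:session_id=01CF256229E776009AE83845CF4341A2:ip_addr=xxx.xxx.xxx.xxx:failed_login:email=null, realm=null, result=4
"""

# "   email (1 values)" entries inside the SP's "Cached the following attributes" block.
SP_ATTR_RE = re.compile(r"Shibboleth-TRANSACTION \[\d+\]:\s+(\S+) \((\d+) values?\)")
# "  Email Header: 'email'='null'" lines from DSpace's ShibAuthentication error.
DSPACE_HDR_RE = re.compile(r"^\s+([A-Za-z ]+?) Header: '([^']*)'='([^']*)'")
# The xmlui failed_login audit line, for the result code.
FAILED_LOGIN_RE = re.compile(r"failed_login:email=(\S+), realm=(\S+), result=(\d+)")


def sp_cached_attributes(log: str) -> Dict[str, int]:
    """Attribute id -> number of values the SP cached for the session."""
    cached = {}
    for line in log.splitlines():
        m = SP_ATTR_RE.search(line)
        if m:
            cached[m.group(1)] = int(m.group(2))
    return cached


def dspace_null_headers(log: str) -> Dict[str, str]:
    """Configured header name -> field DSpace wanted it for, where the lookup returned null."""
    missing = {}
    for line in log.splitlines():
        m = DSPACE_HDR_RE.match(line)
        if m:
            field, header, value = m.groups()
            # 'null'='null' means the header is not configured at all (NetId is optional).
            if header != "null" and value == "null":
                missing[header] = field
    return missing


def failed_login_result(log: str) -> Optional[int]:
    """DSpace result code from the failed_login audit line, or None if absent."""
    m = FAILED_LOGIN_RE.search(log)
    return int(m.group(3)) if m else None


def diagnose(sp_log: str, dspace_log: str) -> Dict[str, List[str]]:
    """Split DSpace's null headers by whether the SP had the attribute at all."""
    cached = sp_cached_attributes(sp_log)
    missing = dspace_null_headers(dspace_log)
    return {
        # SP had it, webapp did not: the loss is between SP and Tomcat
        # (attribute export / proxy / AJP attribute handling), not the IdP.
        "cached_by_sp_but_null_in_dspace": sorted(h for h in missing if h in cached),
        # SP never had it: IdP release policy or attribute-map.xml.
        "not_cached_by_sp": sorted(h for h in missing if h not in cached),
    }


if __name__ == "__main__":
    print(diagnose(SP_LOG, DSPACE_LOG), "result code:", failed_login_result(DSPACE_LOG))
```

Run against the two excerpts it puts all three attributes in the first list and none in the second, which is the pattern the thread shows: nothing to change at the IdP or in attribute-map.xml, and the hop to examine is the one from the SP into Tomcat.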