Hi everyone,
I manage a DSpace server for a library, and it has been working great the past few years up until a few weeks ago, when a reverse proxy server change broke the authentication (which is handled through Shibboleth). Requests to DSpace first go to a reverse proxy server (managed by a different department), which then passes them to my DSpace server. This worked fine until recently, when the reverse proxy server was set to redirect all traffic to HTTPS (previously both HTTP and HTTPS were allowed). Now whenever I click the login link, I am properly redirected to my institution's login page, but after logging in I get this error message:

> opensaml::BindingException
> The system encountered an error at Fri Mar 8 11:19:28 2019
> To report this problem, please contact the site administrator at [email protected].
> Please include the following message in any email:
> opensaml::BindingException at (http://www.uleth.ca/lib/ematerials/Shibboleth.sso/SAML2/POST)
> Invalid HTTP method (GET).

In the Shibboleth settings, I tried setting the handlerSSL property to true, thinking that I just needed to use SSL on my server to match the reverse proxy server, but that seems to break all of my Shibboleth.sso links (they give 404s) and cause an error from the IdP when trying to log in. After talking with the department that manages the reverse proxy server, they indicated that their server terminates SSL on the request and passes it to my server as regular HTTP. This makes me suspect that handlerSSL should stay off with this type of setup.

Does anyone have any experience with DSpace, reverse proxy servers, HTTPS, and Shibboleth that might be able to shed some light on this one? I'm a bit uncertain as to where HTTPS should be used and where HTTP should be used. All of the configuration was done based on this page (https://wiki.duraspace.org/display/DSDOC4x/Authentication+Plugins) along with the Shibboleth documentation.

Here are a few extra bits of information that I think are relevant:

Reverse proxy server: https://www.uleth.ca/lib is the URL for the reverse proxy server, and the /ematerials part of the URL indicates that the request is intended for my DSpace server (so https://www.uleth.ca/lib/ematerials would be the DSpace landing page).

*shibboleth2.xml:*

    <Sessions [...] handlerSSL="false" cookieProps="; path=/lib/ematerials; HttpOnly" handlerURL="/lib/ematerials/Shibboleth.sso">

*local.cfg:*

    authentication-shibboleth.lazysession = true
    authentication-shibboleth.lazysession.loginurl = https://www.uleth.ca/lib/ematerials/shibboleth-login
    authentication-shibboleth.lazysession.secure = true

*Software versions:* DSpace 6.3 using xmlui, Shibboleth SP 3.0.2.0, Apache HTTPD 2.4.37, Apache Tomcat 9.0.12, Windows Server 2016

I can also provide HTTPD settings, Tomcat settings, additional lines from anything above, or logs if those would be pertinent. When I checked the logs, I didn't find anything more useful-looking than the error that I copied above.

Any help or guidance on this would be massively appreciated!

Thanks!

Bryson Duda
Systems Support Specialist
Information Systems - University of Lethbridge Library
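
Added example, not part of the original post: a local reproduction of how a form POST sent to a plain-HTTP URL reaches the endpoint as a bodiless GET once a 301/302/303 redirect sits in front of it, which matches the "Invalid HTTP method (GET)" reported at the http:// SAML2/POST URL above. The redirect status, the `/tls` path prefix standing in for the HTTPS hop, and the form value are assumptions; Python's `urllib` plays the browser.

```python
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ACS = "/lib/ematerials/Shibboleth.sso/SAML2/POST"  # endpoint path from the error message
seen = []  # (method, body length) of each request that reaches the stand-in SP


class Handler(BaseHTTPRequestHandler):
    redirect_status = 302  # assumption: status used by the proxy's redirect rule

    def _handle(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path == ACS:
            # Stand-in for the proxy's "redirect everything to HTTPS" rule.
            # "/tls" plays the role of the https:// hop (no certificate needed).
            self.send_response(self.redirect_status)
            self.send_header("Location", "/tls" + ACS)
        else:
            # Stand-in for the SP endpoint: record what actually arrived.
            seen.append((self.command, len(body)))
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = _handle

    def log_message(self, *args):  # keep the output quiet
        pass


def post_through_redirect(status=302):
    """POST a constructed form to the plain-HTTP URL; return what the SP saw."""
    Handler.redirect_status = status
    seen.clear()
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        form = urllib.parse.urlencode({"SAMLResponse": "constructed-placeholder"}).encode()
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        url = f"http://127.0.0.1:{server.server_port}{ACS}"
        opener.open(urllib.request.Request(url, data=form), timeout=5).close()
    finally:
        server.shutdown()
        server.server_close()
    return seen[-1]


if __name__ == "__main__":
    for status in (301, 302, 303):
        print(status, post_through_redirect(status))  # method and body length seen by the SP
```

If the assertion consumer URL that the SP hands to the IdP already carries the https:// scheme, the POST never meets the redirect, so the URL shown in the error message is the first thing to compare against the proxy's public address.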
