Ciprian, did you manage to sort this out?  I'm running into the same 
situation.  DSpace logs show:

2021-10-01 12:01:34,276 DEBUG unknown unknown 
org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute 
uid is empty!
2021-10-01 12:01:34,276 DEBUG unknown unknown 
org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute 
mail is empty!
2021-10-01 12:01:34,276 ERROR unknown unknown 
org.dspace.authenticate.ShibAuthentication @ Shibboleth authentication was 
not able to find a NetId, Email, or Tomcat Remote user for which to 
indentify a user from.
2021-10-01 12:01:34,276 DEBUG unknown unknown 
org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute 
uid is empty!
2021-10-01 12:01:34,276 DEBUG unknown unknown 
org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute 
mail is empty!
2021-10-01 12:01:34,276 DEBUG unknown unknown 
org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute 
nickname is empty!
2021-10-01 12:01:34,277 DEBUG unknown unknown 
org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute 
sn is empty!
2021-10-01 12:01:34,283 ERROR unknown unknown 
org.dspace.authenticate.ShibAuthentication @ Unable to register new eperson 
because we are unable to find an email address along with first and last 
name for the user.
NetId Header: 'uid'='null' (Optional)
Email Header: 'mail'='null'
First Name Header: 'nickname'='null'
Last Name Header: 'sn'='null'


but /Shibboleth.sso/Session does indeed show that Shib auth was successful 
and that the attributes returned match my local.cfg values.   Nothing else 
in the logs really stands out as an issue. It seems to me that DSpace isn't 
getting the Shib attributes.  I've tried with ShibHeaders on and off; I 
have the AJP stuff set up correctly (I think).

I'm curious if and how you managed to get this to work.

Thanks!

*Darryl Friesen, BSc*
Programmer/Analyst
*University of Saskatchewan*
*ICT / University Library*


On Tuesday, August 4, 2020 at 9:55:33 AM UTC-6 Tim Donohue wrote:

> Have you double checked in your Shibboleth setup that your "email-header" 
> is named "mail"?
>
> I still think this setting looks odd to me:
>
> authentication-shibboleth.email-header = mail
>
> It is completely possible that I'm wrong.  But, almost every error message 
> (and info message) you've passed along references a "null" or "empty" value 
> for "mail" (or email).  That implies to me that this setting may not be 
> correct for your Shibboleth setup.
>
> All that said, I have to admit here, I'm hitting up against the limits of 
> my Shibboleth knowledge.  I'm *not* a Shibboleth expert, but can only 
> advise you on which configurations might not be working as expected.  In 
> this scenario, it seems likely to me that your "email-header" setting is 
> incorrect...but, I don't know what it should be changed to (you may need to 
> talk to your Shibboleth administrator). 
>
> I wish I had better advice, but maybe someone else on this list might have 
> an idea of what is going on.  This doesn't seem like a DSpace 7 specific 
> issue to me, but more like a possible misconfiguration of the DSpace 
> Shibboleth settings.
>
> Tim
> ------------------------------
> *From:* Ciprian Pinzaru <ciprian...@gmail.com>
> *Sent:* Tuesday, August 4, 2020 10:38 AM
>
> *To:* Tim Donohue <tim.d...@lyrasis.org>; DSpace Technical Support <
> dspac...@googlegroups.com>
> *Subject:* Re: [dspace-tech] Dspace 7 shibboleth error
>
> I find a message like:
>
>
> INFO  org.dspace.app.rest.security.EPersonRestAuthenticationProvider @ 
> anonymous::failed_login:email=null, result=4
>
>
>
> 2020-08-04 18:12:57,053 INFO  
> org.springframework.security.web.DefaultSecurityFilterChain @ Creating 
> filter chain: Ant [pattern='/api/**'], 
> [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@43d7f719,
>  
> org.springframework.security.web.context.SecurityContextPersistenceFilter@e5c20f0,
>  
> org.springframework.security.web.header.HeaderWriterFilter@148a6d4b, 
> org.springframework.web.filter.CorsFilter@8eb6f8d, 
> org.dspace.app.rest.security.StatelessAuthenticationFilter@1bd3eb22, 
> org.dspace.app.rest.security.StatelessLoginFilter@44823e3, 
> org.dspace.app.rest.security.ShibbolethAuthenticationFilter@785b634c, 
> org.springframework.security.web.authentication.logout.LogoutFilter@1f754887, 
> org.dspace.app.rest.security.AnonymousAdditionalAuthorizationFilter@2b9feccd, 
> org.springframework.security.web.savedrequest.RequestCacheAwareFilter@1ab55f03,
>  
> org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@60b02a97,
>  
> org.springframework.security.web.authentication.AnonymousAuthenticationFilter@2f918867,
>  
> org.springframework.security.web.session.SessionManagementFilter@3fa4fdb9, 
> org.springframework.security.web.access.ExceptionTranslationFilter@5effff08, 
> org.springframework.security.web.access.intercept.FilterSecurityInterceptor@647f6f74]
>
>
>
> 2020-08-04 18:14:33,306 DEBUG 
> org.dspace.app.rest.security.ShibbolethAuthenticationFilter @ Request is to 
> process authentication
>
>
> but not your message.
> On 04/08/2020 18:17, Tim Donohue wrote:
>
>
> Based on your configuration, you may want to look closely at the 
> dspace.log to see what the "INFO" messages say just before you hit errors. 
> You *might* see something like:
>
> "Unable to identify EPerson based upon Shibboleth email header: mail" 
>
> If you see that message, then this setting is *incorrect* for your 
> Shibboleth installation:
>
> authentication-shibboleth.email-header = mail
>
> If that's the case, you'll need to see what the correct setting for this 
> "email-header" is for your Shibboleth, or possibly choose to switch to 
> using the "netid-header" setting instead (if that's easier to use based on 
> your Shibboleth setup). Every Shibboleth setup is slightly different, so 
> unfortunately I cannot tell you what the correct configuration is for your 
> setup.
>
> In general, you may want to read through the Shibboleth configuration 
> options listed here: 
> https://wiki.lyrasis.org/display/DSDOC6x/Authentication+Plugins#AuthenticationPlugins-DSpaceShibbolethConfigurationOptions
>   
>  Then, decide which should work best for your Shibboleth setup.
>
> Tim
> ------------------------------
> *From:* Ciprian Pinzaru <ciprian...@gmail.com>
> *Sent:* Tuesday, August 4, 2020 9:51 AM
> *To:* Tim Donohue <tim.d...@lyrasis.org>; DSpace Technical Support 
> <dspac...@googlegroups.com>
> *Subject:* Re: [dspace-tech] Dspace 7 shibboleth error 
>  
>
> Dear Tim,
>
>
> I have the configuration:
>
>
>
>
> authentication-shibboleth.lazysession = true
>
> authentication-shibboleth.lazysession.loginurl = /Shibboleth.sso/Login
>
> authentication-shibboleth.lazysession.secure = true
>
>
>
> authentication-shibboleth.email-header = mail
> authentication-shibboleth.email-use-tomcat-remote-user = false
>
> authentication-shibboleth.autoregister = true
>
> authentication-shibboleth.sword.compatibility = false
>
>
>
> authentication-shibboleth.firstname-header = givenName
> authentication-shibboleth.lastname-header = sn
>
>
> authentication-shibboleth.eperson.metadata.autocreate = true
>
> authentication-shibboleth.reconvert.attributes = false
>
>
> default-roles = internal
> role.internal = ETDR_AUTO
>
> authentication-shibboleth.role-header = SHIB-SCOPED-AFFILIATION
>
> authentication-shibboleth.role-header.ignore-scope = true
>
> Ciprian
>
>
> On 04/08/2020 17:47, Tim Donohue wrote:
>
> Just a guess, but have you filled out the settings in your 
> "authentication-shibboleth.cfg" file? 
> https://github.com/DSpace/DSpace/blob/main/dspace/config/modules/authentication-shibboleth.cfg
>
> DSpace needs to know which authentication header(s) are available in your 
> Shibboleth in order to authenticate.  So, usually you'd need to tell DSpace 
> either the "netid-header", "email-header", or fallback to using Tomcat's 
> remote user.  See this section:
>
> https://github.com/DSpace/DSpace/blob/main/dspace/config/modules/authentication-shibboleth.cfg#L49-L95
>
> This is the same Shibboleth configuration that DSpace used in DSpace v6, 
> so you can also reference those docs for more info: 
> https://wiki.lyrasis.org/display/DSDOC6x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication
>
> Once DSpace 7 is getting closer to production-ready, we'll have a better 
> guide specific to DSpace 7 obviously.
>
> Tim
> ------------------------------
> *From:* dspac...@googlegroups.com <dspac...@googlegroups.com> on behalf 
> of Ciprian Pinzaru <ciprian...@gmail.com>
> *Sent:* Tuesday, August 4, 2020 3:38 AM
> *To:* DSpace Technical Support <dspac...@googlegroups.com>
> *Subject:* [dspace-tech] Dspace 7 shibboleth error 
>  
> Dear community, 
>
>
> Please help me to fix the authentication error with Shibboleth and DSpace 
> 7 beta 3.
>
> In the browser I have the message:
>
> Whitelabel Error Page 
>
> This application has no explicit mapping for /error, so you are seeing 
> this as a fallback.
> Tue Aug 04 11:09:27 EEST 2020
> There was an unexpected error (type=Unauthorized, status=401).
> Login failed
>
> in the dspace logs:
>
>
> 2020-08-04 11:17:39,880 DEBUG org.dspace.authenticate.ShibAuthentication @ 
> ShibAuthentication - attribute mail is empty!
>
> 2020-08-04 11:17:39,880 ERROR org.dspace.authenticate.ShibAuthentication @ 
> Shibboleth authentication was not able to find a NetId, Email, or Tomcat 
> Remote user for which to indentify a user from.
>
> 2020-08-04 11:17:39,881 DEBUG org.dspace.authenticate.ShibAuthentication @ 
> ShibAuthentication - attribute mail is empty!
>
> 2020-08-04 11:17:39,881 DEBUG org.dspace.authenticate.ShibAuthentication @ 
> ShibAuthentication - attribute givenName is empty!
>
> 2020-08-04 11:17:39,881 DEBUG org.dspace.authenticate.ShibAuthentication @ 
> ShibAuthentication - attribute sn is empty!
>
> 2020-08-04 11:17:39,899 ERROR org.dspace.authenticate.ShibAuthentication @ 
> Unable to register new eperson because we are unable to find an email 
> address along with first and last name for the user.
>
>   NetId Header: 'null'='null' (Optional) 
>
>   Email Header: 'mail'='null' 
>
>   First Name Header: 'givenName'='null' 
>
>   Last Name Header: 'sn'='null'
>
>
>
>
> But in Shibboleth I have the email:
>
>
>
> 2020-08-04 11:09:26|Shibboleth-TRANSACTION.Login|*te...@example.com*
> |_37a933a02565057512061ad02ccb9e0e|
> https://ixxxxxxxxx/idp/shibboleth|_5b973d9e7099c43c1bb1b6e7c3a6470c|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|2020-08-04T10:41:45|
> *mail*|AAdzZWNyZXQxs+3UzwKOWff08rnbNGeh+Uh53kS61N8OJl+1zy7rkVEaQl9ILTZMGGa+ia7FwPUrRaniiKcC/10X+WBWVkhUGkOf5HNbpwS3nQ2C8B7e5+AXFMH6gpgeI=|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||urn:oasis:names:tc:SAML:2.0:status:Success|||Mozilla/5.0
>  
> (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0|zzzzz
>
>
>
>
>
>
> The Apache configuration is:
>
>
>
>  UseCanonicalName On
>
>
>
>     <Location /server/api/authn/shibboleth>
>
>         Require all granted
>
>         AuthType shibboleth
>
>         ShibUseHeaders On
>
>         ShibUseEnvironment On
>
>         Require shibboleth
>
>
>     </Location>
>
>     <Location /server/api/authn/login>
>
>         Require all granted
>
>         AuthType shibboleth
>
>         ShibUseHeaders On
>
>         ShibUseEnvironment On
>
>         Require shibboleth
>
>
>     </Location>
>
>
>     <Proxy *>
>
>         AddDefaultCharset Off
>
>         Require all granted
>
>         #Order deny,allow
>
>         #Allow from all
>
>     </Proxy>
>
>     SSLProxyEngine on
>
>
>     ProxyIOBufferSize 65536
>
>     ProxyRequests off
>
>     ProxyPreserveHost On
>
>     ProxyPass /Shibboleth.sso !
>
>
>     # A specific proxypass configuration for DSpace server (both server and angular on the same machine)
>
>     ProxyPass /server ajp://localhost:8009/server
>
>     ProxyPassReverse /server ajp://localhost:8009/server
>
>
>     # A specific proxypass configuration for Angular
>
>     ProxyPass / http://localhost:4000/
>
>     ProxyPassReverse / http://localhost:4000/
>
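
Added example (not part of the original thread and not DSpace code): a small triage script that separates the two hypotheses raised above, a misnamed "email-header" versus attributes that never reach DSpace at all. The config, log lines and session attribute names are constructed samples modelled on the excerpts quoted in the thread, and likely_cause() is a heuristic assumed for this example.

```python
import re

# Constructed inputs modelled on the excerpts quoted in this thread.
DSPACE_CFG = """\
authentication-shibboleth.netid-header = uid
authentication-shibboleth.email-header = mail
authentication-shibboleth.firstname-header = nickname
authentication-shibboleth.lastname-header = sn
"""
LOG_PREFIX = ("2021-10-01 12:01:34,276 DEBUG unknown unknown "
              "org.dspace.authenticate.ShibAuthentication @ ")
DSPACE_LOG = "\n".join(
    LOG_PREFIX + f"ShibAuthentication - attribute {name} is empty!"
    for name in ("uid", "mail", "nickname", "sn")
)
# Attribute names as listed on /Shibboleth.sso/Session (constructed sample).
SESSION_ATTRS = {"uid", "mail", "nickname", "sn"}

# Matches "...<role>-header = <name>" but not sub-keys such as
# "role-header.ignore-scope".
CFG_RE = re.compile(r"^authentication-shibboleth\.(\w+)-header\s*=\s*(\S+)", re.M)
EMPTY_RE = re.compile(r"ShibAuthentication - attribute (\S+) is empty!")

def diagnose(cfg, log, session_attrs):
    """Classify each configured *-header by where its value was lost."""
    empty = set(EMPTY_RE.findall(log))
    report = {}
    for role, header in CFG_RE.findall(cfg):
        if header not in empty:
            report[role] = "received"
        elif header in session_attrs:
            report[role] = "in SP session, not received by DSpace"
        else:
            report[role] = "not in SP session"
    return report

def likely_cause(report):
    """Heuristic (an assumption of this example, not DSpace behaviour)."""
    states = set(report.values())
    if states == {"received"}:
        return "ok"
    if "not in SP session" in states:
        return "naming: a configured header does not match the SP attribute name"
    return "delivery: SP has the attributes but they are lost between Apache and DSpace"

if __name__ == "__main__":
    result = diagnose(DSPACE_CFG, DSPACE_LOG, SESSION_ATTRS)
    for role, state in result.items():
        print(f"{role:10} {state}")
    print(likely_cause(result))
```

When every configured header is empty although the session page lists the same names, the result points at the hop between Apache and Tomcat rather than at the header names in the DSpace configuration.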
