Re: [dspace-tech] Shibboleth Setup Trouble

2018-02-23 Thread Tim Donohue
Hi Glenn,

Not sure I have a solution, but based on the DSpace documentation,
configuring Shibboleth for DSpace requires using Apache (with mod_shib) in
front of Tomcat:
https://wiki.duraspace.org/display/DSDOC6x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication

Do you have Apache fully working with Tomcat (without Shibboleth)?  It
sounds like parts of your application are still using port 8080 (which is
obviously going to Tomcat, directly, and bypassing Apache) instead of port
80. The first step here seems to be to get DSpace fully running on port
80.  We have some notes on doing that in the DSpace installation docs at:
https://wiki.duraspace.org/display/DSDOC6x/Installing+DSpace#InstallingDSpace-UsingSSLonApacheHTTPDinfrontofTomcat(runningonports80and443)

The other thing to check is your [dspace]/config/dspace.cfg configuration
file.  Specifically, you want to be sure that the "baseURL" in that
configuration does NOT include a port number (i.e. it should use port 80).
By default, that baseURL uses port 8080 (which would tell DSpace to
generate URLs back to itself using port 8080), e.g.

dspace.baseUrl = http://localhost:8080

So, per your examples,  I'd expect your baseURL should be simply
"http://rc.library.ourschool.edu".

Here's where that configuration is in your dspace.cfg file:
https://github.com/DSpace/DSpace/blob/master/dspace/config/dspace.cfg#L29

Hopefully that helps some! If you figure it out, let us know...or report
back on this list if you have further questions.

Tim

On Thu, Feb 22, 2018 at 4:58 PM  wrote:

> I'm trying to get Shibboleth to work with a new DSpace 6 installation on
> Centos 7 running Apache 2.4.  I have both password and Shibboleth
> authentication enabled.  This gives me the opportunity to hover over the
> Shibboleth login link.  The link shows this URL:
>
>
> https://rc.library.ourschool.edu/Shibboleth.sso/Login?target=https%3A%2F%2Frc.library.ourschool.edu%3A8080%2F%2Futa-ir%2Fshibboleth-login
>
> or, with all the placeholders exchanged:
>
>
> https://rc.library.ourschool.edu/Shibboleth.sso/Login?target=https://rc.library.ourschool.edu:8080//ourschool-ir/shibboleth-login
>
> When I click the link, our standard Shibboleth login box appears.  I enter
> credentials and then I get the error message:
>
> "*No peer endpoint available to which to send SAML response*"
>
> The fellow who maintains the Identity Provider says it logs the
> AssertionConsumerServiceURL as:
>
> *https://rc.library.ourschool.edu:8080/Shibboleth.sso/SAML2/POST*
> 
>
> Putting two and two together, it seems the IdP can't contact the SP
> because it's trying to hit port 8080.  Since I have Apache doing reverse
> proxy, the IdP needs to hit the base URL, but I can't find a way to change
> it.  Here are the relevant lines from the Apache main config:
>
> # Send requests for / to /ourschool-ir
> RedirectMatch ^/$ /ourschool-ir
> # Redirect http to https
> Redirect permanent /ourschool-ir https://rc.library.ourschool.edu/ourschool-ir
>
>
> And from the Apache virtual server config:
>
> 
> # Configure Shibboleth for "lazy" authentication
> AuthType shibboleth
> ShibUseHeaders on
> Require shibboleth
> 
> 
> # Suggested by DSpace docs
>  ProxyPass !
>  SetHandler shib
> 
> ProxyPass /ourschool-ir http://rc.library.ourschool.edu:8080/ourschool-ir
> ProxyPassReverse /ourschool-ir http://rc.library.ourschool.edu:8080/ourschool-ir
> 
>
>
> Any clues greatly appreciated.
>
> Glenn
>
> --
> You received this message because you are subscribed to the Google Groups
> "DSpace Technical Support" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to dspace-tech+unsubscr...@googlegroups.com.
> To post to this group, send email to dspace-tech@googlegroups.com.
> Visit this group at https://groups.google.com/group/dspace-tech.
> For more options, visit https://groups.google.com/d/optout.
>
-- 
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org
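
An added example, not part of the original messages and not DSpace or Shibboleth code: a small check that takes the three places port 8080 can show up in this thread (the login link's target, the AssertionConsumerServiceURL the IdP logged, and dspace.baseUrl) and reports which of them point away from the Apache front end. The function names and the CFG_BEFORE sample are assumptions made for illustration; the URLs are the ones quoted in the thread.

```python
from urllib.parse import urlsplit, parse_qs

DEFAULT_PORTS = {"http": 80, "https": 443}

def base_url_from_cfg(cfg_text):
    """Return the dspace.baseUrl value from dspace.cfg text, or None."""
    for line in cfg_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "dspace.baseUrl":  # commented-out keys do not match
            return value.strip()
    return None

def port_problem(url, public_host):
    """Reason this URL would miss the Apache front end, or None if it is fine."""
    parts = urlsplit(url)
    if parts.hostname != public_host:
        return f"host {parts.hostname!r} is not the public host {public_host!r}"
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(parts.scheme):
        return f"explicit port {parts.port} is not the default for {parts.scheme}"
    return None

def audit(login_link, acs_url, cfg_text):
    """Map each URL that carries a wrong host or port to the reason."""
    link = urlsplit(login_link)
    checks = {
        # parse_qs percent-decodes the target parameter for us
        "login target": parse_qs(link.query).get("target", [None])[0],
        "AssertionConsumerServiceURL": acs_url,
        "dspace.baseUrl": base_url_from_cfg(cfg_text),
    }
    findings = {}
    for label, url in checks.items():
        reason = "not found" if url is None else port_problem(url, link.hostname)
        if reason:
            findings[label] = reason
    return findings

# URLs as quoted in the thread.
LOGIN_LINK = ("https://rc.library.ourschool.edu/Shibboleth.sso/Login?target="
              "https%3A%2F%2Frc.library.ourschool.edu%3A8080%2F%2Futa-ir%2Fshibboleth-login")
ACS_URL = "https://rc.library.ourschool.edu:8080/Shibboleth.sso/SAML2/POST"
# Constructed sample: a dspace.cfg that still carries the backend port.
CFG_BEFORE = "# constructed sample\ndspace.baseUrl = https://rc.library.ourschool.edu:8080\n"
# The value suggested in the reply above.
CFG_AFTER = "dspace.baseUrl = http://rc.library.ourschool.edu\n"

if __name__ == "__main__":
    for label, reason in audit(LOGIN_LINK, ACS_URL, CFG_BEFORE).items():
        print(f"{label}: {reason}")
```
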



[dspace-tech] Shibboleth Setup Trouble

2018-02-22 Thread librarysystems . test
I'm trying to get Shibboleth to work with a new DSpace 6 installation on 
Centos 7 running Apache 2.4.  I have both password and Shibboleth 
authentication enabled.  This gives me the opportunity to hover over the 
Shibboleth login link.  The link shows this URL:

https://rc.library.ourschool.edu/Shibboleth.sso/Login?target=https%3A%2F%2Frc.library.ourschool.edu%3A8080%2F%2Futa-ir%2Fshibboleth-login

or, with all the placeholders exchanged:

https://rc.library.ourschool.edu/Shibboleth.sso/Login?target=https://rc.library.ourschool.edu:8080//ourschool-ir/shibboleth-login

When I click the link, our standard Shibboleth login box appears.  I enter 
credentials and then I get the error message:

"*No peer endpoint available to which to send SAML response*" 

The fellow who maintains the Identity Provider says it logs the 
AssertionConsumerServiceURL as:

*https://rc.library.ourschool.edu:8080/Shibboleth.sso/SAML2/POST* 


Putting two and two together, it seems the IdP can't contact the SP because 
it's trying to hit port 8080.  Since I have Apache doing reverse proxy, the 
IdP needs to hit the base URL, but I can't find a way to change it.  Here 
are the relevant lines from the Apache main config:

# Send requests for / to /ourschool-ir
RedirectMatch ^/$ /ourschool-ir
# Redirect http to https
Redirect permanent /ourschool-ir https://rc.library.ourschool.edu/ourschool-ir


And from the Apache virtual server config:


# Configure Shibboleth for "lazy" authentication
AuthType shibboleth
ShibUseHeaders on
Require shibboleth


# Suggested by DSpace docs
 ProxyPass !
 SetHandler shib

ProxyPass /ourschool-ir http://rc.library.ourschool.edu:8080/ourschool-ir
ProxyPassReverse /ourschool-ir http://rc.library.ourschool.edu:8080/ourschool-ir



Any clues greatly appreciated.

Glenn
