Just a guess, but have you filled out the settings in your "authentication-shibboleth.cfg" file? https://github.com/DSpace/DSpace/blob/main/dspace/config/modules/authentication-shibboleth.cfg
DSpace needs to know which authentication header(s) are available in your Shibboleth in order to authenticate. So, usually you'd need to tell DSpace either the "netid-header", "email-header", or fallback to using Tomcat's remove user. See this section: https://github.com/DSpace/DSpace/blob/main/dspace/config/modules/authentication-shibboleth.cfg#L49-L95 This is the same Shibboleth configuration that DSpace used in DSpace v6, so you can also reference those docs for more info: https://wiki.lyrasis.org/display/DSDOC6x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication Once DSpace 7 is getting closer to production-ready, we'll have a better guide specific to DSpace 7 obviously. Tim ________________________________ From: [email protected] <[email protected]> on behalf of Ciprian Pinzaru <[email protected]> Sent: Tuesday, August 4, 2020 3:38 AM To: DSpace Technical Support <[email protected]> Subject: [dspace-tech] Dspace 7 shibboleth error Dear community, Please help me to fix the authentication error with shibboleth and Dspace 7 beta 3 In the browser I have the message: Whitelabel Error Page This application has no explicit mapping for /error, so you are seeing this as a fallback. Tue Aug 04 11:09:27 EEST 2020 There was an unexpected error (type=Unauthorized, status=401). Login failed in the dspace logs: 2020-08-04 11:17:39,880 DEBUG org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute mail is empty! 2020-08-04 11:17:39,880 ERROR org.dspace.authenticate.ShibAuthentication @ Shibboleth authentication was not able to find a NetId, Email, or Tomcat Remote user for which to indentify a user from. 2020-08-04 11:17:39,881 DEBUG org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute mail is empty! 2020-08-04 11:17:39,881 DEBUG org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute givenName is empty! 2020-08-04 11:17:39,881 DEBUG org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute sn is empty! 2020-08-04 11:17:39,899 ERROR org.dspace.authenticate.ShibAuthentication @ Unable to register new eperson because we are unable to find an email address along with first and last name for the user. NetId Header: 'null'='null' (Optional) Email Header: 'mail'='null' First Name Header: 'givenName'='null' Last Name Header: 'sn'='null' But in the shibboleth I have the email: 2020-08-04 11:09:26|Shibboleth-TRANSACTION.Login|[email protected]|_37a933a02565057512061ad02ccb9e0e|https://ixxxxxxxxx/idp/shibboleth|_5b973d9e7099c43c1bb1b6e7c3a6470c|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|2020-08-04T10:41:45|mail|AAdzZWNyZXQxs+3UzwKOWff08rnbNGeh+Uh53kS61N8OJl+1zy7rkVEaQl9ILTZMGGa+ia7FwPUrRaniiKcC/10X+WBWVkhUGkOf5HNbpwS3nQ2C8B7e5+AXFMH6gpgeI=|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||urn:oasis:names:tc:SAML:2.0:status:Success|||Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0|zzzzz The Apache configuration it is: UseCanonicalName On <Location /server/api/authn/shibboleth> Require all granted AuthType shibboleth ShibUseHeaders On ShibUseEnvironment On Require shibboleth </Location> <Location /server/api/authn/login> Require all granted AuthType shibboleth ShibUseHeaders On ShibUseEnvironment On Require shibboleth </Location> <Proxy *> AddDefaultCharset Off Require all granted #Order deny,allow #Allow from all </Proxy> SSLProxyEngine on ProxyIOBufferSize 65536 ProxyRequests off ProxyPreserveHost On ProxyPass /Shibboleth.sso ! # A specific proxypass configuration for DSpace server (both server and angular on the same machine) ProxyPass /server ajp://localhost:8009/server ProxyPassReverse /server ajp://localhost:8009/server # A specific proxypass configuration for Angular ProxyPass / http://localhost:4000/ ProxyPassReverse / http://localhost:4000/ -- All messages to this mailing list should adhere to the DuraSpace Code of Conduct: https://duraspace.org/about/policies/code-of-conduct/ --- You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/584046a6-db4c-4dd3-8df1-85d59d17108fo%40googlegroups.com<https://groups.google.com/d/msgid/dspace-tech/584046a6-db4c-4dd3-8df1-85d59d17108fo%40googlegroups.com?utm_medium=email&utm_source=footer>. -- All messages to this mailing list should adhere to the DuraSpace Code of Conduct: https://duraspace.org/about/policies/code-of-conduct/ --- You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/DM5PR2201MB1148C320509D9BB4F29BFE45ED4A0%40DM5PR2201MB1148.namprd22.prod.outlook.com.
