Dear Tim,
I have the configuration:
authentication-shibboleth.lazysession = true
authentication-shibboleth.lazysession.loginurl = /Shibboleth.sso/Login
authentication-shibboleth.lazysession.secure = true
authentication-shibboleth.email-header = mail
authentication-shibboleth.email-use-tomcat-remote-user = false
authentication-shibboleth.autoregister = true
authentication-shibboleth.sword.compatibility = false
authentication-shibboleth.firstname-header = givenName
authentication-shibboleth.lastname-header = sn
authentication-shibboleth.eperson.metadata.autocreate = true
authentication-shibboleth.reconvert.attributes = false
default-roles = internal
role.internal = ETDR_AUTO
authentication-shibboleth.role-header = SHIB-SCOPED-AFFILIATION
authentication-shibboleth.role-header.ignore-scope = true
Ciprian
On 04/08/2020 17:47, Tim Donohue wrote:
Just a guess, but have you filled out the settings in your
"authentication-shibboleth.cfg" file?
https://github.com/DSpace/DSpace/blob/main/dspace/config/modules/authentication-shibboleth.cfg
DSpace needs to know which authentication header(s) are available in
your Shibboleth in order to authenticate. So, usually you'd need to
tell DSpace either the "netid-header", "email-header", or fallback to
using Tomcat's remote user. See this section:
https://github.com/DSpace/DSpace/blob/main/dspace/config/modules/authentication-shibboleth.cfg#L49-L95
This is the same Shibboleth configuration that DSpace used in DSpace
v6, so you can also reference those docs for more info:
https://wiki.lyrasis.org/display/DSDOC6x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication
Once DSpace 7 is getting closer to production-ready, we'll have a
better guide specific to DSpace 7 obviously.
Tim
------------------------------------------------------------------------
*From:* [email protected] <[email protected]> on
behalf of Ciprian Pinzaru <[email protected]>
*Sent:* Tuesday, August 4, 2020 3:38 AM
*To:* DSpace Technical Support <[email protected]>
*Subject:* [dspace-tech] Dspace 7 shibboleth error
Dear community,
Please help me to fix the authentication error with Shibboleth and
DSpace 7 beta 3.
In the browser I have the message:
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing
this as a fallback.
Tue Aug 04 11:09:27 EEST 2020
There was an unexpected error (type=Unauthorized, status=401).
Login failed
In the DSpace logs:
2020-08-04 11:17:39,880 DEBUG
org.dspace.authenticate.ShibAuthentication @ ShibAuthentication -
attribute mail is empty!
2020-08-04 11:17:39,880 ERROR
org.dspace.authenticate.ShibAuthentication @ Shibboleth authentication
was not able to find a NetId, Email, or Tomcat Remote user for which
to indentify a user from.
2020-08-04 11:17:39,881 DEBUG
org.dspace.authenticate.ShibAuthentication @ ShibAuthentication -
attribute mail is empty!
2020-08-04 11:17:39,881 DEBUG
org.dspace.authenticate.ShibAuthentication @ ShibAuthentication -
attribute givenName is empty!
2020-08-04 11:17:39,881 DEBUG
org.dspace.authenticate.ShibAuthentication @ ShibAuthentication -
attribute sn is empty!
2020-08-04 11:17:39,899 ERROR
org.dspace.authenticate.ShibAuthentication @ Unable to register new
eperson because we are unable to find an email address along with
first and last name for the user.
NetId Header: 'null'='null' (Optional)
Email Header: 'mail'='null'
First Name Header: 'givenName'='null'
Last Name Header: 'sn'='null'
But in Shibboleth I have the email:
2020-08-04
11:09:26|Shibboleth-TRANSACTION.Login|*[email protected]*|_37a933a02565057512061ad02ccb9e0e|https://ixxxxxxxxx/idp/shibboleth|_5b973d9e7099c43c1bb1b6e7c3a6470c|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|2020-08-04T10:41:45|*mail*|AAdzZWNyZXQxs+3UzwKOWff08rnbNGeh+Uh53kS61N8OJl+1zy7rkVEaQl9ILTZMGGa+ia7FwPUrRaniiKcC/10X+WBWVkhUGkOf5HNbpwS3nQ2C8B7e5+AXFMH6gpgeI=|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||urn:oasis:names:tc:SAML:2.0:status:Success|||Mozilla/5.0
(Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101
Firefox/78.0|zzzzz
The Apache configuration is:
UseCanonicalName On
<Location /server/api/authn/shibboleth>
Require all granted
AuthType shibboleth
ShibUseHeaders On
ShibUseEnvironment On
Require shibboleth
</Location>
<Location /server/api/authn/login>
Require all granted
AuthType shibboleth
ShibUseHeaders On
ShibUseEnvironment On
Require shibboleth
</Location>
<Proxy *>
AddDefaultCharset Off
Require all granted
#Order deny,allow
#Allow from all
</Proxy>
SSLProxyEngine on
ProxyIOBufferSize 65536
ProxyRequests off
ProxyPreserveHost On
ProxyPass /Shibboleth.sso !
# A specific proxypass configuration for DSpace server (both server and angular on the same machine)
ProxyPass /server ajp://localhost:8009/server
ProxyPassReverse /server ajp://localhost:8009/server
# A specific proxypass configuration for Angular
ProxyPass / http://localhost:4000/
ProxyPassReverse / http://localhost:4000/
--
All messages to this mailing list should adhere to the DuraSpace Code
of Conduct: https://duraspace.org/about/policies/code-of-conduct/
---
You received this message because you are subscribed to the Google
Groups "DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected]
<mailto:[email protected]>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/dspace-tech/584046a6-db4c-4dd3-8df1-85d59d17108fo%40googlegroups.com
<https://groups.google.com/d/msgid/dspace-tech/584046a6-db4c-4dd3-8df1-85d59d17108fo%40googlegroups.com?utm_medium=email&utm_source=footer>.
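An added example, not part of the original messages and not DSpace code: a small Python check that lists which *-header settings from the configuration above name an attribute that the ShibAuthentication DEBUG log reported as empty. The sample text is constructed from the lines quoted in this thread, and the function names are hypothetical.

```python
import re

# Settings copied from the message above (subset relevant to header lookup).
SAMPLE_CFG = """\
authentication-shibboleth.email-header = mail
authentication-shibboleth.email-use-tomcat-remote-user = false
authentication-shibboleth.firstname-header = givenName
authentication-shibboleth.lastname-header = sn
authentication-shibboleth.role-header = SHIB-SCOPED-AFFILIATION
authentication-shibboleth.role-header.ignore-scope = true
"""

# Constructed sample: DEBUG lines in the wording quoted above, left wrapped
# across lines the way the mail archive shows them.
SAMPLE_LOG = """\
2020-08-04 11:17:39,881 DEBUG
org.dspace.authenticate.ShibAuthentication @ ShibAuthentication -
attribute mail is empty!
2020-08-04 11:17:39,881 DEBUG
org.dspace.authenticate.ShibAuthentication @ ShibAuthentication -
attribute givenName is empty!
2020-08-04 11:17:39,881 DEBUG
org.dspace.authenticate.ShibAuthentication @ ShibAuthentication -
attribute sn is empty!
"""

# Matches "<prefix>.<something>-header = <attribute>" but not sub-keys such
# as "role-header.ignore-scope", and not commented-out lines.
CFG_RE = re.compile(
    r"^\s*authentication-shibboleth\.([a-z-]+-header)\s*=\s*(\S+)\s*$", re.M)
# \s+ between tokens so a message wrapped over several lines still matches.
EMPTY_RE = re.compile(
    r"ShibAuthentication\s+-\s+attribute\s+(\S+)\s+is\s+empty!")


def configured_headers(cfg_text):
    """Return {setting: attribute name} for every *-header setting."""
    return dict(CFG_RE.findall(cfg_text))


def header_status(cfg_text, log_text):
    """Mark each configured header 'empty' if the log reported it empty."""
    empty = set(EMPTY_RE.findall(log_text))
    return {setting: ("empty" if attr in empty else "not reported empty")
            for setting, attr in configured_headers(cfg_text).items()}


if __name__ == "__main__":
    for setting, status in header_status(SAMPLE_CFG, SAMPLE_LOG).items():
        print(f"{setting:20} {status}")
```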