Dear Tim,

I have the configuration:

authentication-shibboleth.lazysession = true
authentication-shibboleth.lazysession.loginurl = /Shibboleth.sso/Login
authentication-shibboleth.lazysession.secure = true

authentication-shibboleth.email-header = mail
authentication-shibboleth.email-use-tomcat-remote-user = false

authentication-shibboleth.autoregister = true
authentication-shibboleth.sword.compatibility = false

authentication-shibboleth.firstname-header = givenName
authentication-shibboleth.lastname-header = sn

authentication-shibboleth.eperson.metadata.autocreate = true
authentication-shibboleth.reconvert.attributes = false

default-roles = internal
role.internal = ETDR_AUTO

authentication-shibboleth.role-header = SHIB-SCOPED-AFFILIATION
authentication-shibboleth.role-header.ignore-scope = true

Ciprian


On 04/08/2020 17:47, Tim Donohue wrote:
Just a guess, but have you filled out the settings in your "authentication-shibboleth.cfg" file? https://github.com/DSpace/DSpace/blob/main/dspace/config/modules/authentication-shibboleth.cfg

DSpace needs to know which authentication header(s) are available in your Shibboleth in order to authenticate. So, usually you'd need to tell DSpace either the "netid-header", "email-header", or fallback to using Tomcat's remote user. See this section:
https://github.com/DSpace/DSpace/blob/main/dspace/config/modules/authentication-shibboleth.cfg#L49-L95

This is the same Shibboleth configuration that DSpace used in DSpace v6, so you can also reference those docs for more info: https://wiki.lyrasis.org/display/DSDOC6x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication

Once DSpace 7 is getting closer to production-ready, we'll have a better guide specific to DSpace 7 obviously.

Tim
------------------------------------------------------------------------
*From:* [email protected] <[email protected]> on behalf of Ciprian Pinzaru <[email protected]>
*Sent:* Tuesday, August 4, 2020 3:38 AM
*To:* DSpace Technical Support <[email protected]>
*Subject:* [dspace-tech] Dspace 7 shibboleth error
Dear community,


Please help me to fix the authentication error with shibboleth and Dspace 7 beta 3.

In the browser I have the message:


  Whitelabel Error Page

This application has no explicit mapping for /error, so you are seeing this as a fallback.

Tue Aug 04 11:09:27 EEST 2020
There was an unexpected error (type=Unauthorized, status=401).
Login failed

in the dspace logs:


2020-08-04 11:17:39,880 DEBUG org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute mail is empty!

2020-08-04 11:17:39,880 ERROR org.dspace.authenticate.ShibAuthentication @ Shibboleth authentication was not able to find a NetId, Email, or Tomcat Remote user for which to indentify a user from.

2020-08-04 11:17:39,881 DEBUG org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute mail is empty!

2020-08-04 11:17:39,881 DEBUG org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute givenName is empty!

2020-08-04 11:17:39,881 DEBUG org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute sn is empty!

2020-08-04 11:17:39,899 ERROR org.dspace.authenticate.ShibAuthentication @ Unable to register new eperson because we are unable to find an email address along with first and last name for the user.

NetId Header: 'null'='null' (Optional)

Email Header: 'mail'='null'

First Name Header: 'givenName'='null'

Last Name Header: 'sn'='null'




But in the shibboleth I have the email:



2020-08-04 11:09:26|Shibboleth-TRANSACTION.Login|*[email protected]*|_37a933a02565057512061ad02ccb9e0e|https://ixxxxxxxxx/idp/shibboleth|_5b973d9e7099c43c1bb1b6e7c3a6470c|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|2020-08-04T10:41:45|*mail*|AAdzZWNyZXQxs+3UzwKOWff08rnbNGeh+Uh53kS61N8OJl+1zy7rkVEaQl9ILTZMGGa+ia7FwPUrRaniiKcC/10X+WBWVkhUGkOf5HNbpwS3nQ2C8B7e5+AXFMH6gpgeI=|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||urn:oasis:names:tc:SAML:2.0:status:Success|||Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0|zzzzz






The Apache configuration is:

UseCanonicalName On

<Location /server/api/authn/shibboleth>
    Require all granted
    AuthType shibboleth
    ShibUseHeaders On
    ShibUseEnvironment On
    Require shibboleth
</Location>

<Location /server/api/authn/login>
    Require all granted
    AuthType shibboleth
    ShibUseHeaders On
    ShibUseEnvironment On
    Require shibboleth
</Location>

<Proxy *>
    AddDefaultCharset Off
    Require all granted
    #Order deny,allow
    #Allow from all
</Proxy>

SSLProxyEngine on

ProxyIOBufferSize 65536
ProxyRequests off
ProxyPreserveHost On
ProxyPass /Shibboleth.sso !

# A specific proxypass configuration for DSpace server (both server and angular on the same machine)
ProxyPass /server ajp://localhost:8009/server
ProxyPassReverse /server ajp://localhost:8009/server

# A specific proxypass configuration for Angular
ProxyPass / http://localhost:4000/
ProxyPassReverse / http://localhost:4000/

--
All messages to this mailing list should adhere to the DuraSpace Code of Conduct: https://duraspace.org/about/policies/code-of-conduct/
---
You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/584046a6-db4c-4dd3-8df1-85d59d17108fo%40googlegroups.com <https://groups.google.com/d/msgid/dspace-tech/584046a6-db4c-4dd3-8df1-85d59d17108fo%40googlegroups.com?utm_medium=email&utm_source=footer>.
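
Added example (not part of the original thread, and not DSpace code): a small Python check that cross-references the authentication-shibboleth.* header settings with the "attribute ... is empty!" DEBUG lines from ShibAuthentication, showing which configured headers never reached DSpace and which identity sources remain. The sample config and log are constructed from the values quoted in the thread; the function names and the unset/empty/ok labels are assumptions made for illustration.

```python
import re

# Constructed sample input: settings and DEBUG lines quoted in this thread.
CFG = """\
authentication-shibboleth.email-header = mail
authentication-shibboleth.email-use-tomcat-remote-user = false
authentication-shibboleth.firstname-header = givenName
authentication-shibboleth.lastname-header = sn
"""
LOG = """\
2020-08-04 11:17:39,880 DEBUG org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute mail is empty!
2020-08-04 11:17:39,881 DEBUG org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute givenName is empty!
2020-08-04 11:17:39,881 DEBUG org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute sn is empty!
"""

PREFIX = "authentication-shibboleth."
EMPTY_RE = re.compile(r"ShibAuthentication - attribute (\S+) is empty!")
HEADER_KEYS = ("netid-header", "email-header", "firstname-header", "lastname-header")

def parse_cfg(text):
    """Return {key-without-prefix: value} for authentication-shibboleth.* lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith(PREFIX):
            cfg[key[len(PREFIX):]] = value
    return cfg

def diagnose(cfg_text, log_text):
    """Label each header setting unset/empty/ok ('ok' = no empty-attribute line seen)."""
    cfg = parse_cfg(cfg_text)
    empty = set(EMPTY_RE.findall(log_text))
    status = {}
    for key in HEADER_KEYS:
        name = cfg.get(key)
        status[key] = "unset" if not name else ("empty" if name in empty else "ok")
    # Identity sources named in the thread: NetId header, email header, Tomcat remote user.
    sources = [k for k in ("netid-header", "email-header") if status[k] == "ok"]
    if cfg.get("email-use-tomcat-remote-user", "false").lower() == "true":
        sources.append("tomcat-remote-user")
    return status, sources

if __name__ == "__main__":
    status, sources = diagnose(CFG, LOG)
    print(status)
    print("identity sources that could still work:", sources or "none")
```

For the thread's input every configured header is reported as empty and no identity source remains, which matches the ERROR line in the DSpace log.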
