Hi,

Do you have the attribute attributePrefix="AJP_" set in your 
ApplicationDefaults (in shibboleth2.xml)?
I think we had a similar problem with that setting as we are using that with 
older DSpace. 
Removing the AJP_ prefix and also adding "ShibUseHeaders On" in 
<Location "/server/api/authn/shibboleth"> and 
<Location "/server/api/authn/login"> solved this issue.

There was some discussion in:
https://github.com/DSpace/DSpace/pull/2651#issuecomment-604902452 
and
DSpace 7 Shibboleth Configuration - DSpace - LYRASIS Wiki 
<https://wiki.lyrasis.org/display/DSPACE/DSpace+7+Shibboleth+Configuration> 
"The AJP proxy only works (Ben Bosman 
<https://wiki.lyrasis.org/display/~benbosman>) if shibboleth2.xml *doesn't* 
contain the attribute *attributePrefix="AJP_"* in the ApplicationDefaults."

Best regards,
Matti

On Tuesday, June 27, 2023 at 4:33:20 PM UTC+3 Matthias Letsch wrote:

> Hello,
>
> for some reason we won't get Shibboleth working.
>
> We have a test IdP and test credentials to log in, but something is still 
> not working. Our colleague from the IDP side says that the communication 
> between the Shib Daemon on our Server and the Shibboleth IdP is working and 
> therefore the tasks from his side are finished for now. But he suspects 
> that DSpace is not communicating properly with shibd and that we have to 
> change some configurations.
>
> As of now I am able to get to the Shibboleth login page and to log in with 
> the test credentials and to accept the metadata usage, but then there is an 
> HTTP Status 403 report:
>
> HTTP Status 403 – Forbidden
> ------------------------------
>
> *Type* Status Report
>
> *Description* The server understood the request but refuses to authorize 
> it.
> ------------------------------
> Apache Tomcat/9.0.31 (Debian)
>
> Has anyone had this problem and knows how to solve it?
>
> Thank you and kind regards
> Matthias
>
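
The two settings named in the reply above can be checked with a short script. This is an added example, not part of either message or of DSpace; the sample configuration text is constructed and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from the thread's servers).
SHIB_XML_BAD = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                       attributePrefix="AJP_"/>
</SPConfig>"""
SHIB_XML_OK = SHIB_XML_BAD.replace('attributePrefix="AJP_"', "")
APACHE_CONF = """
<Location "/server/api/authn/shibboleth">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibUseHeaders On
    Require shib-session
</Location>
<Location "/server/api/authn/login">
    AuthType shibboleth
    Require shibboleth
</Location>
"""
# The two endpoints named in the reply.
REQUIRED_LOCATIONS = ("/server/api/authn/shibboleth", "/server/api/authn/login")

def attribute_prefix(shib_xml):
    """Return ApplicationDefaults' attributePrefix, or None if it is unset."""
    for el in ET.fromstring(shib_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "ApplicationDefaults":  # ignore namespace
            return el.get("attributePrefix")
    raise ValueError("no ApplicationDefaults element found")

def locations_missing_headers(apache_conf):
    """Return the required Location paths that lack an active 'ShibUseHeaders On'."""
    blocks = dict(re.findall(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>',
                             apache_conf, re.S | re.I))
    enabled = re.compile(r"^\s*ShibUseHeaders\s+On\s*$", re.I | re.M)  # skips '#' lines
    return [p for p in REQUIRED_LOCATIONS if not enabled.search(blocks.get(p, ""))]

def check(shib_xml, apache_conf):
    """Collect findings for both settings; an empty list means both match the reply."""
    findings = []
    prefix = attribute_prefix(shib_xml)
    if prefix:
        findings.append(f'ApplicationDefaults sets attributePrefix="{prefix}"')
    findings += [f'<Location "{p}"> lacks ShibUseHeaders On'
                 for p in locations_missing_headers(apache_conf)]
    return findings

if __name__ == "__main__":
    print("\n".join(check(SHIB_XML_BAD, APACHE_CONF)))
```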
