Hello Matti,

thank you very much!

This has at least resulted in the 403 becoming a 401 and DSpace noticing 
something about the login attempt, which I consider positive progress.

However, DSpace now complains in the logs that it cannot find the required 
attributes:

2023-06-29 11:58:35,693 ERROR unknown unknown org.dspace.authenticate.ShibAuthentication @ Shibboleth authentication was not able to find a NetId, Email, or Tomcat Remote user for which to indentify a user from.
2023-06-29 11:58:35,707 ERROR unknown unknown org.dspace.authenticate.ShibAuthentication @ Unable to register new eperson because we are unable to find an email address along with first and last name for the user.
  NetId Header: 'SHIB-NETID'='null' (Optional)
  Email Header: 'SHIB-MAIL'='null'
  First Name Header: 'SHIB-GIVENNAME'='null'
  Last Name Header: 'SHIB-SURNAME'='null'
2023-06-29 11:58:35,709 INFO  unknown unknown org.dspace.app.rest.security.EPersonRestAuthenticationProvider @ anonymous::failed_login:email=null, result=4
2023-06-29 11:58:35,719 ERROR unknown unknown org.dspace.app.rest.security.StatelessLoginFilter @ Authentication failed (status:401)
org.springframework.security.authentication.BadCredentialsException: Login failed

So I guess I need to modify the attribute-map.xml accordingly to match the 
expected attributes under 
[dspace]/config/modules/authentication-shibboleth.cfg. 

The documentation at 
https://wiki.lyrasis.org/display/DSDOC7x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication
 
provides a template for attribute-map with the attributes that seem to 
match at first glance. 

But unfortunately that alone does not change anything for us. Do you 
possibly know more about this?

Thanks again and best regards
Matthias
Matti Yrjölä wrote on Wednesday, 28 June 2023 at 18:03:53 UTC+2:

> Hi,
>
> Do you have the attribute attributePrefix="AJP_" set in your 
> ApplicationDefaults (in shibboleth2.xml)?
> I think we had a similar problem with that setting as we are using that with 
> older DSpace. 
> Removing the AJP_ prefix and also adding "ShibUseHeaders On" in 
> <Location "/server/api/authn/shibboleth"> and <Location 
> "/server/api/authn/login"> solved this issue.
>
> There was some discussion in:
> https://github.com/DSpace/DSpace/pull/2651#issuecomment-604902452 
> and
> DSpace 7 Shibboleth Configuration - DSpace - LYRASIS Wiki 
> <https://wiki.lyrasis.org/display/DSPACE/DSpace+7+Shibboleth+Configuration> 
> " The AJP proxy only works (Ben Bosman 
> <https://wiki.lyrasis.org/display/~benbosman>) if shibboleth2.xml 
> *doesn't* contain the attribute *attributePrefix="AJP_"* in 
> the ApplicationDefaults. "
>
> Best regards,
> Matti
>
> On Tuesday, June 27, 2023 at 4:33:20 PM UTC+3 Matthias Letsch wrote:
>
>> Hello,
>>
>> for some reason we won't get Shibboleth working.
>>
>> We have a test IdP and test credentials to log in, but something is still 
>> not working. Our colleague from the IDP side says that the communication 
>> between the Shib Daemon on our Server and the Shibboleth IdP is working and 
>> therefore the tasks from his side are finished for now. But he suspects 
>> that DSpace is not communicating properly with shibd and that we have to 
>> change some configurations.
>>
>> As of now I am able to get to the Shibboleth login page and to log in with 
>> the test credentials and to accept the metadata usage, but then there is an 
>> HTTP Status 403 report:
>>
>> HTTP Status 403 – Forbidden
>> ------------------------------
>>
>> *Type* Status Report
>>
>> *Description* The server understood the request but refuses to authorize 
>> it.
>> ------------------------------
>> Apache Tomcat/9.0.31 (Debian)
>>
>> Has anyone had this problem and knows how to solve it?
>>
>> Thank you and kind regards
>> Matthias
>>
>
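
Added example, not part of the original thread and not DSpace or Shibboleth project code: a Python check for the two SP settings discussed above, the attributePrefix on ApplicationDefaults and whether attribute-map.xml exports an attribute id for each header DSpace logged as 'null'. The function names and the sample XML are constructed for illustration, and it assumes the SP exports each attribute under its id (or alias) as the header name.

```python
import xml.etree.ElementTree as ET

# Header names DSpace reported as 'null' in the log quoted in this thread.
EXPECTED_HEADERS = ("SHIB-NETID", "SHIB-MAIL", "SHIB-GIVENNAME", "SHIB-SURNAME")

# Constructed sample files (not the poster's real configuration).
SAMPLE_SHIBBOLETH2 = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth" attributePrefix="AJP_"/>
</SPConfig>"""
SAMPLE_ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="SHIB-MAIL"/>
  <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
  <Attribute name="urn:oid:2.5.4.4" id="SHIB-SURNAME"/>
</Attributes>"""

def local(tag):
    """Element name without its XML namespace, so the schema version does not matter."""
    return tag.rsplit("}", 1)[-1]

def check_sp_config(shibboleth2_xml, attribute_map_xml, expected=EXPECTED_HEADERS):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    for el in ET.fromstring(shibboleth2_xml).iter():
        prefix = el.get("attributePrefix")
        if local(el.tag) == "ApplicationDefaults" and prefix:
            findings.append("ApplicationDefaults sets attributePrefix=%r "
                            "(the reply in this thread removed it)" % prefix)
    # HTTP header names are case-insensitive, so compare in upper case.
    exported = set()
    for el in ET.fromstring(attribute_map_xml).iter():
        if local(el.tag) == "Attribute":
            exported.add((el.get("id") or "").upper())
            exported.update(el.get("aliases", "").upper().split())
    for header in expected:
        if header.upper() not in exported:
            findings.append("attribute-map.xml exports no attribute as %r" % header)
    return findings

if __name__ == "__main__":
    for finding in check_sp_config(SAMPLE_SHIBBOLETH2, SAMPLE_ATTRIBUTE_MAP):
        print(finding)
```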
