On Thu, Jun 29, 2023 at 03:10:32AM -0700, Matthias Letsch wrote:
> This has at least resulted in the 403 becoming a 401 and DSpace noticing
> something about the login attempt, which I consider positive progress.
>
> However, DSpace now complains in the logs that it cannot find the required
> attributes:
>
> 2023-06-29 11:58:35,693 ERROR unknown unknown
> org.dspace.authenticate.ShibAuthentication @ Shibboleth authentication was
> not able to find a NetId, Email, or Tomcat Remote user for which to
> indentify a user from.
> 2023-06-29 11:58:35,707 ERROR unknown unknown
> org.dspace.authenticate.ShibAuthentication @ Unable to register new eperson
> because we are unable to find an email address along with first and last
> name for the user.
>   NetId Header: 'SHIB-NETID'='null' (Optional)
>   Email Header: 'SHIB-MAIL'='null'
>   First Name Header: 'SHIB-GIVENNAME'='null'
>   Last Name Header: 'SHIB-SURNAME'='null'
> 2023-06-29 11:58:35,709 INFO  unknown unknown
> org.dspace.app.rest.security.EPersonRestAuthenticationProvider @
> anonymous::failed_login:email=null, result=4
> 2023-06-29 11:58:35,719 ERROR unknown unknown
> org.dspace.app.rest.security.StatelessLoginFilter @ Authentication failed
> (status:401)
> org.springframework.security.authentication.BadCredentialsException: Login
> failed
>
> So I guess I need to modify the attribute-map.xml accordingly to match the
> expected attributes under
> [dspace]/config/modules/authentication-shibboleth.cfg.
>
> The documentation at
> https://wiki.lyrasis.org/display/DSDOC7x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication
>
> provides a template for attribute-map with the attributes that seem to
> match at first glance.
>
> But unfortunately that alone does not change anything for us. Do you
> possibly know more about this?

You need to know the OIDs used by your Shibboleth IDP to label the
attributes that you want. These may vary from site to site.
attribute-map.xml maps them to names SHIB-NETID and the rest. If you
don't give the right OIDs, nothing will be mapped into the request.

You also need to know (or set) the request attributes that DSpace
expects. That's the other side of the mapping.

Here we are using attributePrefix='AJP_' and it works. We do not set
ShibUseHeaders. Tomcat will strip the prefix and pass the attributes
through in the Request. But Tomcat must be configured to accept more
than the default set of attributes: the AJP connector must have
allowedRequestAttributesPattern='SHIB-.*' to let them through.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
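
The two conditions described in the reply (every attribute name DSpace expects has an entry in attribute-map.xml, and the Tomcat AJP connector's allowedRequestAttributesPattern lets that name through) can be checked offline. The script below is an added example, not part of the original messages or of DSpace. Its assumptions: the XML samples are constructed, the OIDs are the commonly used ones for mail, givenName and sn and may differ at your IdP, and Python's `re` stands in for Tomcat's Java regex, which is adequate for simple patterns like this one.

```python
import re
import xml.etree.ElementTree as ET

# Names DSpace reported as 'null' in the log quoted above.
EXPECTED = ["SHIB-NETID", "SHIB-MAIL", "SHIB-GIVENNAME", "SHIB-SURNAME"]

# Constructed sample attribute-map.xml. The OIDs are the common LDAP ones;
# as the reply says, your IdP may label the attributes differently.
ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="SHIB-MAIL"/>
  <Attribute name="urn:oid:2.5.4.42" id="SHIB-GIVENNAME"/>
  <Attribute name="urn:oid:2.5.4.4" id="SHIB-SURNAME"/>
</Attributes>"""

# Constructed sample fragment of Tomcat's server.xml.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector protocol="AJP/1.3" port="8009"
             allowedRequestAttributesPattern="SHIB-.*"/>
</Service></Server>"""

def mapped_ids(attribute_map_xml):
    """Return {id: [source attribute names]} from an attribute-map.xml."""
    ids = {}
    for el in ET.fromstring(attribute_map_xml).iter():
        # Strip the XML namespace before comparing the tag name.
        if el.tag.rsplit("}", 1)[-1] == "Attribute" and el.get("id"):
            ids.setdefault(el.get("id"), []).append(el.get("name"))
    return ids

def ajp_patterns(server_xml):
    """Return the pattern of each AJP connector (None where it is unset)."""
    return [c.get("allowedRequestAttributesPattern")
            for c in ET.fromstring(server_xml).iter("Connector")
            if "AJP" in (c.get("protocol") or "").upper()]

def check(attribute_map_xml, server_xml, expected=EXPECTED):
    """Report expected names that are unmapped or blocked by the connector."""
    ids = mapped_ids(attribute_map_xml)
    patterns = ajp_patterns(server_xml)
    unmapped = [n for n in expected if n not in ids]
    # The whole attribute name has to match the connector's pattern.
    blocked = [n for n in expected if n in ids and not any(
        p and re.fullmatch(p, n) for p in patterns)]
    return {"unmapped": unmapped, "blocked": blocked}

if __name__ == "__main__":
    print(check(ATTRIBUTE_MAP, SERVER_XML))
```

With the constructed samples, only SHIB-NETID is reported as unmapped, which the DSpace log marks as optional.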