Hi together, 

I solved it. I still had to adjust the 
apache2/sites-enabled/default-ssl.conf exactly according to the template on 
the documentation: 
https://wiki.lyrasis.org/display/DSDOC7x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication

Now it works.

Matthias Letsch wrote on Friday, June 30, 2023 at 10:11:28 UTC+2:

> Thank you for your reply.
>
> I have the OIDs delivered by the IDP which are the following:
>
> urn:oid:1.3.6.1.4.1.5923.1.1.1.6 
> urn:oid:2.5.4.42 
> urn:oid:2.5.4.4 
> urn:oid:0.9.2342.19200300.100.1.3 
> urn:oid:2.16.840.1.113730.3.1.241 
>
> So this is what I put into attribute-map.xml: 
>
> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="SHIB-NETID"/>
> <Attribute name="urn:oid:2.5.4.42" id="SHIB-GIVENNAME"/>
> <Attribute name="urn:oid:2.5.4.4" id="SHIB-SURNAME"/>
> <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="SHIB-MAIL"/>
> <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
>
> And this is on the other side in 
> [dspace-backend]/config/modules/authentication-shibboleth.cfg:
>
> authentication-shibboleth.netid-header = SHIB-NETID
> authentication-shibboleth.email-header = SHIB-MAIL
> (...)
> authentication-shibboleth.firstname-header = SHIB-GIVENNAME
> authentication-shibboleth.lastname-header = SHIB-SURNAME
>
> If I have the attributePrefix="_AJP" in shibboleth2.xml, nothing at all 
> arrives at DSpace from the login attempt. (403)
> If I delete it, at least there is a 401 "authentication failed" and 
> dspace.log throws the error mentioned above.
>
> I added 'allowedRequestAttributesPattern='SHIB-.*' to the AJP connector in 
> tomcat9/conf/server.xml
>
> The inherited result is still the same. To make matters worse, now this 
> morning after these minimal changes in the Shib XML files and in 
> server.xml, for some reason the following came up when I tried to reload 
> the page: 
>
> Service Unavailable
>
> The server is temporarily unable to service your request due to 
> maintenance downtime or capacity problems. Please try again later.
>
> Apache/2.4.38 (Debian) Server at ... Port 443
>
> After resetting to the state before these changes the service runs 
> normally again (still without Shibboleth of course). Is it possible that it 
> is somehow due to the module? I don't know exactly, because our DSpace was 
> originally installed by an external company, but I guess that at the moment 
> only mod_proxy is used for the communication between Apache and Tomcat.
>
> Kind regards,
> Matthias
> Mark H. Wood wrote on Thursday, June 29, 2023 at 15:57:26 UTC+2:
>
>> On Thu, Jun 29, 2023 at 03:10:32AM -0700, Matthias Letsch wrote:
>> > This has at least resulted in the 403 becoming a 401 and DSpace noticing
>> > something about the login attempt, which I consider positive progress.
>> >
>> > However, DSpace now complains in the logs that it cannot find the required
>> > attributes:
>> >
>> > 2023-06-29 11:58:35,693 ERROR unknown unknown org.dspace.authenticate.ShibAuthentication @ Shibboleth authentication was not able to find a NetId, Email, or Tomcat Remote user for which to indentify a user from.
>> > 2023-06-29 11:58:35,707 ERROR unknown unknown org.dspace.authenticate.ShibAuthentication @ Unable to register new eperson because we are unable to find an email address along with first and last name for the user.
>> > NetId Header: 'SHIB-NETID'='null' (Optional)
>> > Email Header: 'SHIB-MAIL'='null'
>> > First Name Header: 'SHIB-GIVENNAME'='null'
>> > Last Name Header: 'SHIB-SURNAME'='null'
>> > 2023-06-29 11:58:35,709 INFO unknown unknown org.dspace.app.rest.security.EPersonRestAuthenticationProvider @ anonymous::failed_login:email=null, result=4
>> > 2023-06-29 11:58:35,719 ERROR unknown unknown org.dspace.app.rest.security.StatelessLoginFilter @ Authentication failed (status:401)
>> > org.springframework.security.authentication.BadCredentialsException: Login failed
>> >
>> > So I guess I need to modify the attribute-map.xml accordingly to match the
>> > expected attributes under [dspace]/config/modules/authentication-shibboleth.cfg.
>> >
>> > The documentation at
>> > https://wiki.lyrasis.org/display/DSDOC7x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication
>> > provides a template for attribute-map with the attributes that seem to
>> > match at first glance.
>> >
>> > But unfortunately that alone does not change anything for us. Do you
>> > possibly know more about this?
>>
>> You need to know the OIDs used by your Shibboleth IDP to label the 
>> attributes that you want. These may vary from site to site. 
>> attribute-map.xml maps them to names SHIB-NETID and the rest. If you 
>> don't give the right OIDs, nothing will be mapped into the request. 
>>
>> You also need to know (or set) the request attributes that DSpace 
>> expects. That's the other side of the mapping. 
>>
>> Here we are using attributePrefix='AJP_' and it works. We do not set 
>> ShibUseHeaders. Tomcat will strip the prefix and pass the attributes 
>> through in the Request. But Tomcat must be configured to accept more 
>> than the default set of attributes: the AJP connector must have 
>> 'allowedRequestAttributesPattern='SHIB-.*' to let them through. 
>>
>> -- 
>> Mark H. Wood 
>> Lead Technology Analyst 
>>
>> University Library 
>> Indiana University - Purdue University Indianapolis 
>> 755 W. Michigan Street 
>> Indianapolis, IN 46202 
>> 317-274-0749 
>> www.ulib.iupui.edu 
>>
>
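A consistency check for the three files this thread juggles, added here as example code (it is not part of DSpace, Shibboleth SP or Tomcat): it parses attribute-map.xml, the *-header keys in authentication-shibboleth.cfg and the AJP connector in server.xml, and reports any id that DSpace expects but the SP never exports, or that the connector's allowedRequestAttributesPattern would not let through. The sample inputs are constructed from the values quoted above; the check assumes the Tomcat AJP connector matches the whole attribute name against the pattern and answers 403 when one name does not match.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the thread (not the poster's real files).
ATTRIBUTE_MAP_XML = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="SHIB-NETID"/>
  <Attribute name="urn:oid:2.5.4.42" id="SHIB-GIVENNAME"/>
  <Attribute name="urn:oid:2.5.4.4" id="SHIB-SURNAME"/>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="SHIB-MAIL"/>
  <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
</Attributes>"""
SHIB_CFG = """authentication-shibboleth.netid-header = SHIB-NETID
authentication-shibboleth.email-header = SHIB-MAIL
authentication-shibboleth.firstname-header = SHIB-GIVENNAME
authentication-shibboleth.lastname-header = SHIB-SURNAME"""
SERVER_XML = """<Server><Service name="Catalina"><Connector protocol="AJP/1.3"
  port="8009" allowedRequestAttributesPattern="SHIB-.*"/></Service></Server>"""

def mapped_ids(attribute_map_xml):
    # Attribute ids the SP exports; namespace-agnostic so a stock file parses too.
    root = ET.fromstring(attribute_map_xml)
    return {el.get("id") for el in root.iter() if el.tag.split("}")[-1] == "Attribute"}

def expected_headers(cfg_text):
    # The *-header keys DSpace reads from authentication-shibboleth.cfg.
    pairs = (line.split("=", 1) for line in cfg_text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs
            if k.strip().startswith("authentication-shibboleth.") and k.strip().endswith("-header")}

def ajp_patterns(server_xml):
    # allowedRequestAttributesPattern of every AJP connector ("" if it is unset).
    return [c.get("allowedRequestAttributesPattern", "")
            for c in ET.fromstring(server_xml).iter("Connector")
            if c.get("protocol", "").startswith("AJP")]

def check(attribute_map_xml, cfg_text, server_xml):
    # Returns the mismatches between the three files; an empty list means they agree.
    ids, problems = mapped_ids(attribute_map_xml), []
    for key, header in expected_headers(cfg_text).items():
        if header not in ids:
            problems.append(f"{key} = {header}: no Attribute with that id in attribute-map.xml")
    for pattern in ajp_patterns(server_xml):
        # Assumption: Tomcat matches the whole name, and one attribute that fails
        # the pattern is enough for the connector to refuse the request with 403.
        for attr_id in sorted(ids):
            if not re.fullmatch(pattern, attr_id):
                problems.append(f"id {attr_id} fails allowedRequestAttributesPattern={pattern!r}")
    return problems
```

On the constructed input the only finding is the displayName id, which SHIB-.* does not match; renaming it to a SHIB- prefixed id, or widening the pattern, clears the report.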
