Richard,
        The lazysession.loginurl refers to the Shibboleth request initiator 
endpoint that is configured for the Shibboleth Service Provider (ShibSP) that 
you are using.

        This configuration is done by the administrators of the "federation" 
that you belong to (http://iamsect.ncl.ac.uk/deliverables/docs/federations/).

        The lazysession.loginurl is appended to the domain name of the
machine that your DSpace instance is running on, e.g.
https://content.resourceshare.ac.uk/Shibboleth.sso/Login.

        If you access this URL the browser will be re-directed to the 
"Discovery" service (another end point that has to be configured for your 
ShibSP) that allows the user to choose the institution at which they want to 
authenticate. In my case I choose The University of Manchester as that is where 
I have an account and the Shibboleth Identity Provider (ShibIDP) will provide 
information to the ShibSP that is then passed through the web server to the 
application server where it is available for DSpace to process.

        As Shibboleth is designed to be able to be used to protect many
different types of web services without affecting those services, DSpace only
has the need to know where the browser should be re-directed to so that a
Shibboleth session can be established, e.g. the lazysession.loginurl, and the
mapping from the Authentication headers passed through to DSpace to the DSpace
specific parameters that are used to determine whether a user can be
authenticated, e.g.

# Authentication headers for Mail, NetID, and Tomcat's Remote User.
# Supply all parameters possible.
netid-header = net-id
email-header = SHIB-MAIL
email-use-tomcat-remote-user = false

The authentication headers are defined in the Shibboleth configuration
(attribute-map.xml) and take the form:

<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="net-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
</Attribute>

The value of the id attribute is up to you but must match the one in the DSpace
Shibboleth configuration file.

To get DSpace to work with Shibboleth is straightforward if you have access to
the relevant information about how the ShibSP you intend to use is configured.
It is out of scope for the DSpace documentation to contain detailed information
on the setup and configuration of the Shibboleth system as this is a very
complex area (I know, I have had to do all the configuration of both DSpace and
Shibboleth).

Regards,
        Ben

------------------------------------------------------------------
Dr Ben Ryan
Jorum Technical Manager

5.12 Roscoe Building
The University of Manchester
Oxford Road
Manchester
M13 9PL
Tel: 0160 275 6039
E-mail: benjamin.r...@manchester.ac.uk
------------------------------------------------------------------


-----Original Message-----
From: Richard Sims [mailto:r...@bu.edu] 
Sent: 10 June 2013 14:57
To: DSpace Tech
Subject: Re: [Dspace-tech] lazysession.loginurl?

Thanks for your quick response...

On Jun 10, 2013, at 9:28 AM, helix84 <heli...@centrum.sk> wrote:

> On Mon, Jun 10, 2013 at 2:57 PM, Richard Sims <r...@bu.edu> wrote:
>> Shibboleth configuration has greatly changed since DSpace 1.7. In 3.x there 
>> is configuration File [dspace]/config/modules/authentication-shibboleth.cfg. 
>> In it, there is a lazysession.loginurl parameter. Unfortunately, there is no 
>> useful documentation on the parameter so as to provide any perspective or 
>> guidance on what value to provide, saying only that it is "The url to start 
>> a shibboleth session". And no customer examples can be found on the Web.
> 
> Hi Richard,
> 
> in fact, there were no code changes to the Shibboleth module between 
> DSpace 1.8.2 and 3.0, which you can verify using:
> git diff dspace-1.8.2 dspace-3.0 -- dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java

As I indicated, I have been attempting to bring our 1.7 implementation up to a 
3.1 level. Across that void there have been substantial changes.

> 
> There is also documentation about lazy sessions and it includes the 
> authentication.shib.lazysession.loginurl parameter:
> https://wiki.duraspace.org/display/DSDOC3x/Authentication+Plugins#AuthenticationPlugins-ConfiguringShibbolethAuthentication(DSpace1.8.1)

That is the documentation I was referencing. It is useless as to this 
parameter. And its only example is:
   lazysession.loginurl = /Shibboleth.sso/Login
where it is obviously the case that the value is not a URL (no protocol spec 
up front). The example only obfuscates things further.
Attempting to use the file as-is results in the Web browser getting:
   HTTP Status 404 - /Shibboleth.sso/Login
Changing the parameter value and restarting HTTPD and Tomcat make no 
difference: the error content is exactly the same.

> If you need to find out the exact mechanism how it works in DSpace, 
> you can look at the source (the auth modules are very self-contained):
> https://github.com/DSpace/DSpace/blob/dspace-3.1/dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java#L476

Please don't expect DSpace adopters to be Java programmers. It's bad enough 
that mortals have to delve into trees of XML files to make intricate changes.
There needs to be straight-up, useful documentation of DSpace parameters. No 
one should have to spend hours trying to divine what cryptic parameters are all 
about. And I say this as someone who has been doing systems work and 
documentation for 30 years.
Frankly, I'm appalled at how primitive DSpace is, and what people have to go 
through to tailor it. This is not 21st century stuff - it's more like what we 
went through in the 1980s to configure systems. DSpace is giving open source 
software a bad reputation in having gross deficiencies like this.

> 
> There is some more documentation about lazy sessions here:
> https://wiki.shibboleth.net/confluence/display/SHIB/LazySession
> https://aai-demo.switch.ch/lazy/

Again, this is not explaining the DSpace parameter, and is not a substitute for 
DSpace documentation imparting understanding as it is supposed to.

If someone on the mailing list understands this parameter, I would appreciate 
receiving some perspective on it.

> 
> 
> Regards,
> ~~helix84
> 
> Compulsory reading: DSpace Mailing List Etiquette 
> https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette

Richard Sims
Sr. Systems Engineer, Information Services & Technology
Boston University
T (617)353-8249
r...@bu.edu
http://www.bu.edu/tech


------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations 2. 
Dashboards that offer high-level views of enterprise services 3. A single 
system of record for all IT processes http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
