To anyone following along, Ben Ryan's description below is spot-on. It would be worth copying part of his message into the documentation. If I feel sufficiently full of pique, I might do so myself, though my day is pretty full of distractions already... I won't be offended if someone beats me to it.
-- HARDY POTTINGER <pottinge...@umsystem.edu> University of Missouri Library Systems http://lso.umsystem.edu/~pottingerhj/ https://MOspace.umsystem.edu/ "I am always doing that which I cannot do, in order that I may learn how to do it." --Pablo Picasso On 6/10/13 9:57 AM, "Benjamin Ryan" <benjamin.r...@manchester.ac.uk> wrote: >Richard, > The lazysession.loginurl refers to the Shibboleth request initiator >endpoint that is configured for the Shibboleth Service Provider (ShibSP) >that you are using. > > This configuration is done by the administrators of the "federation" >that you belong to >(http://iamsect.ncl.ac.uk/deliverables/docs/federations/). > > The lazysession.loginurl is appended to the domain name the machine that >your Dspace instance is running on e.g. >https://content.resourceshare.ac.uk/Shibboleth.sso/Login. > > If you access this URL the browser will be re-directed to the >"Discovery" service (another end point that has to be configured for your >ShibSP) that allows the user to choose the institution at which they want >to authenticate. In my case I choose The University of Manchester as that >is where I have an account and the Shibboleth Identity Provider (ShibIDP) >will provide information to the ShibSP that is then passed through the >web server to the application server where it is available for DSpace to >process. > > As Shibboleth is designed to able to be used to protect many different >types of web services without affecting those services Dspace only has >the need to know where the browser should be re-directed to so that a >Shibboleth session can be established e.g. the lazysession.loginurl and >the mapping from the Authentication headers passed through to Dspace to >the Dspace specific parameters that are used to determine whether a user >can be authenticated e.g. > ># Authentication headers for Mail, NetID, and Tomcat's Remote User. ># Supply all parameters possible. >netid-header = net-id >email-header = SHIB-MAIL >email-use-tomcat-remote-user = false > >The authenticate headers are defined in the Shibboleth configuration >(attribute-map.xml) and take the form: > ><Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" >id="net-id"> > <AttributeDecoder xsi:type="NameIDAttributeDecoder" >formatter="$NameQualifier!$SPNameQualifier!$Name" >defaultQualifiers="true"/> ></Attribute> > >The value of the id attribute is up to you but must match the one in the >Dspace Shibboleth configuration file. > >To get Dspace to work with Shibboleth is straight forward if you have >access to the relevant information about how the ShibSP you intend to use >is configured. It is out of scope for the Dspace documentation to contain >detailed information on the setup and configuration of the Shibboleth >system as this is a very complex area (I know, I have had to do all the >configuration of both Dspace and Shibboleth). > >Regards, > Ben > >------------------------------------------------------------------ >Dr Ben Ryan >Jorum Technical Manager > >5.12 Roscoe Building >The University of Manchester >Oxford Road >Manchester >M13 9PL >Tel: 0160 275 6039 >E-mail: benjamin.r...@manchester.ac.uk >------------------------------------------------------------------ > > >-----Original Message----- >From: Richard Sims [mailto:r...@bu.edu] >Sent: 10 June 2013 14:57 >To: DSpace Tech >Subject: Re: [Dspace-tech] lazysession.loginurl? > >Thanks for your quick response... > >On Jun 10, 2013, at 9:28 AM, helix84 <heli...@centrum.sk> > wrote: > >> On Mon, Jun 10, 2013 at 2:57 PM, Richard Sims <r...@bu.edu> wrote: >>> Shibboleth configuration has greatly changed since DSpace 1.7. In 3.x >>>there is configuration File >>>[dspace]/config/modules/authentication-shibboleth.cfg. In it, there is >>>a lazysession.loginurl parameter. Unfortunately, there is no useful >>>documentation on the parameter so as to provide any perspective or >>>guidance on what value to provide, saying only that it is "The url to >>>start a shibboleth session". And no customer examples can be found on >>>the Web. >> >> Hi Richard, >> >> in fact, there were no code changes to the Shibboleth module between >> DSpace 1.8.2 and 3.0, which you can verify using: >> git diff dspace-1.8.2 dspace-3.0 -- >> dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.ja >> va > >As I indicated, I have been attempting to bring our 1.7 implementation up >to a 3.1 level. Across that void there have been substantial changes. > >> >> There is also documentation about lazy sessions and it includes the >> authentication.shib.lazysession.loginurl parameter: >> https://wiki.duraspace.org/display/DSDOC3x/Authentication+Plugins#Auth >> enticationPlugins-ConfiguringShibbolethAuthentication(DSpace1.8.1) > >That is the documentation I was referencing. It is useless as to this >parameter. And its only example is: > lazysession.loginurl = /Shibboleth.sso/Login where it is obviously the >case that the value is not a URL (no protocol spec up front). The example >only obfuscates things further. >Attempting to use the file as-is results in the Web browser getting: > HTTP Status 404 - /Shibboleth.sso/Login Changing the parameter value >and restarting HTTPD and Tomcat make no difference: the error content is >exactly the same. > >> If you need to find out the exact mechanism how it works in DSpace, >> you can look at the source (the auth modules are very self-contained): >> https://github.com/DSpace/DSpace/blob/dspace-3.1/dspace-api/src/main/j >> ava/org/dspace/authenticate/ShibAuthentication.java#L476 > >Please don't expect DSpace adopters to be Java programmers. It's bad >enough that mortals have to delve into trees of XML files to make >intricate changes. >There needs to be straight-up, useful documentation of DSpace parameters. >No one should have to spend hours trying to divine what cryptic >parameters are all about. And I say this as someone who has been doing >systems work and documentation for 30 years. >Frankly, I'm appalled at how primitive DSpace is, and what people have to >go through to tailor it. This is not 21st century stuff - it's more like >what we went through in the 1980s to configure systems. DSpace is giving >open source software a bad reputation in having gross deficiencies like >this. > >> >> There is some more documentation about lazy sessions here: >> https://wiki.shibboleth.net/confluence/display/SHIB/LazySession >> https://aai-demo.switch.ch/lazy/ > >Again, this is not explaining the DSpace parameter, and is not a >substitute for DSpace documentation imparting understanding as it is >supposed to. > >If someone on the mailing list understands this parameter, I would >appreciate receiving some perspective on it. > >> >> >> Regards, >> ~~helix84 >> >> Compulsory reading: DSpace Mailing List Etiquette >> https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette > >Richard Sims >Sr. Systems Engineer, Information Services & Technology Boston University >T (617)353-8249 r...@bu.edu http://www.bu.edu/tech > > >-------------------------------------------------------------------------- >---- >How ServiceNow helps IT people transform IT departments: >1. A cloud service to automate IT design, transition and operations 2. >Dashboards that offer high-level views of enterprise services 3. A single >system of record for all IT processes http://p.sf.net/sfu/servicenow-d2d-j >_______________________________________________ >DSpace-tech mailing list >DSpace-tech@lists.sourceforge.net >https://lists.sourceforge.net/lists/listinfo/dspace-tech >List Etiquette: >https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette > >-------------------------------------------------------------------------- >---- >How ServiceNow helps IT people transform IT departments: >1. A cloud service to automate IT design, transition and operations >2. Dashboards that offer high-level views of enterprise services >3. A single system of record for all IT processes >http://p.sf.net/sfu/servicenow-d2d-j >_______________________________________________ >DSpace-tech mailing list >DSpace-tech@lists.sourceforge.net >https://lists.sourceforge.net/lists/listinfo/dspace-tech >List Etiquette: >https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette ------------------------------------------------------------------------------ This SF.net email is sponsored by Windows: Build for Windows Store. http://p.sf.net/sfu/windows-dev2dev _______________________________________________ DSpace-tech mailing list DSpace-tech@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/dspace-tech List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette