On Mon, 10 Jun 2013, Mark H. Wood wrote: > So, from the DSpace installer's POV, the doco. should answer the > question: how do I generate the proper value for this variable? That > does seem to take some reading between the lines. The DSpace source > doesn't really help much here. You have to look at the way that > Shibboleth is plumbed into your web server. > > There seems to be an assumption that Apache HTTPD is used. My best
You will most certainly be using Apache as a front to tomcat/jetty if you are using or relying on the Shibboleth SP. > guess is that the value for lazysession.loginurl can be calculated by > finding something in the HTTPD configuration that looks like: > > <Location /Shibboleth.sso> > SetHandler shib > </Location> > > taking the argument to <Location> and appending "/Login". > > Can someone confirm that this is How To Do It? or supply the correct > procedure? I'd be happy to fix the DSpace documentation once I am > confident that I know what it should say. I've always assumed (yea-yea) that if your running Shib for your login you have some local resources to fall back on, local or back to the shib community. The concept of 'lazy login' comes into play if you have a website that in general does NOT need to be user/pass protected -- ie: searchable by the world etc. But, has some areas that need to have authn/z to function. So we are left with a protection example that looks like this in apache config.. <!-- --> <!-- Lazily protect the entire dspace site --> <!-- --> <Location /> AuthType Shibboleth ShibRequestSetting requireSession 0 Require shibboleth </Location> Your entry in to the dspace config would be that of the SP login initiator.. which by default is http(s)://<site>/Shibboleth.sso/Login This tells the shib-sp to kick off a login event which, directs to IdP or discovery page.. So, I'm purely guessing here that, in dspace 3 you are calling the initiator directly, hence the config entry, to get the login started rather than relying on an Apache <Location> block specific to where the shibboleth login code will be waiting. --- Contrast the older model.. In 1.7 era (which I'm still using) you protect a Dspace location "/shibboleth-login" which gets the login rolling and is able to parse out the return data from the headers. example of 1.7 ish <Location /shibboleth-login> AuthType shibboleth ShibRequestSetting requireSession 1 ShibUseHeaders On Require affiliation "member" </Location> ------ thanks kevin.foote ------------------------------------------------------------------------------ This SF.net email is sponsored by Windows: Build for Windows Store. http://p.sf.net/sfu/windows-dev2dev _______________________________________________ DSpace-tech mailing list DSpace-tech@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/dspace-tech List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
