Re: [Dspace-tech] lazysession.loginurl?

2013-06-11 Thread Mark H. Wood
On Mon, Jun 10, 2013 at 06:39:54PM +, Pottinger, Hardy J. wrote:
> To anyone following along, Ben Ryan's description below is spot-on. It
> would be worth copying part of his message into the documentation. If I
> feel sufficiently full of pique, I might do so myself, though my day is
> pretty full of distractions already... I won't be offended if someone
> beats me to it.

OK, I may be dense this week, but I'm still uncertain.  This is a good
explanation of how Shibboleth lazy login works, but I still don't see
the one thing that a DSpace installer wants to know:

  What is the algorithm for calculating the proper value for
  lazysession.loginurl, at my site, from my site's Apache configuration
  (which may be different from yours and everyone else's) and my site's
  Shibboleth configuration (which also may be different from yours and
  everyone else's)?  What files do I need to read, what values should
  I look for, and how do I combine them to yield this local-path that
  DSpace wants?

The answer to that question would be proper documentation for this
feature of DSpace.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Machines should not be friendly.  Machines should be obedient.


DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette

Re: [Dspace-tech] lazysession.loginurl?

2013-06-11 Thread Kevin P. Foote


On Tue, 11 Jun 2013, Mark H. Wood wrote:

> On Mon, Jun 10, 2013 at 06:39:54PM +, Pottinger, Hardy J. wrote:
>> To anyone following along, Ben Ryan's description below is spot-on. It
>> would be worth copying part of his message into the documentation. If I
>> feel sufficiently full of pique, I might do so myself, though my day is
>> pretty full of distractions already... I won't be offended if someone
>> beats me to it.
>
> OK, I may be dense this week, but I'm still uncertain.  This is a good
> explanation of how Shibboleth lazy login works, but I still don't see
> the one thing that a DSpace installer wants to know:
>
>   What is the algorithm for calculating the proper value for
>   lazysession.loginurl, at my site, from my site's Apache configuration
>   (which may be different from yours and everyone else's) and my site's
>   Shibboleth configuration (which also may be different from yours and
>   everyone else's)?  What files do I need to read, what values should
>   I look for, and how do I combine them to yield this local-path that
>   DSpace wants?
>
> The answer to that question would be proper documentation for this
> feature of DSpace.

I believe that the two shib admins who have spoken up (Ben / I ) have
said this already..

Lazy sessions in the shib world are a way to tell the web container
(apache) that we are using shibboleth for authn/z withOUT requiring a
login right away.

A lazy session configured Location block is as follows..

<Location />
  AuthType shibboleth
  ShibRequestSetting requireSession 0
  Require shibboleth
</Location>

The default (always works) way to get a shib session flow started when
using the Shibboleth SP is hitting the following URL

   http(s)://site/Shibboleth.sso/Login

I would guess the algorithm for calculating is .. :-)

   protocol + site + shibboleth handler + Login

...

Once you are returned from that back to the dspace env/app it is assumed
that the REMOTE_USER and any other headers are able to be pulled out by
the dspace login routines or, that it (dspace) will be looking for them
anyway..

--
thanks
  kevin.foote




Re: [Dspace-tech] lazysession.loginurl?

2013-06-11 Thread Benjamin Ryan
Mark,
1. Shibboleth.sso is the default - this will not change unless you have 
multiple applications protected by Shibboleth.
2. The parts of the path are scheme + vhost + /Shibboleth.sso + 
Location
3. vhost will come from the configured virtual host in your Apache 
config (i.e. site-enabled/mySite.conf)
4. Scheme should be self explanatory i.e. https
5. The last part is the tricky one as it depends on what version of 
Shibboleth SP you are running and how you have configured things.
6. Location is defined in the shibboleth2.xml in the 
shibboleth/etc/shibboleth directory (For Shib 2 upwards), however the Login 
location is not generally defined (I just define locations for Metadata, Status 
and Session for debugging purposes but do not run them in production). It will 
appear in the metadata that is distributed to the members of the federation 
who will use this information to know where to access various parts of the 
Shibboleth system as they authenticate users.

The simplest thing to do is assume the defaults e.g. 
https://mysite.org/Shibboleth.sso/Login so the only information you need is the 
virtual host configured in the Apache config to be protected by Shibboleth.
If this does not work out of the box then you will need someone who 
knows Shib unfortunately.

Regards,
Ben 

--
Dr Ben Ryan
Jorum Technical Coordinator (Services)

5.13 Roscoe Building
The University of Manchester
Oxford Road
Manchester
M13 9PL
Tel: 0161 275 0632
E-mail: benjamin.r...@manchester.ac.uk
--


-Original Message-
From: Mark H. Wood [mailto:mw...@iupui.edu] 
Sent: 11 June 2013 14:05
To: dspace-tech@lists.sourceforge.net
Subject: Re: [Dspace-tech] lazysession.loginurl?

On Mon, Jun 10, 2013 at 06:39:54PM +, Pottinger, Hardy J. wrote:
> To anyone following along, Ben Ryan's description below is spot-on. It
> would be worth copying part of his message into the documentation. If
> I feel sufficiently full of pique, I might do so myself, though my day
> is pretty full of distractions already... I won't be offended if
> someone beats me to it.

OK, I may be dense this week, but I'm still uncertain.  This is a good 
explanation of how Shibboleth lazy login works, but I still don't see the one 
thing that a DSpace installer wants to know:

  What is the algorithm for calculating the proper value for
  lazysession.loginurl, at my site, from my site's Apache configuration
  (which may be different from yours and everyone else's) and my site's
  Shibboleth configuration (which also may be different from yours and
  everyone else's)?  What files do I need to read, what values should
  I look for, and how do I combine them to yield this local-path that
  DSpace wants?

The answer to that question would be proper documentation for this feature of 
DSpace.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Machines should not be friendly.  Machines should be obedient.

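Kevin's and Ben's answers above give the same recipe: scheme + vhost + SP handler path + initiator Location. The script below is that recipe written out as an added example for this thread (it is not DSpace or Shibboleth project code). It reads the two files the recipe depends on, the Apache vhost that fronts Tomcat (ServerName, SSLEngine, and whether a `SetHandler shib` block covers the handler path) and the `<Sessions>` element of shibboleth2.xml (`handlerURL`, defaulting to /Shibboleth.sso when omitted, and the default `SessionInitiator` Location, or /Login when only the `<SSO>` shorthand is present), and assembles both the path form the DSpace docs show and the absolute URL you would paste into a browser. The hostnames, entityID and both configuration fragments are constructed stand-ins; point the functions at your real vhost file and /etc/shibboleth/shibboleth2.xml.

```python
"""Derive lazysession.loginurl from the local Apache vhost and shibboleth2.xml.

Added example for this thread; it is not DSpace or Shibboleth project code.
Hostnames, paths and both configuration strings are constructed stand-ins.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"

# Constructed sample of the Apache vhost that fronts Tomcat (stand-in for the real file).
APACHE_VHOST = """
<VirtualHost *:443>
    ServerName repository.example.edu
    SSLEngine on

    # SP handler: these requests must be answered by mod_shib, never by Tomcat
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    # Lazy session: attributes are exposed when a session exists, none is forced
    <Location />
        AuthType shibboleth
        ShibRequestSetting requireSession 0
        Require shibboleth
    </Location>

    ProxyPass /Shibboleth.sso !
    ProxyPass / ajp://localhost:8009/
</VirtualHost>
"""

# Constructed sample of the relevant part of /etc/shibboleth/shibboleth2.xml.
SHIBBOLETH2_XML = """
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://repository.example.edu/shibboleth">
    <Sessions lifetime="28800" timeout="3600" handlerURL="/Shibboleth.sso" handlerSSL="true">
      <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login">
        <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
        <SessionInitiator type="SAMLDS" URL="https://ds.example-federation.org/DS"/>
      </SessionInitiator>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>
"""


def apache_site(vhost_text):
    """(scheme, host) of the vhost: ServerName, with https when SSLEngine is on."""
    m = re.search(r"^\s*ServerName\s+(\S+)", vhost_text, re.M)
    if not m:
        raise ValueError("vhost has no ServerName")
    ssl = re.search(r"^\s*SSLEngine\s+on\b", vhost_text, re.M | re.I) is not None
    return ("https" if ssl else "http"), m.group(1)


def shib_handler_locations(vhost_text):
    """Paths whose <Location> block hands requests to mod_shib via SetHandler shib."""
    return re.findall(r"<Location\s+(\S+)\s*>\s*SetHandler\s+shib\s*</Location>",
                      vhost_text, re.I)


def sp_login_initiator(shib_xml):
    """(handlerURL, Location) of the SP's default session initiator."""
    sessions = ET.fromstring(shib_xml).find(f".//{{{SP_NS}}}Sessions")
    if sessions is None:
        raise ValueError("shibboleth2.xml has no <Sessions> element")
    handler = sessions.get("handlerURL", "/Shibboleth.sso")  # SP default when omitted
    location = None
    for si in sessions.findall(f"{{{SP_NS}}}SessionInitiator"):
        if si.get("Location") and (location is None or si.get("isDefault") == "true"):
            location = si.get("Location")
    if location is None and sessions.find(f"{{{SP_NS}}}SSO") is not None:
        location = "/Login"  # the <SSO> shorthand of SP 2.4+ installs /Login
    if location is None:
        raise ValueError("no SessionInitiator with a Location and no <SSO> element")
    return handler, location


def lazysession_loginurl(vhost_text, shib_xml):
    """Assemble scheme + vhost + handlerURL + initiator Location and sanity-check it."""
    scheme, host = apache_site(vhost_text)
    handler, location = sp_login_initiator(shib_xml)
    h = urlsplit(handler)  # handlerURL may be absolute; honour its host if so
    if h.netloc:
        scheme, host = (h.scheme or scheme), h.netloc
    handler_path = h.path.rstrip("/")
    path = handler_path + location
    # Without a SetHandler shib block covering handlerURL, Apache may proxy the
    # request on to Tomcat, which answers with its own 404 page for the unknown path.
    intercepted = any(handler_path == loc.rstrip("/")
                      or handler_path.startswith(loc.rstrip("/") + "/")
                      for loc in shib_handler_locations(vhost_text))
    return {
        "path": path,                                     # form used in the DSpace docs
        "url": urlunsplit((scheme, host, path, "", "")),  # form to test in a browser
        "handler_intercepted": intercepted,
    }


if __name__ == "__main__":
    print(lazysession_loginurl(APACHE_VHOST, SHIBBOLETH2_XML))
```

Run it against the real files and, if `handler_intercepted` comes back False, fix the Apache side before touching the DSpace config: a handler path that is not intercepted by mod_shib is exactly the case where the browser ends up at Tomcat's 404 page for /Shibboleth.sso/Login.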


Re: [Dspace-tech] lazysession.loginurl?

2013-06-10 Thread helix84
On Mon, Jun 10, 2013 at 2:57 PM, Richard Sims r...@bu.edu wrote:
> Shibboleth configuration has greatly changed since DSpace 1.7. In 3.x there
> is configuration File [dspace]/config/modules/authentication-shibboleth.cfg.
> In it, there is a lazysession.loginurl parameter. Unfortunately, there is no
> useful documentation on the parameter so as to provide any perspective or
> guidance on what value to provide, saying only that it is "The url to start a
> shibboleth session". And no customer examples can be found on the Web.

Hi Richard,

in fact, there were no code changes to the Shibboleth module between
DSpace 1.8.2 and 3.0, which you can verify using:
git diff dspace-1.8.2 dspace-3.0 -- dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java

There is also documentation about lazy sessions and it includes the
authentication.shib.lazysession.loginurl parameter:
https://wiki.duraspace.org/display/DSDOC3x/Authentication+Plugins#AuthenticationPlugins-ConfiguringShibbolethAuthentication(DSpace1.8.1)

If you need to find out the exact mechanism how it works in DSpace,
you can look at the source (the auth modules are very self-contained):
https://github.com/DSpace/DSpace/blob/dspace-3.1/dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java#L476

There is some more documentation about lazy sessions here:
https://wiki.shibboleth.net/confluence/display/SHIB/LazySession
https://aai-demo.switch.ch/lazy/


Regards,
~~helix84

Compulsory reading: DSpace Mailing List Etiquette
https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette



Re: [Dspace-tech] lazysession.loginurl?

2013-06-10 Thread Richard Sims
Thanks for your quick response...

On Jun 10, 2013, at 9:28 AM, helix84 heli...@centrum.sk wrote:

> On Mon, Jun 10, 2013 at 2:57 PM, Richard Sims r...@bu.edu wrote:
>> Shibboleth configuration has greatly changed since DSpace 1.7. In 3.x there
>> is configuration File [dspace]/config/modules/authentication-shibboleth.cfg.
>> In it, there is a lazysession.loginurl parameter. Unfortunately, there is no
>> useful documentation on the parameter so as to provide any perspective or
>> guidance on what value to provide, saying only that it is "The url to start
>> a shibboleth session". And no customer examples can be found on the Web.
>
> Hi Richard,
>
> in fact, there were no code changes to the Shibboleth module between
> DSpace 1.8.2 and 3.0, which you can verify using:
> git diff dspace-1.8.2 dspace-3.0 -- dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java

As I indicated, I have been attempting to bring our 1.7 implementation up to a 
3.1 level. Across that void there have been substantial changes.

 
> There is also documentation about lazy sessions and it includes the
> authentication.shib.lazysession.loginurl parameter:
> https://wiki.duraspace.org/display/DSDOC3x/Authentication+Plugins#AuthenticationPlugins-ConfiguringShibbolethAuthentication(DSpace1.8.1)

That is the documentation I was referencing. It is useless as to this 
parameter. And its only example is:
   lazysession.loginurl = /Shibboleth.sso/Login
where it is obviously the case that the value is not a URL (no protocol spec up 
front). The example only obfuscates things further.
Attempting to use the file as-is results in the Web browser getting:
   HTTP Status 404 - /Shibboleth.sso/Login
Changing the parameter value and restarting HTTPD and Tomcat make no 
difference: the error content is exactly the same.

> If you need to find out the exact mechanism how it works in DSpace,
> you can look at the source (the auth modules are very self-contained):
> https://github.com/DSpace/DSpace/blob/dspace-3.1/dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java#L476

Please don't expect DSpace adopters to be Java programmers. It's bad enough 
that mortals have to delve into trees of XML files to make intricate changes.
There needs to be straight-up, useful documentation of DSpace parameters. No 
one should have to spend hours trying to divine what cryptic parameters are all 
about. And I say this as someone who has been doing systems work and 
documentation for 30 years.
Frankly, I'm appalled at how primitive DSpace is, and what people have to go 
through to tailor it. This is not 21st century stuff - it's more like what we 
went through in the 1980s to configure systems. DSpace is giving open source 
software a bad reputation in having gross deficiencies like this.

 
> There is some more documentation about lazy sessions here:
> https://wiki.shibboleth.net/confluence/display/SHIB/LazySession
> https://aai-demo.switch.ch/lazy/

Again, this is not explaining the DSpace parameter, and is not a substitute for 
DSpace documentation imparting understanding as it is supposed to.

If someone on the mailing list understands this parameter, I would appreciate 
receiving some perspective on it.

 
 
> Regards,
> ~~helix84
>
> Compulsory reading: DSpace Mailing List Etiquette
> https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette

Richard Sims
Sr. Systems Engineer, Information Services  Technology
Boston University
T (617)353-8249
r...@bu.edu
http://www.bu.edu/tech


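One observation on the symptom reported above: "HTTP Status 404 - /Shibboleth.sso/Login" is the wording of Tomcat's default error page, not Apache's, so the request was answered by Tomcat rather than by mod_shib. Whether the initiator URL is right can be settled in one request without reading any Java, because a working initiator never serves content: it must redirect the browser to the IdP (SAML2 redirect binding, `SAMLRequest` in the query) or to a discovery service (`entityID` and `return` in the query). The following is an added example for this thread, not DSpace or Shibboleth project code; it fetches the initiator URL once without following the redirect and says what each outcome means for the Apache/mod_shib/Tomcat chain. The hostnames are placeholders and the responses used to exercise it are constructed.

```python
"""Check what the SP login initiator actually answers, and say what the answer means.

Added example for this thread; not DSpace or Shibboleth project code. Hostnames
are placeholders; the sample responses used to exercise it are constructed.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlsplit


def diagnose_initiator_response(status, headers, body=""):
    """Classify the response to GET https://<vhost>/Shibboleth.sso/Login.

    headers is a dict of response headers; lookup here is case-insensitive.
    Returns a one-line verdict a DSpace installer can act on.
    """
    h = {k.lower(): v for k, v in headers.items()}
    location = h.get("location", "")
    if status in (302, 303) and location:
        target = urlsplit(location)
        query = parse_qs(target.query)
        if "SAMLRequest" in query:          # SAML2 redirect binding straight to the IdP
            return f"ok: SP sent an AuthnRequest to IdP {target.netloc}"
        if "entityID" in query and "return" in query:   # SAML discovery-service protocol
            return f"ok: SP sent the browser to discovery service {target.netloc}"
        return f"redirected to {target.netloc}: not a SAML flow; check for a vhost-level Redirect"
    if status == 404 and "HTTP Status 404" in body:     # Tomcat's default error page
        return ("Tomcat answered: the request bypassed mod_shib (no SetHandler shib for "
                "the handler path, wrong vhost, or Tomcat port reached directly)")
    if status == 404:
        return "Apache answered 404: mod_shib is not handling the path on this vhost"
    if status == 500:
        return "500 from the SP handler: commonly shibd not running or unreachable; check shibd.log"
    if status == 200:
        return "200 without redirect: URL served as content, the initiator was never reached"
    return f"unexpected status {status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following the redirect; we want to inspect it, not take it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=10):
    """GET the initiator URL once and return the diagnosis (needs network access)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return diagnose_initiator_response(
                resp.status, dict(resp.headers), resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here since redirects are disabled
        return diagnose_initiator_response(
            err.code, dict(err.headers), err.read(4096).decode("utf-8", "replace"))


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "https://repository.example.edu/Shibboleth.sso/Login"
    print(probe(url))
```

Run it against the public vhost name, not against Tomcat's own port: the point of the check is to see the request pass through Apache and mod_shib the way a browser's would.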


Re: [Dspace-tech] lazysession.loginurl?

2013-06-10 Thread Benjamin Ryan
Richard,
The lazysession.loginurl refers to the Shibboleth request initiator 
endpoint that is configured for the Shibboleth Service Provider (ShibSP) that 
you are using.

This configuration is done by the administrators of the federation 
that you belong to (http://iamsect.ncl.ac.uk/deliverables/docs/federations/).

The lazysession.loginurl is appended to the domain name the machine 
that your Dspace instance is running on e.g. 
https://content.resourceshare.ac.uk/Shibboleth.sso/Login.

If you access this URL the browser will be re-directed to the 
Discovery service (another end point that has to be configured for your 
ShibSP) that allows the user to choose the institution at which they want to 
authenticate. In my case I choose The University of Manchester as that is where 
I have an account and the Shibboleth Identity Provider (ShibIDP) will provide 
information to the ShibSP that is then passed through the web server to the 
application server where it is available for DSpace to process.

As Shibboleth is designed to be able to be used to protect many different 
types of web services without affecting those services, Dspace only has the need 
to know where the browser should be re-directed to so that a Shibboleth session 
can be established e.g. the lazysession.loginurl and the mapping from the 
Authentication headers passed through to Dspace to the Dspace specific 
parameters that are used to determine whether a user can be authenticated e.g.

# Authentication headers for Mail, NetID, and Tomcat's Remote User.
# Supply all parameters possible.
netid-header = net-id
email-header = SHIB-MAIL
email-use-tomcat-remote-user = false

The authentication headers are defined in the Shibboleth configuration 
(attribute-map.xml) and take the form:

<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="net-id">
    <AttributeDecoder xsi:type="NameIDAttributeDecoder"
        formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
</Attribute>

The value of the id attribute is up to you but must match the one in the Dspace 
Shibboleth configuration file. 

To get Dspace to work with Shibboleth is straight forward if you have access to 
the relevant information about how the ShibSP you intend to use is configured. 
It is out of scope for the Dspace documentation to contain detailed information 
on the setup and configuration of the Shibboleth system as this is a very 
complex area (I know, I have had to do all the configuration of both Dspace and 
Shibboleth).

Regards,
Ben

--
Dr Ben Ryan
Jorum Technical Manager

5.12 Roscoe Building
The University of Manchester
Oxford Road
Manchester
M13 9PL
Tel: 0160 275 6039
E-mail: benjamin.r...@manchester.ac.uk
--


-Original Message-
From: Richard Sims [mailto:r...@bu.edu] 
Sent: 10 June 2013 14:57
To: DSpace Tech
Subject: Re: [Dspace-tech] lazysession.loginurl?

Thanks for your quick response...

On Jun 10, 2013, at 9:28 AM, helix84 heli...@centrum.sk wrote:

> On Mon, Jun 10, 2013 at 2:57 PM, Richard Sims r...@bu.edu wrote:
>> Shibboleth configuration has greatly changed since DSpace 1.7. In 3.x there 
>> is configuration File [dspace]/config/modules/authentication-shibboleth.cfg. 
>> In it, there is a lazysession.loginurl parameter. Unfortunately, there is no 
>> useful documentation on the parameter so as to provide any perspective or 
>> guidance on what value to provide, saying only that it is "The url to start 
>> a shibboleth session". And no customer examples can be found on the Web.
>
> Hi Richard,
>
> in fact, there were no code changes to the Shibboleth module between 
> DSpace 1.8.2 and 3.0, which you can verify using:
> git diff dspace-1.8.2 dspace-3.0 -- dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java

As I indicated, I have been attempting to bring our 1.7 implementation up to a 
3.1 level. Across that void there have been substantial changes.

 
> There is also documentation about lazy sessions and it includes the 
> authentication.shib.lazysession.loginurl parameter:
> https://wiki.duraspace.org/display/DSDOC3x/Authentication+Plugins#AuthenticationPlugins-ConfiguringShibbolethAuthentication(DSpace1.8.1)

That is the documentation I was referencing. It is useless as to this 
parameter. And its only example is:
   lazysession.loginurl = /Shibboleth.sso/Login
where it is obviously the case that the value is not a URL (no protocol spec up 
front). The example only obfuscates things further.
Attempting to use the file as-is results in the Web browser getting:
   HTTP Status 404 - /Shibboleth.sso/Login
Changing the parameter value and restarting HTTPD and Tomcat make no 
difference: the error content is exactly the same.

> If you need to find out the exact mechanism how it works in DSpace, 
> you can look at the source (the auth modules are very self
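Ben's point that the `id` in attribute-map.xml "must match the one in the Dspace Shibboleth configuration file" is the other half of the setup, and it is easy to verify mechanically. The script below is an added example for this thread, not DSpace or Shibboleth project code: it parses a constructed attribute-map.xml and a constructed authentication-shibboleth.cfg fragment, reports every `*-header` value that the SP will not actually populate (one deliberately mismatched entry, `firstname-header = givenName`, is included to show the failure), and spells out what the `$NameQualifier!$SPNameQualifier!$Name` formatter turns a persistent NameID into, since that whole qualified string, not the bare identifier, is what arrives in the `net-id` header. The attribute ids, entityIDs and NameID value are constructed.

```python
"""Cross-check attribute-map.xml ids against the header names DSpace is told to read.

Added example for this thread; not DSpace or Shibboleth project code. Both
configuration strings, the attribute ids and the sample NameID values are constructed.
"""
import xml.etree.ElementTree as ET

AM_NS = "urn:mace:shibboleth:2.0:attribute-map"

# Constructed stand-in for /etc/shibboleth/attribute-map.xml.
ATTRIBUTE_MAP_XML = """
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="net-id">
    <AttributeDecoder xsi:type="NameIDAttributeDecoder"
                      formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
  </Attribute>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="SHIB-MAIL"/>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation"/>
</Attributes>
"""

# Constructed stand-in for [dspace]/config/modules/authentication-shibboleth.cfg;
# firstname-header deliberately names an id the map above does not define.
DSPACE_SHIB_CFG = """
# Authentication headers for Mail, NetID, and Tomcat's Remote User.
netid-header = net-id
email-header = SHIB-MAIL
email-use-tomcat-remote-user = false
firstname-header = givenName
"""


def parse_attribute_map(xml_text):
    """id -> SAML attribute name, plus the NameID formatter where one is declared."""
    out = {}
    for attr in ET.fromstring(xml_text).findall(f"{{{AM_NS}}}Attribute"):
        dec = attr.find(f"{{{AM_NS}}}AttributeDecoder")
        out[attr.get("id")] = {"name": attr.get("name"),
                               "formatter": dec.get("formatter") if dec is not None else None}
    return out


def parse_cfg(cfg_text):
    """key -> value for a DSpace .cfg fragment; comments and blank lines skipped."""
    cfg = {}
    for line in cfg_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            cfg[k.strip()] = v.strip()
    return cfg


def check_header_mapping(cfg_text, attribute_map_xml):
    """For every *-header key, is its value an id the SP will actually populate?"""
    cfg, ids = parse_cfg(cfg_text), parse_attribute_map(attribute_map_xml)
    report = {}
    for key, header in cfg.items():
        if not key.endswith("-header"):
            continue
        if header in ids:
            report[key] = "ok"
        elif any(i.lower() == header.lower() for i in ids):
            # HTTP header names are matched case-insensitively, but AJP request
            # attributes (the safer way to hand attributes to Tomcat) are matched exactly.
            report[key] = "case-mismatch"
        else:
            report[key] = "missing"
    return report


def format_nameid(formatter, name, name_qualifier, sp_name_qualifier):
    """What NameIDAttributeDecoder emits for the given formatter string."""
    # $NameQualifier must be substituted before $Name, which is a prefix of it.
    return (formatter.replace("$NameQualifier", name_qualifier)
                     .replace("$SPNameQualifier", sp_name_qualifier)
                     .replace("$Name", name))


if __name__ == "__main__":
    print(check_header_mapping(DSPACE_SHIB_CFG, ATTRIBUTE_MAP_XML))
    fmt = parse_attribute_map(ATTRIBUTE_MAP_XML)["net-id"]["formatter"]
    print(format_nameid(fmt, "a1b2c3d4", "https://idp.example.edu/idp/shibboleth",
                        "https://repository.example.edu/shibboleth"))
```

Matching names is necessary but not sufficient. With `ShibUseHeaders On` the attributes travel to Tomcat as ordinary HTTP request headers, so anything that can reach Tomcat without passing through mod_shib (a Tomcat connector exposed beyond the Apache host, a vhost without the Location block) can supply its own `SHIB-MAIL` or `net-id`; mod_shib clears those headers only on requests it handles. Passing the attributes as AJP request attributes, and firewalling the Tomcat connectors to the Apache host, closes that path.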

Re: [Dspace-tech] lazysession.loginurl?

2013-06-10 Thread helix84
On Mon, Jun 10, 2013 at 3:57 PM, Richard Sims r...@bu.edu wrote:
> As I indicated, I have been attempting to bring our 1.7 implementation up to
> a 3.1 level. Across that void there have been substantial changes.

I'm sorry, I misread 1.7 as 1.8. You're right, of course.

> Please don't expect DSpace adopters to be Java programmers. It's bad enough
> that mortals have to delve into trees of XML files to make intricate changes.
> There needs to be straight-up, useful documentation of DSpace parameters. No
> one should have to spend hours trying to divine what cryptic parameters are
> all about. And I say this as someone who has been doing systems work and
> documentation for 30 years.
> Frankly, I'm appalled at how primitive DSpace is, and what people have to go
> through to tailor it. This is not 21st century stuff - it's more like what we
> went through in the 1980s to configure systems. DSpace is giving open source
> software a bad reputation in having gross deficiencies like this.

I'm aware that our documentation has its problems in many areas,
unfortunately. As you surely understand this is a purely volunteer
effort and manpower is a problem - moreover, there are not many
experts available for specific areas like this one. If you happen to
figure out your problem, we would appreciate if you could rewrite
whatever you feel is lacking in a manner that will be easy to
understand for future visitors. Editing the wiki is not restricted and
only requires registration. We're giving edit access to the offical
documentation on request (to prevent spam) - simply send us your
Jira/wiki username.

Good luck with your DSpace implementation and sorry I couldn't help in
this case.


Regards,
~~helix84

Compulsory reading: DSpace Mailing List Etiquette
https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette



Re: [Dspace-tech] lazysession.loginurl?

2013-06-10 Thread Mark H. Wood
So, from the DSpace installer's POV, the doco. should answer the
question: how do I generate the proper value for this variable?  That
does seem to take some reading between the lines.  The DSpace source
doesn't really help much here.  You have to look at the way that
Shibboleth is plumbed into your web server.

There seems to be an assumption that Apache HTTPD is used.  My best
guess is that the value for lazysession.loginurl can be calculated by
finding something in the HTTPD configuration that looks like:

  <Location /Shibboleth.sso>
    SetHandler shib
  </Location>

taking the argument to Location and appending /Login.

Can someone confirm that this is How To Do It? or supply the correct
procedure?  I'd be happy to fix the DSpace documentation once I am
confident that I know what it should say.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Machines should not be friendly.  Machines should be obedient.



Re: [Dspace-tech] lazysession.loginurl?

2013-06-10 Thread Pottinger, Hardy J.
To anyone following along, Ben Ryan's description below is spot-on. It
would be worth copying part of his message into the documentation. If I
feel sufficiently full of pique, I might do so myself, though my day is
pretty full of distractions already... I won't be offended if someone
beats me to it. 

--
HARDY POTTINGER pottinge...@umsystem.edu
University of Missouri Library Systems
http://lso.umsystem.edu/~pottingerhj/
https://MOspace.umsystem.edu/
I am always doing that which I cannot do, in order that I may learn how
to do it. --Pablo Picasso





On 6/10/13 9:57 AM, Benjamin Ryan benjamin.r...@manchester.ac.uk wrote:

> Richard,
> The lazysession.loginurl refers to the Shibboleth request initiator
> endpoint that is configured for the Shibboleth Service Provider (ShibSP)
> that you are using.
>
> This configuration is done by the administrators of the federation
> that you belong to
> (http://iamsect.ncl.ac.uk/deliverables/docs/federations/).
>
> The lazysession.loginurl is appended to the domain name the machine that
> your Dspace instance is running on e.g.
> https://content.resourceshare.ac.uk/Shibboleth.sso/Login.
>
> If you access this URL the browser will be re-directed to the
> Discovery service (another end point that has to be configured for your
> ShibSP) that allows the user to choose the institution at which they want
> to authenticate. In my case I choose The University of Manchester as that
> is where I have an account and the Shibboleth Identity Provider (ShibIDP)
> will provide information to the ShibSP that is then passed through the
> web server to the application server where it is available for DSpace to
> process.
>
> As Shibboleth is designed to be able to be used to protect many different
> types of web services without affecting those services, Dspace only has
> the need to know where the browser should be re-directed to so that a
> Shibboleth session can be established e.g. the lazysession.loginurl and
> the mapping from the Authentication headers passed through to Dspace to
> the Dspace specific parameters that are used to determine whether a user
> can be authenticated e.g.
>
> # Authentication headers for Mail, NetID, and Tomcat's Remote User.
> # Supply all parameters possible.
> netid-header = net-id
> email-header = SHIB-MAIL
> email-use-tomcat-remote-user = false
>
> The authentication headers are defined in the Shibboleth configuration
> (attribute-map.xml) and take the form:
>
> <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="net-id">
>     <AttributeDecoder xsi:type="NameIDAttributeDecoder"
>         formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
> </Attribute>
>
> The value of the id attribute is up to you but must match the one in the
> Dspace Shibboleth configuration file.
>
> To get Dspace to work with Shibboleth is straight forward if you have
> access to the relevant information about how the ShibSP you intend to use
> is configured. It is out of scope for the Dspace documentation to contain
> detailed information on the setup and configuration of the Shibboleth
> system as this is a very complex area (I know, I have had to do all the
> configuration of both Dspace and Shibboleth).
>
> Regards,
> Ben
>
> --
> Dr Ben Ryan
> Jorum Technical Manager
>
> 5.12 Roscoe Building
> The University of Manchester
> Oxford Road
> Manchester
> M13 9PL
> Tel: 0160 275 6039
> E-mail: benjamin.r...@manchester.ac.uk
> --
>
>
> -Original Message-
> From: Richard Sims [mailto:r...@bu.edu]
> Sent: 10 June 2013 14:57
> To: DSpace Tech
> Subject: Re: [Dspace-tech] lazysession.loginurl?
>
> Thanks for your quick response...
>
> On Jun 10, 2013, at 9:28 AM, helix84 heli...@centrum.sk wrote:
>
>> On Mon, Jun 10, 2013 at 2:57 PM, Richard Sims r...@bu.edu wrote:
>>> Shibboleth configuration has greatly changed since DSpace 1.7. In 3.x
>>> there is configuration File
>>> [dspace]/config/modules/authentication-shibboleth.cfg. In it, there is
>>> a lazysession.loginurl parameter. Unfortunately, there is no useful
>>> documentation on the parameter so as to provide any perspective or
>>> guidance on what value to provide, saying only that it is "The url to
>>> start a shibboleth session". And no customer examples can be found on
>>> the Web.
>>
>> Hi Richard,
>>
>> in fact, there were no code changes to the Shibboleth module between
>> DSpace 1.8.2 and 3.0, which you can verify using:
>> git diff dspace-1.8.2 dspace-3.0 -- dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java
>
> As I indicated, I have been attempting to bring our 1.7 implementation up
> to a 3.1 level. Across that void there have been substantial changes.
>
>>
>> There is also documentation about lazy sessions and it includes the
>> authentication.shib.lazysession.loginurl parameter:
>> https://wiki.duraspace.org/display/DSDOC3x/Authentication+Plugins#AuthenticationPlugins-ConfiguringShibbolethAuthentication(DSpace1.8.1)
>
> That is the documentation I was referencing. It is useless

Re: [Dspace-tech] lazysession.loginurl?

2013-06-10 Thread Pottinger, Hardy J.
Hi, here is a definition of what Shibboleth means by Lazy Session:

https://wiki.shibboleth.net/confluence/display/SHIB/LazySession


(note, link is to the older Shib 1.3 documentation, I can't find the
corresponding page in the 2.x documentation).

In a nutshell, a Lazy Session configuration of Shibboleth allows
attributes from an already-established session to be passed to your
application, but does not actually require such an existing session. A
Lazy Session Login URL would be where you would need to send a user should
the session need to be recreated or refreshed for some reason.

In your Apache config file, here's how you'd configure a lazy session:

# turn on Shibboleth Lazy Session
<Location />
  AuthType shibboleth
  ShibRequireSession Off
  require shibboleth
</Location>



If you instead pass a value of ShibRequireSession On or ShibRequireSession
True, you would force all visitors to login when they encounter any URL to
your site.

So, in a Lazy Session environment, you still need a way for your
application to create new sessions and/or refresh existing ones.

If you are using Shibboleth authentication at your institution, I
recommend utilizing Lazy Sessions, as it's how you deliver on the promise
of a single sign on, otherwise you're asking people to log in yet
again, using the same credentials they use elsewhere.

--

HARDY POTTINGER pottinge...@umsystem.edu
University of Missouri Library Systems
http://lso.umsystem.edu/~pottingerhj/
https://MOspace.umsystem.edu/
Every last one of us can do better than give up.-- Sugar





On 6/10/13 1:47 PM, Kevin P. Foote kpfo...@iup.edu wrote:


> On Mon, 10 Jun 2013, Mark H. Wood wrote:
>
>> So, from the DSpace installer's POV, the doco. should answer the
>> question: how do I generate the proper value for this variable?  That
>> does seem to take some reading between the lines.  The DSpace source
>> doesn't really help much here.  You have to look at the way that
>> Shibboleth is plumbed into your web server.
>
>> There seems to be an assumption that Apache HTTPD is used.  My best
>
> You will most certainly be using Apache as a front to tomcat/jetty if
> you are using or relying on the Shibboleth SP.
>
>> guess is that the value for lazysession.loginurl can be calculated by
>> finding something in the HTTPD configuration that looks like:
>
>>   <Location /Shibboleth.sso>
>>     SetHandler shib
>>   </Location>
>
>> taking the argument to Location and appending /Login.
>
>> Can someone confirm that this is How To Do It? or supply the correct
>> procedure?  I'd be happy to fix the DSpace documentation once I am
>> confident that I know what it should say.
>
> I've always assumed (yea-yea) that if you're running Shib for your login
> you have some local resources to fall back on, local or back to the shib
> community.
>
> The concept of 'lazy login' comes into play if you have a website that in
> general does NOT need to be user/pass protected -- ie: searchable by the
> world etc. But, has some areas that need to have authn/z to function.
>
> So we are left with a protection example that looks like this in apache
> config..
>
> #
> # Lazily protect the entire dspace site
> #
> <Location />
>    AuthType shibboleth
>    ShibRequestSetting requireSession 0
>    Require shibboleth
> </Location>
>
> Your entry in to the dspace config would be that of the SP login
> initiator.. which by default is http(s)://site/Shibboleth.sso/Login
>
> This tells the shib-sp to kick off a login event which, directs to IdP
> or discovery page..
>
> So, I'm purely guessing here that, in dspace 3 you are calling the
> initiator directly, hence the config entry, to get the login started
> rather than relying on an Apache Location block specific to where the
> shibboleth login code will be waiting.
>
>
> ---
>
> Contrast the older model..
> In 1.7 era (which I'm still using) you protect a Dspace location
> /shibboleth-login which gets the login rolling and is able to parse
> out the return data from the headers.
>
> example of 1.7 ish
>
> <Location /shibboleth-login>
>    AuthType shibboleth
>    ShibRequestSetting requireSession 1
>    ShibUseHeaders On
>    Require affiliation member
> </Location>
>
>
> --
> thanks
>   kevin.foote


