I would like to share an issue I experienced today that is likely to come
up with any new invenio/shibboleth installations.
It seems that in recent shibboleth rpms (at least 2.5.x ones) there is a
new directive that goes by default into shibd.conf and breaks how
invenio interacts with the shibd daemon.
The 'suspicious' new code in shibd.conf is the following:
<Location /Shibboleth.sso>
Satisfy Any
Allow from all
</Location>
A simple test to replicate the problem (provided that you have at least
set up invenio-apache-vhost-ssl.conf to use shibboleth) is to check for
a link that should -normally- be handled by shibboleth. For example:
/Shibboleth.sso/Login
The symptom is that the relevant part of the
invenio-apache-vhost-ssl.conf is overridden for the /Shibboleth.sso/
urls and hence not handled properly... Thus, instead of logging in, you
get a 404 error from Invenio.
The solution is to remove (or comment-out) the relevant 4 lines from
shibd.conf and restart apache.
In case you verify my findings, you might want to put a note in the
HowToIntegrateWithShibboleth wiki entry...
Best regards,
Theodoros Theodoropoulos
ps. Although it's simple to understand once you see it, it took me ~4
hours to rule out all other possible shibboleth/invenio/wsgi/etc
configuration problems and start looking at the basic apache
configurations line-by-line...
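
Added example, not part of the original post: a small Python check that finds an active `<Location /Shibboleth.sso>` block in Apache configuration text and comments it out, which is the fix the post describes. The sample configuration, the `/secure` block and the function names are constructed for illustration.

```python
import re

# Constructed sample: the four lines quoted in the post plus an unrelated block.
SAMPLE = """\
# constructed sample configuration
<Location /secure>
  AuthType shibboleth
  Require valid-user
</Location>
<Location /Shibboleth.sso>
  Satisfy Any
  Allow from all
</Location>
"""

OPEN = re.compile(r'^\s*<Location\s+"?([^\s">]+)"?\s*>', re.I)
CLOSE = re.compile(r'^\s*</Location\s*>', re.I)

def find_blocks(conf_text, url_path="/Shibboleth.sso"):
    """Return (first_line, last_line, directives) for every active
    <Location> block whose path equals url_path (1-based line numbers)."""
    blocks, start, body = [], None, []
    for no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out lines are inactive
        m = OPEN.match(line)
        if m and start is None:
            if m.group(1).rstrip("/") == url_path.rstrip("/"):
                start, body = no, []
        elif start is not None and CLOSE.match(line):
            blocks.append((start, no, body))
            start = None
        elif start is not None and line.strip():
            body.append(" ".join(line.split()))  # normalise whitespace
    return blocks

def comment_out(conf_text, blocks):
    """Return conf_text with every line of the given blocks prefixed by '#'."""
    lines = conf_text.splitlines()
    for first, last, _ in blocks:
        for i in range(first - 1, last):
            lines[i] = "#" + lines[i]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    found = find_blocks(SAMPLE)
    for first, last, directives in found:
        print(f"lines {first}-{last}: {directives}")
    print(comment_out(SAMPLE, found))
```

Apache still has to be restarted after the edited file is written back, as the post says.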