This application has no explicit mapping for /error, so you are seeing this as a fallback.
2020-08-04 11:17:39,880 DEBUG org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute mail is empty!
2020-08-04 11:17:39,880 ERROR org.dspace.authenticate.ShibAuthentication @ Shibboleth authentication was not able to find a NetId, Email, or Tomcat Remote user for which to indentify a user from.
2020-08-04 11:17:39,881 DEBUG org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute mail is empty!
2020-08-04 11:17:39,881 DEBUG org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute givenName is empty!
2020-08-04 11:17:39,881 DEBUG org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute sn is empty!
2020-08-04 11:17:39,899 ERROR org.dspace.authenticate.ShibAuthentication @ Unable to register new eperson because we are unable to find an email address along with first and last name for the user.
NetId Header: 'null'='null' (Optional)
Email Header: 'mail'='null'
First Name Header: 'givenName'='null'
Last Name Header: 'sn'='null'
But in Shibboleth I have the email:
2020-08-04 11:09:26|Shibboleth-TRANSACTION.Login|te...@example.com|_37a933a02565057512061ad02ccb9e0e|https://ixxxxxxxxx/idp/shibboleth|_5b973d9e7099c43c1bb1b6e7c3a6470c|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|2020-08-04T10:41:45|mail|AAdzZWNyZXQxs+3UzwKOWff08rnbNGeh+Uh53kS61N8OJl+1zy7rkVEaQl9ILTZMGGa+ia7FwPUrRaniiKcC/10X+WBWVkhUGkOf5HNbpwS3nQ2C8B7e5+AXFMH6gpgeI=|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||urn:oasis:names:tc:SAML:2.0:status:Success|||Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0|zzzzz
The Apache configuration is:
UseCanonicalName On
<Location /server/api/authn/shibboleth>
Require all granted
AuthType shibboleth
ShibUseHeaders On
ShibUseEnvironment On
Require shibboleth
</Location>
<Location /server/api/authn/login>
Require all granted
AuthType shibboleth
ShibUseHeaders On
ShibUseEnvironment On
Require shibboleth
</Location>
<Proxy *>
AddDefaultCharset Off
Require all granted
#Order deny,allow
#Allow from all
</Proxy>
SSLProxyEngine on
ProxyIOBufferSize 65536
ProxyRequests off
ProxyPreserveHost On
ProxyPass /Shibboleth.sso !
# A specific proxypass configuration for DSpace server (both server and angular on the same machine)
ProxyPass /server ajp://localhost:8009/server
ProxyPassReverse /server ajp://localhost:8009/server
# A specific proxypass configuration for Angular
ProxyPass / http://localhost:4000/
ProxyPassReverse / http://localhost:4000/
Dear Tim,
I have the configuration:
authentication-shibboleth.lazysession = true
authentication-shibboleth.lazysession.loginurl = /Shibboleth.sso/Login
authentication-shibboleth.lazysession.secure = true
authentication-shibboleth.email-header = mail
authentication-shibboleth.email-use-tomcat-remote-user = false
authentication-shibboleth.autoregister = true
authentication-shibboleth.sword.compatibility = false
authentication-shibboleth.firstname-header = givenName
authentication-shibboleth.lastname-header = sn
authentication-shibboleth.eperson.metadata.autocreate = true
authentication-shibboleth.reconvert.attributes = false
default-roles = internal
role.internal = ETDR_AUTO
authentication-shibboleth.role-header = SHIB-SCOPED-AFFILIATION
authentication-shibboleth.role-header.ignore-scope = true
Ciprian
I find a message like:
INFO org.dspace.app.rest.security.EPersonRestAuthenticationProvider @ anonymous::failed_login:email=null, result=4
2020-08-04 18:12:57,053 INFO org.springframework.security.web.DefaultSecurityFilterChain @ Creating filter chain: Ant [pattern='/api/**'], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@43d7f719, org.springframework.security.web.context.SecurityContextPersistenceFilter@e5c20f0, org.springframework.security.web.header.HeaderWriterFilter@148a6d4b, org.springframework.web.filter.CorsFilter@8eb6f8d, org.dspace.app.rest.security.StatelessAuthenticationFilter@1bd3eb22, org.dspace.app.rest.security.StatelessLoginFilter@44823e3, org.dspace.app.rest.security.ShibbolethAuthenticationFilter@785b634c, org.springframework.security.web.authentication.logout.LogoutFilter@1f754887, org.dspace.app.rest.security.AnonymousAdditionalAuthorizationFilter@2b9feccd, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@1ab55f03, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@60b02a97, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@2f918867, org.springframework.security.web.session.SessionManagementFilter@3fa4fdb9, org.springframework.security.web.access.ExceptionTranslationFilter@5effff08, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@647f6f74]
2020-08-04 18:14:33,306 DEBUG org.dspace.app.rest.security.ShibbolethAuthenticationFilter @ Request is to process authentication
but not your message.
authentication-shibboleth.email-header = mail
Darryl Friesen, BSc
Programmer/Analyst
University of Saskatchewan
ICT / University Library