Dspace 7 shibboleth error


Ciprian Pinzaru

04.08.2020, 10:20:36
to DSpace Technical Support
Dear community,


Please help me to fix the authentication error with Shibboleth and DSpace 7 beta 3.

In the browser I have the message:

Whitelabel Error Page

This application has no explicit mapping for /error, so you are seeing this as a fallback.

Tue Aug 04 11:09:27 EEST 2020
There was an unexpected error (type=Unauthorized, status=401).
Login failed

in the dspace logs:


2020-08-04 11:17:39,880 DEBUG org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute mail is empty!
2020-08-04 11:17:39,880 ERROR org.dspace.authenticate.ShibAuthentication @ Shibboleth authentication was not able to find a NetId, Email, or Tomcat Remote user for which to indentify a user from.
2020-08-04 11:17:39,881 DEBUG org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute mail is empty!
2020-08-04 11:17:39,881 DEBUG org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute givenName is empty!
2020-08-04 11:17:39,881 DEBUG org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute sn is empty!
2020-08-04 11:17:39,899 ERROR org.dspace.authenticate.ShibAuthentication @ Unable to register new eperson because we are unable to find an email address along with first and last name for the user.
  NetId Header: 'null'='null' (Optional)
  Email Header: 'mail'='null'
  First Name Header: 'givenName'='null'
  Last Name Header: 'sn'='null'




But in the Shibboleth log I have the email:



2020-08-04 11:09:26|Shibboleth-TRANSACTION.Login|te...@example.com|_37a933a02565057512061ad02ccb9e0e|https://ixxxxxxxxx/idp/shibboleth|_5b973d9e7099c43c1bb1b6e7c3a6470c|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|2020-08-04T10:41:45|mail|AAdzZWNyZXQxs+3UzwKOWff08rnbNGeh+Uh53kS61N8OJl+1zy7rkVEaQl9ILTZMGGa+ia7FwPUrRaniiKcC/10X+WBWVkhUGkOf5HNbpwS3nQ2C8B7e5+AXFMH6gpgeI=|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||urn:oasis:names:tc:SAML:2.0:status:Success|||Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0|zzzzz






The Apache configuration is:



    UseCanonicalName On

    <Location /server/api/authn/shibboleth>
        Require all granted
        AuthType shibboleth
        ShibUseHeaders On
        ShibUseEnvironment On
        Require shibboleth
    </Location>

    <Location /server/api/authn/login>
        Require all granted
        AuthType shibboleth
        ShibUseHeaders On
        ShibUseEnvironment On
        Require shibboleth
    </Location>

    <Proxy *>
        AddDefaultCharset Off
        Require all granted
        #Order deny,allow
        #Allow from all
    </Proxy>

    SSLProxyEngine on
    ProxyIOBufferSize 65536
    ProxyRequests off
    ProxyPreserveHost On
    ProxyPass /Shibboleth.sso !

    # A specific proxypass configuration for DSpace server (both server and angular on the same machine)
    ProxyPass /server ajp://localhost:8009/server
    ProxyPassReverse /server ajp://localhost:8009/server

    # A specific proxypass configuration for Angular
    ProxyPass / http://localhost:4000/
    ProxyPassReverse / http://localhost:4000/

Tim Donohue

04.08.2020, 10:47:37
to Ciprian Pinzaru, DSpace Technical Support
Just a guess, but have you filled out the settings in your "authentication-shibboleth.cfg" file? https://github.com/DSpace/DSpace/blob/main/dspace/config/modules/authentication-shibboleth.cfg

DSpace needs to know which authentication header(s) are available in your Shibboleth in order to authenticate. So, usually you'd need to tell DSpace either the "netid-header", "email-header", or fall back to using Tomcat's remote user. See this section:
https://github.com/DSpace/DSpace/blob/main/dspace/config/modules/authentication-shibboleth.cfg#L49-L95

This is the same Shibboleth configuration that DSpace used in DSpace v6, so you can also reference those docs for more info: https://wiki.lyrasis.org/display/DSDOC6x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication

Once DSpace 7 gets closer to production-ready, we'll obviously have a better guide specific to DSpace 7.

Tim


Ciprian Pinzaru

04.08.2020, 10:51:43
to Tim Donohue, DSpace Technical Support

Dear Tim,


I have the configuration:




authentication-shibboleth.lazysession = true
authentication-shibboleth.lazysession.loginurl = /Shibboleth.sso/Login
authentication-shibboleth.lazysession.secure = true

authentication-shibboleth.email-header = mail
authentication-shibboleth.email-use-tomcat-remote-user = false
authentication-shibboleth.autoregister = true
authentication-shibboleth.sword.compatibility = false

authentication-shibboleth.firstname-header = givenName
authentication-shibboleth.lastname-header = sn

authentication-shibboleth.eperson.metadata.autocreate = true
authentication-shibboleth.reconvert.attributes = false

default-roles = internal
role.internal = ETDR_AUTO
authentication-shibboleth.role-header = SHIB-SCOPED-AFFILIATION
authentication-shibboleth.role-header.ignore-scope = true

Ciprian

Tim Donohue

04.08.2020, 11:17:24
to Ciprian Pinzaru, DSpace Technical Support

Based on your configuration, you may want to look closely at the dspace.log to see what the "INFO" messages say just before you hit errors. You *might* see something like:

"Unable to identify EPerson based upon Shibboleth email header: mail" 

If you see that message, then this setting is *incorrect* for your Shibboleth installation:

authentication-shibboleth.email-header = mail


If that's the case, you'll need to see what the correct setting for this "email-header" is for your Shibboleth, or possibly choose to switch to using the "netid-header" setting instead (if that's easier to use based on your Shibboleth setup). Every Shibboleth setup is slightly different, so unfortunately I cannot tell you what the correct configuration is for your setup.

In general, you may want to read through the Shibboleth configuration options listed here: https://wiki.lyrasis.org/display/DSDOC6x/Authentication+Plugins#AuthenticationPlugins-DSpaceShibbolethConfigurationOptions Then, decide which should work best for your Shibboleth setup.

Tim


Ciprian Pinzaru

04.08.2020, 11:39:04
to Tim Donohue, DSpace Technical Support

I found a message like:


INFO  org.dspace.app.rest.security.EPersonRestAuthenticationProvider @ anonymous::failed_login:email=null, result=4



2020-08-04 18:12:57,053 INFO  org.springframework.security.web.DefaultSecurityFilterChain @ Creating filter chain: Ant [pattern='/api/**'], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@43d7f719, org.springframework.security.web.context.SecurityContextPersistenceFilter@e5c20f0, org.springframework.security.web.header.HeaderWriterFilter@148a6d4b, org.springframework.web.filter.CorsFilter@8eb6f8d, org.dspace.app.rest.security.StatelessAuthenticationFilter@1bd3eb22, org.dspace.app.rest.security.StatelessLoginFilter@44823e3, org.dspace.app.rest.security.ShibbolethAuthenticationFilter@785b634c, org.springframework.security.web.authentication.logout.LogoutFilter@1f754887, org.dspace.app.rest.security.AnonymousAdditionalAuthorizationFilter@2b9feccd, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@1ab55f03, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@60b02a97, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@2f918867, org.springframework.security.web.session.SessionManagementFilter@3fa4fdb9, org.springframework.security.web.access.ExceptionTranslationFilter@5effff08, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@647f6f74]



2020-08-04 18:14:33,306 DEBUG org.dspace.app.rest.security.ShibbolethAuthenticationFilter @ Request is to process authentication


but not your message.

Tim Donohue

04.08.2020, 11:55:33
to Ciprian Pinzaru, DSpace Technical Support
Have you double checked in your Shibboleth setup that your "email-header" is named "mail"?

I still think this setting looks odd to me:

authentication-shibboleth.email-header = mail

It is completely possible that I'm wrong.  But, almost every error message (and info message) you've passed along references a "null" or "empty" value for "mail" (or email).  That implies to me that this setting may not be correct for your Shibboleth setup.

All that said, I have to admit here, I'm hitting up against the limits of my Shibboleth knowledge.  I'm *not* a Shibboleth expert, but can only advise you on which configurations might not be working as expected.  In this scenario, it seems likely to me that your "email-header" setting is incorrect...but, I don't know what it should be changed to (you may need to talk to your Shibboleth administrator). 

I wish I had better advice, but maybe someone else on this list might have an idea of what is going on.  This doesn't seem like a DSpace 7 specific issue to me, but more like a possible misconfiguration of the DSpace Shibboleth settings.

Tim


darryl....@usask.ca

01.10.2021, 14:38:47
to DSpace Technical Support
Ciprian, did you manage to sort this out?  I'm running into the same situation.  DSpace logs show:

2021-10-01 12:01:34,276 DEBUG unknown unknown org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute uid is empty!
2021-10-01 12:01:34,276 DEBUG unknown unknown org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute mail is empty!
2021-10-01 12:01:34,276 ERROR unknown unknown org.dspace.authenticate.ShibAuthentication @ Shibboleth authentication was not able to find a NetId, Email, or Tomcat Remote user for which to indentify a user from.
2021-10-01 12:01:34,276 DEBUG unknown unknown org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute uid is empty!
2021-10-01 12:01:34,276 DEBUG unknown unknown org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute mail is empty!
2021-10-01 12:01:34,276 DEBUG unknown unknown org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute nickname is empty!
2021-10-01 12:01:34,277 DEBUG unknown unknown org.dspace.authenticate.ShibAuthentication @ ShibAuthentication - attribute sn is empty!
2021-10-01 12:01:34,283 ERROR unknown unknown org.dspace.authenticate.ShibAuthentication @ Unable to register new eperson because we are unable to find an email address along with first and last name for the user.
NetId Header: 'uid'='null' (Optional)
Email Header: 'mail'='null'
First Name Header: 'nickname'='null'
Last Name Header: 'sn'='null'


but /Shibboleth.sso/Session does indeed show that Shib auth was successful and that the attributes returned match my local.cfg values. Nothing else in the logs really stands out as an issue. It seems to me that DSpace isn't getting the Shib attributes. I've tried with ShibHeaders on and off; I have the AJP stuff set up correctly (I think).

I'm curious if and how you managed to get this to work.

Thanks!

Darryl Friesen, BSc
Programmer/Analyst

University of Saskatchewan
ICT / University Library



throwaway 8768629769

14.10.2021, 09:53:33
to DSpace Technical Support
Darryl did you find a solution? I just ran into the same issue.

Kind regards,
Mirko Grothe

Steli Vali

18.10.2021, 10:34:04
to DSpace Technical Support
Hi guys,

I had similar problems.
You need to see what you will receive from the Shibboleth Provider via headers (in /shibboleth/attribute-map.xml). There should be something like uid, mail, givenname etc.
Then in [dspace]/config/modules/authentication-shibboleth.cfg, instead of SHIB_NETID, SHIB_MAIL, SHIB_GIVENNAME etc., put the values from attribute-map.xml.
Hope that will help. I spent an entire week trying to figure it out :))

Kind regards,
Stelica Valianos
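As an added example (not code from this thread, from DSpace or from the Shibboleth SP), here is a small script that does the cross-check Tim and Stelica describe: it reads the "id" values the SP's attribute-map.xml exports and compares them with the *-header settings in authentication-shibboleth.cfg, reporting names the SP never exports (the ones DSpace then logs as "attribute ... is empty!") and names that differ only in letter case. Both input files are constructed samples embedded inline; the OIDs are the standard ones for mail, givenName, sn and eduPersonScopedAffiliation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample attribute-map.xml: each Attribute "id" is the header /
# environment variable name the Shibboleth SP hands to DSpace.
ATTRIBUTE_MAP_XML = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
  <Attribute name="urn:oid:2.5.4.42" id="givenname"/>
  <Attribute name="urn:oid:2.5.4.4" id="sn"/>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation"/>
</Attributes>"""

# Constructed sample of the header settings in authentication-shibboleth.cfg,
# with the stock SHIB-* names still in place for netid and role.
SHIB_CFG = """\
authentication-shibboleth.netid-header = SHIB-NETID
authentication-shibboleth.email-header = mail
authentication-shibboleth.firstname-header = givenName
authentication-shibboleth.lastname-header = sn
authentication-shibboleth.role-header = SHIB-SCOPED-AFFILIATION
"""

HEADER_KEYS = ("netid-header", "email-header", "firstname-header", "lastname-header", "role-header")

def exported_ids(attribute_map_xml):
    """Set of attribute ids the SP exports (works with or without an XML namespace)."""
    root = ET.fromstring(attribute_map_xml)
    return {e.get("id") for e in root.iter()
            if e.tag.rsplit("}", 1)[-1] == "Attribute" and e.get("id")}

def configured_headers(cfg_text):
    """Map each *-header key in the DSpace cfg to its configured value."""
    pat = re.compile(r"^\s*authentication-shibboleth\.([a-z]+-header)\s*=\s*(\S+)", re.M)
    return {k: v for k, v in pat.findall(cfg_text) if k in HEADER_KEYS}

def check_headers(cfg_text, attribute_map_xml):
    """Classify each configured header as 'ok', 'case-mismatch ...' or 'missing'."""
    ids = exported_ids(attribute_map_xml)
    by_lower = {i.lower(): i for i in ids}
    result = {}
    for key, header in configured_headers(cfg_text).items():
        if header in ids:
            result[key] = "ok"
        elif header.lower() in by_lower:
            # HTTP header names are case-insensitive, but environment/AJP attribute
            # names are not, so a case-only difference still deserves a look.
            result[key] = "case-mismatch (SP exports %r)" % by_lower[header.lower()]
        else:
            result[key] = "missing"  # DSpace would log "attribute X is empty!"
    return result
```

Run check_headers() with the real files read from disk; any "missing" entry is a header DSpace will never see, whatever /Shibboleth.sso/Session shows.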

throwaway 8768629769

18.10.2021, 11:17:59
to DSpace Technical Support
Hi Stelica,

I had already figured this out with help from the dspace slack channel, but I appreciate you taking the time to let us know about the solution. I have added the necessary step to the documentation, so that others hopefully don't have to spend as much time on this as we did.


Kind regards,
Mirko Grothe