Upgrade to 6.7.1: issues with Shibboleth


Alfredo Cosco

Nov 26, 2025, 9:22:22 AM
to Dataverse Users Community
Hello everyone,

Following a major upgrade where we migrated a Dataverse instance from version 6.3 to 6.7.1, we've encountered an issue with Shibboleth: we can no longer log in.

What's puzzling is that both Shibboleth and Apache are hosted on a separate server acting as a reverse proxy to the Dataverse server, with the AJP connector running on port 8009. Apart from the Dataverse upgrade, the network infrastructure has remained unchanged, and the same reverse proxy continues to work correctly for other instances that also use Shibboleth for authentication.

When attempting to log in via Shibboleth, the web page enters a redirect loop, repeatedly sending the user to the IdP (HTTP 302), instead of returning to the Dataverse page.

We set up the Shibboleth logs according to the documentation:
edu.harvard.iq.dataverse.LoginPage <FINE>
edu.harvard.iq.dataverse.Shib <FINE>
edu.harvard.iq.dataverse.authorization.groups.impl.shib <FINE>
edu.harvard.iq.dataverse.authorization <FINE>
edu.harvard.iq.dataverse.authorization.providers.shib <FINE>

And the only relevant line that we see is:


[2025-11-26T13:37:17.472+0000] [Payara 6.2025.3] [FINE] [] [edu.harvard.iq.dataverse.LoginPage] [tid: _ThreadID=92 _ThreadName=http-thread-pool::jk-connector(3)] [timeMillis: 1764164237472] [levelValue: 500] [CLASSNAME: edu.harvard.iq.dataverse.LoginPage] [METHODNAME: setAuthProviderById] [[
  Setting auth provider to shib]]

[2025-11-26T13:37:23.873+0000] [Payara 6.2025.3] [FINE] [] [edu.harvard.iq.dataverse.authorization.groups.impl.shib.ShibGroupServiceBean] [tid: _ThreadID=92 _ThreadName=http-thread-pool::jk-connector(3)] [timeMillis: 1764164243873] [levelValue: 500] [CLASSNAME: edu.harvard.iq.dataverse.authorization.groups.impl.shib.ShibGroupServiceBean] [METHODNAME: findFor] [[
  IdP for user @USERNAME is null]]

[2025-11-26T13:37:40.142+0000] [Payara 6.2025.3] [FINE] [] [edu.harvard.iq.dataverse.authorization.groups.impl.shib.ShibGroupServiceBean] [tid: _ThreadID=91 _ThreadName=http-thread-pool::jk-connector(2)] [timeMillis: 1764164260142] [levelValue: 500] [CLASSNAME: edu.harvard.iq.dataverse.authorization.groups.impl.shib.ShibGroupServiceBean] [METHODNAME: findFor] [[
  IdP for user @OTHERUSRNAME is null]]

Are there any new configuration settings or changes introduced in this version that we should review?

Thanks,
Alfredo


Philip Durbin

Dec 1, 2025, 9:53:12 AM
to dataverse...@googlegroups.com
Hi Alfredo,

I'm sorry to hear you're having trouble with your upgrade. I can't think of any reason why Shibboleth login has stopped working.

I like to check the "Session" page to make sure it's populated. You can find an example of expected values here: https://guides.dataverse.org/en/6.7.1/installation/shibboleth.html#exchange-metadata-with-your-identity-provider

Since IdP is null, I would double-check that you have `attributePrefix="AJP_"` in your config. This is described here: https://guides.dataverse.org/en/6.7.1/installation/shibboleth.html#shibboleth2-xml

I hope this helps,

Phil
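
The configuration check suggested in the reply above, as an added example that is not part of the thread or of the Dataverse project's code: it parses a shibboleth2.xml and reports whether `attributePrefix="AJP_"` is set. It assumes the attribute sits on the `ApplicationDefaults` element; the sample XML and the host name in it are constructed.

```python
import sys
import xml.etree.ElementTree as ET

EXPECTED_PREFIX = "AJP_"  # value named in the reply above

# Constructed sample (not from the thread): trimmed shibboleth2.xml without the prefix.
SAMPLE_MISSING = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://dataverse.example.edu/sp" REMOTE_USER="eppn">
    <Sessions lifetime="28800" timeout="3600" handlerSSL="true"/>
  </ApplicationDefaults>
</SPConfig>"""
SAMPLE_OK = SAMPLE_MISSING.replace('REMOTE_USER="eppn"',
                                   'REMOTE_USER="eppn" attributePrefix="AJP_"')
SAMPLE_WRONG_CASE = SAMPLE_OK.replace("AJP_", "ajp_")


def check_attribute_prefix(xml_text):
    """Return a list of problem strings; an empty list means the prefix is set."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    # Match on the local name so different SP config namespaces both work.
    defaults = [e for e in root.iter()
                if e.tag.rsplit("}", 1)[-1] == "ApplicationDefaults"]
    if not defaults:
        return ["no <ApplicationDefaults> element found"]
    problems = []
    for elem in defaults:
        prefix = elem.get("attributePrefix")
        entity = elem.get("entityID", "<no entityID>")
        if prefix is None:
            problems.append(f"{entity}: attributePrefix is missing")
        elif prefix != EXPECTED_PREFIX:
            problems.append(
                f"{entity}: attributePrefix is {prefix!r}, expected {EXPECTED_PREFIX!r}")
    return problems


if __name__ == "__main__":
    # Pass the path to shibboleth2.xml, or run with no argument to use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MISSING
    issues = check_attribute_prefix(text)
    print("\n".join(issues) if issues else "attributePrefix is set to AJP_")
    sys.exit(1 if issues else 0)
```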
