Upgrade to 6.7.1: issues with Shibboleth
11 views
Skip to first unread message
Alfredo Cosco
Nov 26, 2025, 9:22:22 AM (4 days ago) Nov 26
to Dataverse Users Community
Hello everyone,
Following a major upgrade where we migrated a Dataverse instance from version 6.3 to 6.7.1, we've encountered an issue with Shibboleth: we can no longer log in.
What's puzzling is that both Shibboleth and Apache are hosted on a separate server acting as a reverse proxy to the Dataverse server, with the AJP connector running on port 8009. Apart from the Dataverse upgrade, the network infrastructure has remained unchanged, and the same reverse proxy continues to work correctly for other instances that also use Shibboleth for authentication.
When attempting to log in via Shibboleth, the web page enters a redirect loop, repeatedly sending the user to the IdP (HTTP 302), instead of returning to the Dataverse page.
We set up the shibboleth logs according to the documentation:
edu.harvard.iq.dataverse.LoginPage <FINE>
edu.harvard.iq.dataverse.Shib <FINE>
edu.harvard.iq.dataverse.authorization.groups.impl.shib <FINE>
edu.harvard.iq.dataverse.authorization <FINE>
edu.harvard.iq.dataverse.authorization.providers.shib <FINE>
Following a major upgrade where we migrated a Dataverse instance from version 6.3 to 6.7.1, we've encountered an issue with Shibboleth: we can no longer log in.
What's puzzling is that both Shibboleth and Apache are hosted on a separate server acting as a reverse proxy to the Dataverse server, with the AJP connector running on port 8009. Apart from the Dataverse upgrade, the network infrastructure has remained unchanged, and the same reverse proxy continues to work correctly for other instances that also use Shibboleth for authentication.
When attempting to log in via Shibboleth, the web page enters a redirect loop, repeatedly sending the user to the IdP (HTTP 302), instead of returning to the Dataverse page.
We set up the shibboleth logs according to the documentation:
edu.harvard.iq.dataverse.LoginPage <FINE>
edu.harvard.iq.dataverse.Shib <FINE>
edu.harvard.iq.dataverse.authorization.groups.impl.shib <FINE>
edu.harvard.iq.dataverse.authorization <FINE>
edu.harvard.iq.dataverse.authorization.providers.shib <FINE>
And the only relevant line that we see is:
[2025-11-26T13:37:17.472+0000] [Payara 6.2025.3] [FINE] [] [edu.harvard.iq.dataverse.LoginPage] [tid: _ThreadID=92 _ThreadName=http-thread-pool::jk-connector(3)] [timeMillis: 1764164237472] [levelValue: 500] [CLASSNAME: edu.harvard.iq.dataverse.LoginPage] [METHODNAME: setAuthProviderById] [[
Setting auth provider to shib]]
[2025-11-26T13:37:23.873+0000] [Payara 6.2025.3] [FINE] [] [edu.harvard.iq.dataverse.authorization.groups.impl.shib.ShibGroupServiceBean] [tid: _ThreadID=92 _ThreadName=http-thread-pool::jk-connector(3)] [timeMillis: 1764164243873] [levelValue: 500] [CLASSNAME: edu.harvard.iq.dataverse.authorization.groups.impl.shib.ShibGroupServiceBean] [METHODNAME: findFor] [[
IdP for user @USERNAME is null]]
[2025-11-26T13:37:40.142+0000] [Payara 6.2025.3] [FINE] [] [edu.harvard.iq.dataverse.authorization.groups.impl.shib.ShibGroupServiceBean] [tid: _ThreadID=91 _ThreadName=http-thread-pool::jk-connector(2)] [timeMillis: 1764164260142] [levelValue: 500] [CLASSNAME: edu.harvard.iq.dataverse.authorization.groups.impl.shib.ShibGroupServiceBean] [METHODNAME: findFor] [[
IdP for user @OTHERUSRNAME is null]]
Are there any new configuration settings or changes introduced in this version that we should review?
Thanks,
Alfredo
[2025-11-26T13:37:17.472+0000] [Payara 6.2025.3] [FINE] [] [edu.harvard.iq.dataverse.LoginPage] [tid: _ThreadID=92 _ThreadName=http-thread-pool::jk-connector(3)] [timeMillis: 1764164237472] [levelValue: 500] [CLASSNAME: edu.harvard.iq.dataverse.LoginPage] [METHODNAME: setAuthProviderById] [[
Setting auth provider to shib]]
[2025-11-26T13:37:23.873+0000] [Payara 6.2025.3] [FINE] [] [edu.harvard.iq.dataverse.authorization.groups.impl.shib.ShibGroupServiceBean] [tid: _ThreadID=92 _ThreadName=http-thread-pool::jk-connector(3)] [timeMillis: 1764164243873] [levelValue: 500] [CLASSNAME: edu.harvard.iq.dataverse.authorization.groups.impl.shib.ShibGroupServiceBean] [METHODNAME: findFor] [[
IdP for user @USERNAME is null]]
[2025-11-26T13:37:40.142+0000] [Payara 6.2025.3] [FINE] [] [edu.harvard.iq.dataverse.authorization.groups.impl.shib.ShibGroupServiceBean] [tid: _ThreadID=91 _ThreadName=http-thread-pool::jk-connector(2)] [timeMillis: 1764164260142] [levelValue: 500] [CLASSNAME: edu.harvard.iq.dataverse.authorization.groups.impl.shib.ShibGroupServiceBean] [METHODNAME: findFor] [[
IdP for user @OTHERUSRNAME is null]]
Are there any new configuration settings or changes introduced in this version that we should review?
Thanks,
Alfredo
Reply all
Reply to author
Forward
0 new messages