Erratic behavior when attempting Shibboleth SSO login


Alexander Ivanov

Oct 13, 2016, 8:53:56 PM
to Dataverse Users Community
Dear Dataverse community,

At QDR, we are currently attempting an integration between Dataverse and a Shibboleth IdP.  In a previous thread I had recounted our efforts to integrate with a simpleSamlPHP IdP, but we've gone in a different direction and we now have a newly-configured Shibboleth IdP.

At this point it seems that we have the IdP and the SP configured correctly.  All the necessary attributes are passed from the IdP to the SP.  Upon first login using the Institutional Login dropdown, when the user enters valid credentials for the IdP he is re-directed back to Dataverse.  The user sees the expected page for a new SSO user, which asks the user to confirm account information provided by the IdP to create the Dataverse account, and accept the terms of use.  However, after accepting the terms and clicking Create Account, the user is re-directed back to the Dataverse login page and is not logged in.  Upon a second attempt to login via SSO, when the user is re-directed back to Dataverse (path: dataverse/root) a "403 Forbidden" message is shown and the user is still not logged in.  Upon a third attempt to login via SSO, the user is finally logged in when re-directed back to Dataverse.  If the user logs out of Dataverse, it seems that logging back in via SSO does not work regardless of the number of attempts.  The user is either re-directed to the Dataverse login page or to the 403 Forbidden page, and is not logged in.  I see the following message in the log file:

[2016-10-11T23:28:14.291-0400] [glassfish 4.1] [INFO] [] [edu.harvard.iq.dataverse.authorization.providers.shib.ShibServiceBean] [tid: _ThreadID=48 _ThreadName=jk-connector(1)] [timeMillis: 1476242894291] [levelValue: 800] [[
  javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name]]

Please let me know if you have any ideas on how to resolve this.  Could it be a configuration issue?  I've attached our shibboleth2.xml config file.  I can provide additional logs/config files if it would help.

Thanks in advance for your help.

Regards,
Alex

shibboleth2.xml

Philip Durbin

Oct 13, 2016, 9:38:10 PM
to dataverse...@googlegroups.com

This is going to sound dumb, but for starters, could you try stopping and starting Apache and Glassfish to see if that helps? The behavior you're describing is very strange.


--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.
To post to this group, send email to dataverse-community@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/add802ec-785b-47df-bac5-363937b0db90%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Alexander Ivanov

Oct 14, 2016, 1:09:40 AM
to dataverse...@googlegroups.com
Hi Phil,

Yes, I agree the behavior is very strange.  I just restarted Apache, Glassfish, and the Shibboleth service.  I created a new user in our LDAP directory and when I went through the SSO login process with this new user, I was logged in right away.  However, when I attempted to login as a previously created user, I saw the same behavior as before.  I was re-directed back to the dataverse/root path where I saw a Not Authorized message, and the user was not logged in despite the fact that a valid SSO session was created (see attached).  After another attempt, I was successfully logged in.

I tested SSO logins with 4 different test accounts.  I would say, maybe 50% of the login attempts were successful, while the other 50% resulted in the problem mentioned earlier.  I thought that perhaps it could be related to stale SSO sessions stored in the browser, but the problem occurs when I use Firefox Private mode for testing.

It's a strange issue and I have not yet narrowed down the exact factors that are causing it.  At this point it seems that the logins are succeeding and failing unpredictably.
sso_login1.png
sso_login2.png
sso_login3.png

Alexander Ivanov

Oct 14, 2016, 1:24:12 AM
to dataverse...@googlegroups.com
Attaching two additional images.  Also, I've restarted the servers and reproduced this unsuccessful login with user atest3; the log files are attached.

sso_login4.png
sso_login5.png
server.log
shibd.log

Philip Durbin

Oct 14, 2016, 6:44:14 AM
to dataverse...@googlegroups.com
Huh, I'm getting a 403 when I simply browse to https://dv.stage.qdr.org ("Not Authorized - You are not authorized to view this page. If you believe this is an error, please contact Dataverse Support for assistance.")

Have you published your root dataverse?

Is there an error in server.log when you simply browse to the home page, as above?

Do you see the strange behavior if you create and test with local accounts?

Have you applied the "GRIZZLY-1787" patch mentioned in the Installation Guide?

If none of this helps, can you please send the entire server.log to sup...@dataverse.org?

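A small triage helper for the two artifacts this thread turns on: the GlassFish 4.1 server.log record format shown earlier (bracketed fields followed by a `[[ ... ]]` message that can span lines) and the "does the home page return 403 to an anonymous visitor" question from the checklist above. This is an added example, not code from the thread or from the Dataverse project; the sample log text is constructed from the record format quoted above (the second record and its logger name are invented for illustration), and the reading of `unrecognized_name` as a TLS server-name-indication mismatch is my interpretation of the Java alert, not something the thread states.

```python
"""Triage helper for Dataverse/Shibboleth login problems.

Added example (not Dataverse code). It parses GlassFish ODL-style
server.log records, counts TLS ``unrecognized_name`` alerts raised from
the Shibboleth code path, and combines that with the HTTP status an
anonymous visitor gets for the home page, which is 403 when the root
dataverse has not been published.
"""
import re

# One GlassFish 4.1 record: fixed bracketed fields, then a [[ message ]]
# block that may contain newlines, hence re.DOTALL and a lazy match.
RECORD_RE = re.compile(
    r"\[(?P<timestamp>[^\]]+)\] \[(?P<server>[^\]]+)\] \[(?P<level>[^\]]+)\] "
    r"\[(?P<message_id>[^\]]*)\] \[(?P<logger>[^\]]+)\] \[tid: (?P<tid>[^\]]+)\] "
    r"\[timeMillis: (?P<time_millis>\d+)\] \[levelValue: (?P<level_value>\d+)\] "
    r"\[\[(?P<message>.*?)\]\]",
    re.DOTALL,
)

# Constructed sample: the first record copies the format of the line quoted
# in the thread; the second record (logger "example.constructed.OtherBean")
# is invented so the parser has a non-matching record to skip.
SAMPLE_LOG = """\
[2016-10-11T23:28:14.291-0400] [glassfish 4.1] [INFO] [] [edu.harvard.iq.dataverse.authorization.providers.shib.ShibServiceBean] [tid: _ThreadID=48 _ThreadName=jk-connector(1)] [timeMillis: 1476242894291] [levelValue: 800] [[
  javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name]]

[2016-10-11T23:28:15.002-0400] [glassfish 4.1] [INFO] [] [example.constructed.OtherBean] [tid: _ThreadID=48 _ThreadName=jk-connector(1)] [timeMillis: 1476242895002] [levelValue: 800] [[
  constructed filler record, unrelated to TLS]]
"""


def parse_records(text):
    """Return a list of dicts, one per log record, with the message stripped."""
    records = []
    for match in RECORD_RE.finditer(text):
        record = match.groupdict()
        record["message"] = record["message"].strip()
        records.append(record)
    return records


def find_sni_alerts(records):
    """Records whose message is the JSSE 'unrecognized_name' handshake alert."""
    return [
        r for r in records
        if "SSLProtocolException" in r["message"] and "unrecognized_name" in r["message"]
    ]


def triage(records, home_status):
    """Turn parsed records plus the anonymous home-page HTTP status into findings.

    home_status is the status code an unauthenticated GET of the site root
    returned (the caller obtains it; this function makes no network calls).
    """
    findings = []
    if home_status == 403:
        findings.append(
            "home page returns 403 to an anonymous visitor: check that the root "
            "dataverse is published, otherwise the post-login redirect lands on a "
            "Not Authorized page"
        )
    alerts = find_sni_alerts(records)
    if alerts:
        loggers = ", ".join(sorted({a["logger"] for a in alerts}))
        findings.append(
            f"{len(alerts)} unrecognized_name TLS alert(s) from {loggers}: the "
            "server-side TLS endpoint does not recognise the host name Java sent "
            "as SNI; compare the URL the Shibboleth code path connects to with the "
            "names the front-end vhost answers for"
        )
    return findings


if __name__ == "__main__":
    parsed = parse_records(SAMPLE_LOG)
    # 403 is the status the thread reports for an anonymous visit to the root.
    for finding in triage(parsed, home_status=403):
        print("-", finding)
```

Run against a real server.log by replacing `SAMPLE_LOG` with the file contents and passing the status code from an unauthenticated `GET /` (any HTTP client will do); the two findings are independent, so a log with no TLS alerts still reports the unpublished-root condition when the home page is a 403.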

Alexander Ivanov

Oct 16, 2016, 7:07:41 PM
to dataverse...@googlegroups.com
Hey Phil,

Indeed, our root Dataverse was not Published.  After I changed it to Published, the problem seems to have gone away!  Right now, the integration seems to be working correctly.

Phil, thank you so much for your help!  Hopefully this is the last of our major problems with the SSO integration.


Thanks again,
Alex

Philip Durbin

Oct 17, 2016, 10:30:46 AM
to dataverse...@googlegroups.com
Great! Easy fix. :)

I've documented the need to publish the root dataverse at http://guides.dataverse.org/en/4.5.1/installation/config.html#publishing-the-root-dataverse but perhaps the wording could be improved.
