Error when attempting Shibboleth integration

212 views
Skip to first unread message

Alexander Ivanov

unread,
Jul 27, 2016, 1:30:29 PM7/27/16
to Dataverse Users Community

Hey Guys,

We're in the process of configuring SSO to integrate Dataverse with the QDR site.

I'm now attempting to configure Shibboleth as the SP for Dataverse, following this guide:
http://guides.dataverse.org/en/latest/installation/shibboleth.html

I've done everything as instructed in the guide, but when I attempt to verify my Metadata url (path: /Shibboleth.sso/MetaData) I get the following error:

shibsp::ConfigurationException


shibsp::ConfigurationException at (https://dv.stage.qdr.org/Shibboleth.sso/MetaData)

Shibboleth handler invoked at an unconfigured location.


I think that something must not be configured correctly.  I'm hoping there's somebody with experience in Shibboleth who could point me in the right direction.. Please help!


Thanks a lot,
Alex

Philip Durbin

unread,
Jul 27, 2016, 2:03:54 PM7/27/16
to dataverse...@googlegroups.com
Hi! The first thing is that you seem to be running Dataverse 4.3 (v. 4.3 build 23-b39c957) so I'd recommend upgrading to 4.3.1 and then 4.4 which has some bug fixes having to do with Shibboleth.

Now, on to the fix. :)

Rather than "MetaData" you need to use "Metadata" with a small "d" like this:

https://dv.stage.qdr.org/Shibboleth.sso/Metadata

I can't take any credit for this answer. I googled a bit and asked at http://irclog.perlgeek.de/shibboleth/2016-07-27 where "cyberlard" instantly had the answer! Thanks, cyberlard! :)

That's ##shibboleth on freenode: http://shibboleth.net/pipermail/users/2013-February/008097.html

Phil

p.s. I met Nic and Sebastian from QDR at http://projects.iq.harvard.edu/dcm2016 and I'm highly interested in knowing how the integration is going with Drupal as a Shibboleth Identity Provider (IdP). I guess that's more on topic at https://groups.google.com/d/msg/dataverse-community/VjTHzWjP4NU/mPGOObw2BgAJ however, so if you'd like to post a follow message to that other thread (or start a new one) some day I'd appreciate it!

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-commu...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/6f6a9e60-1a9c-48f0-963f-900bb5df3e1f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--

Alexander Ivanov

unread,
Jul 28, 2016, 12:14:27 PM7/28/16
to Dataverse Users Community, philip...@harvard.edu
Hi Phil,

Thank you for your fast reply.  Indeed, everything was configured correctly for our Shibboleth SP, I had just missed that little detail in the url.

ps. Our SSO implementation is moving along.  I configured the IdP using SimpleSAMLPHP, along with the drupalas module to connect it to our Drupal installation.  Now the SP is configured with Shibboleth, and it's just a matter of connecting them together.  Nic and Sebastian told me that they had met you at the meetup.. it is a shame I couldn't make it!

My Best,
Alex


On Wednesday, July 27, 2016 at 2:03:54 PM UTC-4, Philip Durbin wrote:
Hi! The first thing is that you seem to be running Dataverse 4.3 (v. 4.3 build 23-b39c957) so I'd recommend upgrading to 4.3.1 and then 4.4 which has some bug fixes having to do with Shibboleth.

Now, on to the fix. :)

Rather than "MetaData" you need to use "Metadata" with a small "d" like this:

https://dv.stage.qdr.org/Shibboleth.sso/Metadata

I can't take any credit for this answer. I googled a bit and asked at http://irclog.perlgeek.de/shibboleth/2016-07-27 where "cyberlard" instantly had the answer! Thanks, cyberlard! :)

That's ##shibboleth on freenode: http://shibboleth.net/pipermail/users/2013-February/008097.html

Phil

p.s. I met Nic and Sebastian from QDR at http://projects.iq.harvard.edu/dcm2016 and I'm highly interested in knowing how the integration is going with Drupal as a Shibboleth Identity Provider (IdP). I guess that's more on topic at https://groups.google.com/d/msg/dataverse-community/VjTHzWjP4NU/mPGOObw2BgAJ however, so if you'd like to post a follow message to that other thread (or start a new one) some day I'd appreciate it!
On Wed, Jul 27, 2016 at 1:30 PM, Alexander Ivanov <al...@calmforce.com> wrote:

Hey Guys,

We're in the process of configuring SSO to integrate Dataverse with the QDR site.

I'm now attempting to configure Shibboleth as the SP for Dataverse, following this guide:
http://guides.dataverse.org/en/latest/installation/shibboleth.html

I've done everything as instructed in the guide, but when I attempt to verify my Metadata url (path: /Shibboleth.sso/MetaData) I get the following error:

shibsp::ConfigurationException


shibsp::ConfigurationException at (https://dv.stage.qdr.org/Shibboleth.sso/MetaData)

Shibboleth handler invoked at an unconfigured location.


I think that something must not be configured correctly.  I'm hoping there's somebody with experience in Shibboleth who could point me in the right direction.. Please help!


Thanks a lot,
Alex

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.

Alexander Ivanov

unread,
Aug 8, 2016, 7:37:57 PM8/8/16
to Dataverse Users Community, philip...@harvard.edu
Hi guys,

So now I've configured the SP to properly authenticate against the IdP, and I'm in the process of configuring the metadata schema.

I keep getting this error after attempting to log into Dataverse via the IdP (when redirected to /shib.xhtml)
 Problem with Identity Provider The SAML assertion for "eppn" was null. Please contact support.            

When I go to check /Shibboleth.sso/Session I see that I have an active SSO session, and my Drupal attributes are coming through:
Attributes
cn: alex.iv...@gmail.com
mail: alex.iv...@gmail.com
uid: 1

However, my simpleSamlPhp Idp does not have an eppn attribute to send.  I would rather use mail as the unique identifier.  Is it possible to configure Dataverse Shibboleth integration to work without the eppn attribute? 

Alternately, I need to come up with a way to make my IdP to send the mail attribute in such a way that Shibboleth recognizes it as the eppn, but so far I've been unsuccessful.

Your advice will be highly appreciated.  Thanks in advance.

Donald Sizemore II

unread,
Aug 9, 2016, 7:20:24 AM8/9/16
to Dataverse Users Community
Hello =)

Phil's on vacation. While I'm no Phil, I believe at present Dataverse indeed depends on eppn as a unique identifier rather than mail, along with the Research and Scholarly Attribute bundle:
https://spaces.internet2.edu/display/InCFederation/Research+and+Scholarship+Attribute+Bundle

eppn, at least at UNC, appears in the form 'acc...@unc.edu' so if you're able to derive something suitable from the e-mail attribute and send that from SimpleSAMLPHP you might make Dataverse happy?

Donald

danny...@g.harvard.edu

unread,
Aug 9, 2016, 9:07:32 AM8/9/16
to Dataverse Users Community
Thanks Don! 

Alex - I am also no Phil, but let me know if the solution that Don suggests works for you. If not, we can dig deeper on this side. 

Thanks!

- Danny

Alexander Ivanov

unread,
Aug 9, 2016, 1:56:12 PM8/9/16
to Dataverse Users Community
Thanks Don and Danny.

So we have a database full of users who registered for the QDR site with a variety of email addresses, many of which do not end in ".edu".  Therefore, by definition, we do not have an eduPersonPrincipalName for each of our users.  I have to find a way to use their email addresses as their eppns, although they do not conform to the eppn format, if this is even possible

I have configured the Shibboleth attribute-map.xml to accept a custom attribute ( roles ) from our IdP, along with uid, mail, givenName, sn.  The only thing now missing from the minimal subset of the R&S attribute bundle is the eppn.

I have tried, but it seems that I cannot configure a custom attribute named eppn the same way that I can configure new custom attributes, such as roles.  I'll try sending an email to the Shibboleth mailing list to ask if a custom configuration is possible for eppn.  If not, then we either need to modify our Dataverse to skip the SAML assertion for "eppn" ( I have no idea how difficult this would be ) or we just give up on our SimpleSaml IdP (which is connected to our existing Drupal site and Drupal user base) and set up a brand new Shibboleth IdP and make all our users create new accounts..

Alexander Ivanov

unread,
Aug 9, 2016, 3:34:27 PM8/9/16
to Dataverse Users Community
Relevant thread in Shibboleth mailing list:

It seems that I should be able to populate the EPPN attribute with the email address.. I need to try this with my IdP

danny...@g.harvard.edu

unread,
Aug 11, 2016, 9:27:10 AM8/11/16
to Dataverse Users Community
Alex - it sounds like you're not blocked and that you're still experimenting on your side, but let me know if this is incorrect if you need anything from us before next week. I did see Scott's note about requiring a header called EPPN - we can look into that on this side! 

Thanks,

Danny

Alexander Ivanov

unread,
Aug 11, 2016, 1:23:08 PM8/11/16
to Dataverse Users Community
Hi Danny,

Yes, I've been experimenting with how I can make this integration work with our IdP, which is SimpleSamlPhp, with the drupalas module for SimpleSamlPhp connecting to our drupal database.

I'm having trouble setting the "eppn" attribute using our current IdP.  The way that I set all other attributes does not work for "eppn".  At this point, it seems I would have to dig into the inner workings of SimpleSamlPhp and the drupalas module, and possible modify the drupalas module, in order to make this work.

It would certainly be much better if we could configure our Dataverse installation not to require the "eppn" attribute, and use "mail" attribute instead as the unique identifier.  Please let me know if this would be at all possible.  If not, I think we may abandon the SimpleSamlPhp IdP and set up a new Shibboleth IdP, which would require all of our users to re-register for the site

My Best,
Alex

Philip Durbin

unread,
Aug 15, 2016, 10:46:26 AM8/15/16
to dataverse...@googlegroups.com
Hi Alex,

Good research on all this. I've been discussing this at http://irclog.perlgeek.de/shibboleth/2016-08-15 , reading through the Shib users post you mentioned, and poking around at the SimpleSAMLphp docs.

I feel like there are a few configuration directions we could pursue without changing any code in Dataverse or SimpleSAMLphp.

I'm wondering if SimpleSAMLphp uses "NameID" rather than "eppn", which is an attribute I mentioned at https://github.com/IQSS/dataverse/issues/1422

The "authproc" config for SimpleSAMLphp is documented at https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted and there's an example at https://simplesamlphp.org/docs/stable/saml:nameid that says "This example makes three NameIDs available" which includes eduPersonPrincipalName (eppn).

I have some other ideas too* but it might be easier to explore these in real time, such as at http://chat.dataverse.org so if you want to pop in there and make some noise, I'm around all week.

I hope this helps!

Phil

* Some potential attribute-policy.xml hacking to try: https://shibboleth.net/pipermail/users/2013-July/010958.html






To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsubscribe...@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Alexander Ivanov

unread,
Aug 15, 2016, 7:32:18 PM8/15/16
to Dataverse Users Community, philip...@harvard.edu
Hi Phil,

I finally got this to work!  The eppn assertion error went away after I re-defined eppn as a non-scoped attribute.  I modified attribute-map.xml and removed the AttributeDecoder from the eppn definition.  I also commented out the AttributeRule for eppn in attribute-policy.xml, although this might be unnecessary after the change to attribute-map.

We still need to decide if we are going to use this SSO solution, or set up a Shibboleth IdP.  There are some advantages that a Shibboleth IdP would have over this implementation of SimpleSamlPhp + drupalas module

Thank you for all your help.  We will likely have some additional questions as we proceed with the implementation.  I'm just glad this error is resolved

My Best,
Alex
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/6f6a9e60-1a9c-48f0-963f-900bb5df3e1f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.

Philip Durbin

unread,
Aug 16, 2016, 9:39:11 AM8/16/16
to dataverse...@googlegroups.com
Great news, Alex! I'm thrilled that you got Dataverse to authenticate against a SimpleSAMLphp Identity Provider (IdP). I already followed up on the thread you started on the Shib list: http://shibboleth.1660669.n2.nabble.com/Using-a-custom-attribute-as-the-eppn-td7627431.html . Perhaps the Shib community can further advise you on operating SimpleSAMLphp vs. some other IdP. It's really up to you, of course, and I know very little about how to run an IdP.

At http://guides.dataverse.org/en/4.4/installation/shibboleth.html#attribute-map-xml we provide a sample /etc/shibboleth/attribute-map.xml that we know works with Dataverse. If you could send us the "diff" of your file vs. the sample file, I'd appreciate it. If it's easier to simply create a GitHub issue and upload your working file there, that's fine. :)

Thanks!

Phil

To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsubscribe...@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsubscribe...@googlegroups.com.

To post to this group, send email to dataverse...@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Alexander Ivanov

unread,
Aug 29, 2016, 6:58:12 PM8/29/16
to Dataverse Users Community, philip...@harvard.edu
Hey Phil,

Sorry for the delay.  I've attached a diff for my modified /etc/shibboleth/attribute-map.xml file.  As I mentioned previously, I also modified the attribute-policy.xml file to remove the AttributeRule for attributeID="eppn".  I'm not certain that this change was also necessary after the change to attribute-map.xml, but since this configuration worked for us I'm including both diffs

Thanks for all your help so far.  Currently we're testing out using Shibboleth as our IdP, as opposed to SimpleSamlPhp.  I will let you know how the integration with Dataverse goes.  Thanks again.

My Best,
Alex
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.
attribute-map.xml.diff
attribute-policy.xml.diff

Philip Durbin

unread,
Sep 1, 2016, 9:30:50 AM9/1/16
to dataverse...@googlegroups.com
Hi Alex, this is perfect. Thanks! I just wanted to have it captured somewhere what you had to do to get SimpleSAMLphp working with Dataverse. Those diffs really hit the spot. :)

Please do keep us all posted on your authentication adventures!

Phil

To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsubscribe...@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsubscribe...@googlegroups.com.

To post to this group, send email to dataverse...@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsubscribe...@googlegroups.com.

To post to this group, send email to dataverse...@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages