Dataverse, Shibboleth and Apache proxy


Thierry Louge

May 29, 2020, 9:58:52 AM
to Dataverse Users Community
Hi all!
We've been using Dataverse for some months now, and would like to provide this service to our users (we run a computing centre).
We plan to use Shibboleth for authenticating users. So far, so good: we ran tests with Shibboleth and Dataverse on the same machine and it works like a charm.
Now, we run several services apart from Dataverse and we'd like to authenticate users once and for all.
Dataverse is served from a machine that is behind an Apache proxy.
This Apache reverse proxy runs Shibboleth and authenticates users. This works. When the user goes to the Dataverse that runs on another machine, the parameters of the authentication are not accessible to Dataverse.
The glassfish server error is the following:

[2020-05-29T14:19:12.438+0200] [glassfish 4.1] [INFO] [] [edu.harvard.iq.dataverse.Shib] [tid: _ThreadID=28 _ThreadName=http-listener-1(3)] [timeMillis: 1590754752438] [levelValue: 800] [[
  The SAML assertion for "Shib-Identity-Provider" was null. Please contact support.]]

What we can't figure out at the moment is that if we launch a PHP page on the machine hosting Dataverse and we gather those parameters (the "Shib-Identity-Provider" mentioned in the error, for example), we do find them. But for some reason, Dataverse doesn't.
Last thing, we stopped the Shibboleth daemon on the machine hosting Dataverse before doing those tests.

If anyone has figured out how to get an equivalent configuration running, we'd appreciate some help, or any clue on something that could lead us on the way.
Thanks in advance, and cheers!

Philip Durbin

May 29, 2020, 11:37:25 AM
to dataverse...@googlegroups.com
I'm glad you're having at least partial success with Dataverse and Shibboleth. :)

I'm a little confused about your setup. How many installations of Dataverse do you have?

For the installation that's giving an error, after you log in do you see attributes at https://demo.dataverse.org/Shibboleth.sso/Session (for your hostname)?

Thanks,

Phil

p.s. If you'd like your installation to be on our map, please feel free to open an issue at https://github.com/IQSS/dataverse-installations/issues :)

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-commu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/cd4c4195-f8e3-4c2e-9b0e-373288e6c211%40googlegroups.com.



Thierry Louge

Jun 2, 2020, 9:36:57 AM
to Dataverse Users Community
Hi Philip, thanks for your reply.
We managed to solve the problem. As a matter of fact, we use a Dataverse instance inside an LXC container behind a proxy that is also an LXC container.
The problem was that, once the user was identified through Shibboleth on the proxy, the HTTP headers were sent as they are supposed to be. But Glassfish doesn't read those headers; it reads environment variables. The guy in charge of Apache used a directive on the Apache server (I don't remember which one he told me) that allows the HTTP headers to be passed as environment variables. This way it works fine, as Glassfish reads them correctly!


Philip Durbin

Jun 2, 2020, 10:19:45 AM
to dataverse...@googlegroups.com
Great news! I'm glad you got it working. Yeah, we require the use of environment variables rather than headers for security reasons. For details, please see https://github.com/IQSS/dataverse/issues/2294
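
The two-host layout discussed in this thread, as an added configuration sketch (not taken from the thread, and not the posters' or the Dataverse project's own configuration): option A keeps the attributes out of HTTP headers altogether, option B converts headers on the Dataverse host and restricts who may send them. The hostnames, the 192.0.2.10 proxy address, the presence of Apache on the Dataverse host and the use of SetEnvIf are assumptions; the thread does not name the directive that was actually used.

```apache
# ---- Option A: front proxy speaks AJP directly to Glassfish ----------
# Front proxy, running mod_shib.
<Location />
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
    # Environment-only export is mod_shib's default; header export stays off.
    ShibUseHeaders Off
</Location>

# With attributePrefix="AJP_" on <ApplicationDefaults> in shibboleth2.xml,
# mod_proxy_ajp forwards every AJP_* variable as an AJP request attribute
# (prefix removed), so no attribute travels as a client-settable header.
# AJP has no authentication of its own: firewall port 8009 on the backend
# so that only the front proxy can reach it.
ProxyPassMatch ^/Shibboleth.sso !
ProxyPass / ajp://dataverse-backend.example:8009/

# ---- Option B: attributes reach the Dataverse host as HTTP headers ---
# Apache on the Dataverse host (assumed). The front proxy must overwrite
# any client-supplied copies of these headers before forwarding.
<VirtualHost *:80>
    ServerName dataverse-backend.example

    # Only the front proxy may connect. Any other client that reaches this
    # vhost could supply its own Shib-* headers and they would be trusted.
    <Location />
        Require ip 192.0.2.10
    </Location>

    # Copy the header into an AJP_-prefixed variable so that it reaches
    # Glassfish as a request attribute. Repeat for each attribute needed.
    SetEnvIf Shib-Identity-Provider "^(.+)$" AJP_Shib-Identity-Provider=$1

    ProxyPass / ajp://localhost:8009/
</VirtualHost>
```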
