Shibboleth - "Shib-Identity-Provider" was null


Virgile Jarrige

Oct 1, 2020, 9:27:11 AM
to Dataverse Users Community
Hello again,

We can go through the whole process of Shibboleth identification, but when we come back from our Authentication system (CAS 6) we only see "Account information" with... no information. ^^

Shibboleth.sso/Metadata is populated, but the Payara logs don't look so good:

```
[2020-10-01T15:04:50.286+0200] [Payara 5.2020] [INFO] [] [edu.harvard.iq.dataverse.Shib] [tid: _ThreadID=92 _ThreadName=http-thread-pool::jk-connector(5)] [timeMillis: 1601557490286] [levelValue: 800] [[
The SAML assertion for "Shib-Identity-Provider" was null. Please contact support.]]
```

If I understood right, "Shib-Identity-Provider" is an environment attribute. Any idea why it can't read its value?

Take care,

Virgile

Philip Durbin

Oct 1, 2020, 11:22:43 AM
to dataverse...@googlegroups.com
Hi Virgile,

After logging in, how does https://dataverse.example.edu/Shibboleth.sso/Session (using your hostname) look? It's supposed to look something like this:

```
Miscellaneous
Session Expiration (barring inactivity): 479 minute(s)
Client Address: 75.69.182.6
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: https://samltest.id/saml/idp
Authentication Time: 2019-11-28T01:23:28.381Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)

Attributes
displayName: Rick Sanchez
eppn: rsan...@samltest.id
givenName: Rick
mail: rsan...@samltest.id
sn: Sanchez
telephoneNumber: +1-555-555-5515
uid: rick
```


If you don't see attributes like eppn, that's bad. Sometimes this is because the attributePrefix="AJP_" is missing from your shibboleth2.xml file. For more on this see http://guides.dataverse.org/en/5.0/installation/shibboleth.html#shibboleth2-xml

Recently someone solved the problem with a fix I've never seen before:

"The problem was that, once identified through shibboleth on the proxy the http headers were sent as they are supposed to. But, Glassfish doesn't read those headers and reads environment variables. The guy in charge of apache used a directive on the apache server (I don't remember which one he told me) that allows the http headers to be passed as environment variables. This way, it works fine as glassfish reads them correctly!"


I hope this helps,

Phil

p.s. I've noticed you're in https://chat.dataverse.org sometimes. Don and I talk about Shibboleth a lot there and either one of us can probably help you troubleshoot, during business hours. :)


Virgile Jarrige

Oct 2, 2020, 3:58:24 AM
to Dataverse Users Community
Hi Phil,

Thank you for your detailed answer!

/Shibboleth.sso/Session is correctly populated (I think!):

```
Miscellaneous
Session Expiration (barring inactivity): 478 minute(s)
Client Address: xxx.xxx.203.206
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: https://idp-preprod.xxxxxxx.xxx/idp/shibboleth
Authentication Time: 2020-10-02T07:48:03.448Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)

Attributes
affiliation: mem...@unistra.fr;empl...@unistra.fr
email: virgile...@unistra.fr
entitlement: urn:mace:terena.org:tcs:personal-user
eppn: virgile...@unistra.fr
givenName: Virgile
persistent-id: https://idp-preprod.xxxxxx.xxx/idp/shibboleth!https://xxxxxxxxx.unistra.fr!emwU2i4v6CktMOtMDhaf4HQhCv8=
sn: Jarrige
```

We're also using an Apache proxy server for Shibboleth, so I guess it's the same issue. Thank you for pointing to that thread; I will ask our "Shibboleth expert" if he can sort this out.

Thank you again for your answer, and I will try my luck sometimes on the chat, even though the beginning of your day is the end of mine. ;-)

Take care,

Virgile

konstantinos alexandris

Oct 5, 2020, 6:03:58 AM
to Dataverse Users Community
Hello, do you have any update on this? I have the exact same issue. My /Session returns all attributes correctly, but I get "The SAML assertion for "Shib-Identity-Provider" was null. Please contact support.", resulting in an empty account page in Dataverse (no authenticated user created in DV).

Virgile Jarrige

Oct 5, 2020, 6:40:18 AM
to Dataverse Users Community
Hi,

For now I'm trying to figure out two things:
- How to transform an environment attribute into a header.
  I think it's "Header set Shib-Identity-Provider ${Shib-Identity-Provider}" to be put in the virtual host, but I need confirmation.
- What security issues it implies.
  When I asked our infrastructure department if we could put that in place, the answer was that this was probably going to be a security issue. And according to https://wiki.shibboleth.net/confluence/display/SP3/AttributeAccess it is "dangerous and difficult to secure."

:-(

If anyone has more info on these, it would be awesome to share! :-)

Take care,

Virgile

konstantinos alexandris

Oct 5, 2020, 7:05:31 AM
to Dataverse Users Community
I messed a little with the Shib.java class in Dataverse. It seems that none of the attributes are passed on the Glassfish request object.
This means that if you manage to fill the missing Shib-Identity-Provider attribute, the same issue will appear for cn, givenMail, mail etc., attributes of the /Shibboleth.sso/Session list.
I tried to enable the directive below in httpd.conf, but it also did nothing (according to the documentation of the Shibboleth SP setup).

```
<Location /Shibboleth.sso>
  SetHandler shib
</Location>
```

konstantinos alexandris

Oct 5, 2020, 9:45:25 AM
to Dataverse Users Community
Resolved. I had also enabled SSL in my Apache. So I had to make the change below in ssl.conf in order to see the attributes in my Dataverse. I hope that this will solve your problem as well. Best Regards.

```
<Location /shib.xhtml>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>
```


Virgile Jarrige

Oct 6, 2020, 4:09:58 AM
to Dataverse Users Community
Hello,

Thank you for your message.

Unfortunately we already have this in our ssl.conf, and it's not working.

I've tried to reach Thierry Louge from the thread Philip mentioned, about this story of a directive that allows the HTTP headers to be passed as environment variables, with no luck so far.

Still stuck...

Take care,

Virgile

konstantinos alexandris

Oct 6, 2020, 4:27:29 AM
to Dataverse Users Community
Please keep in mind that if you have another .conf file that overrides ssl.conf, this Location directive will never be enabled.
However, I still believe that your problem is also a configuration one. Do not forget to restart your httpd service after every change in your confs.
Kostis

Philip Durbin

Oct 6, 2020, 10:30:00 AM
to dataverse...@googlegroups.com
Hi Virgile,

Your "Session" looks good. Any news on the attributePrefix="AJP_" I mentioned earlier?

You should also make sure important attributes aren't commented out in attribute-map.xml. More on that at http://guides.dataverse.org/en/5.0/installation/shibboleth.html#attribute-map-xml

SELinux can cause problems too. (Now, I'm just reading other stuff on that page.) :)

For the record, Dataverse uses attributes (the more secure way) rather than headers. You can read about the details at https://github.com/IQSS/dataverse/issues/2294

I forget if I asked already if you've emailed sup...@dataverse.org. If not, please go ahead, because we can always summarize for the list later. There's also https://chat.dataverse.org if you want to pop in.

Thanks,

Phil

Virgile Jarrige

Oct 9, 2020, 9:38:25 AM
to Dataverse Users Community
Good news! Shibboleth is working! 

There were actually 2 problems:
As we use a mutualised Shibboleth server, we had to add the _AJP attribute as an override.

This generated an error message: Problem with Identity Provider - The SAML assertion for "mail" was null. Please contact support.

By renaming "email" to "mail" ----> it's working!

Many thanks to all of you for your help!

Take care,

Virgile
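As an added diagnostic (not code from Dataverse or the Shibboleth project), the check below parses the two SP files this thread ends on and reports the misconfigurations that were found here: no attributePrefix="AJP_" reaching the application (the shared-SP override case), and an attribute-map.xml where the id Dataverse reads ("mail") is commented out or was mapped under another name ("email"). The sample configs are constructed; the check assumes an ApplicationOverride inherits attributePrefix from ApplicationDefaults unless it sets its own.

```python
import xml.etree.ElementTree as ET

# Attribute ids Dataverse reads from the AJP request; "mail" (not "email") is the one that bit Virgile.
REQUIRED_IDS = ("eppn", "mail", "givenName", "sn")

def _local(tag):
    """Drop the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]

def check_shibboleth2(xml_text):
    """Findings for shibboleth2.xml: every application must export attributes with prefix AJP_."""
    root = ET.fromstring(xml_text)
    defaults = [el for el in root.iter() if _local(el.tag) == "ApplicationDefaults"]
    if not defaults:
        return ["no <ApplicationDefaults> element found"]
    base = defaults[0].get("attributePrefix")
    findings = [] if base == "AJP_" else [f"ApplicationDefaults attributePrefix={base!r}, expected 'AJP_'"]
    # Assumption: an <ApplicationOverride> inherits the prefix unless it sets its own (shared-SP case).
    for ov in root.iter():
        if _local(ov.tag) == "ApplicationOverride" and ov.get("attributePrefix", base) != "AJP_":
            findings.append(f"ApplicationOverride id={ov.get('id')!r} does not export attributes with prefix 'AJP_'")
    return findings

def check_attribute_map(xml_text, required=REQUIRED_IDS):
    """Findings for attribute-map.xml. ElementTree drops XML comments, so a commented-out
    <Attribute> is reported as missing, which is exactly the failure mode Phil describes."""
    root = ET.fromstring(xml_text)
    ids = {el.get("id") for el in root.iter() if _local(el.tag) == "Attribute"}
    findings = [f"attribute id {i!r} is not mapped (missing or commented out)" for i in required if i not in ids]
    if "email" in ids and "mail" not in ids:
        findings.append("found id 'email' but Dataverse expects 'mail'; rename the id")
    return findings

# Constructed samples (not real configs): a shared SP that only sets the prefix on one override,
# and an attribute map where "mail" is commented out and the IdP's attribute was mapped as "email".
SAMPLE_SHIB2 = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.edu/shibboleth" REMOTE_USER="eppn">
    <ApplicationOverride id="dataverse" entityID="https://dataverse.example.edu/sp" attributePrefix="AJP_"/>
    <ApplicationOverride id="wiki" entityID="https://wiki.example.edu/sp"/>
  </ApplicationDefaults>
</SPConfig>"""
SAMPLE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"/>
  <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
  <Attribute name="urn:oid:2.5.4.4" id="sn"/>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="email"/>
  <!-- <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/> -->
</Attributes>"""
```

Run `check_shibboleth2(open("/etc/shibboleth/shibboleth2.xml").read())` and the same for attribute-map.xml on your own host; an empty list from both means the SP side of this thread's two fixes is in place.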

Tanay Karve

Feb 13, 2023, 1:35:16 AM
to Dataverse Users Community
Hello all, hope you are doing well.
I am facing the same issue.
Can you please elaborate on what you meant by " _AJP attribute as an override."?
I already have attributePrefix="AJP_" in my <ApplicationDefaults> tag.
