Shibboleth Setup Trouble


librarysy...@gmail.com

Feb 22, 2018, 5:58:37 PM
to DSpace Technical Support
I'm trying to get Shibboleth to work with a new DSpace 6 installation on CentOS 7 running Apache 2.4.  I have both password and Shibboleth authentication enabled.  This gives me the opportunity to hover over the Shibboleth login link.  The link shows this URL:


or, with all the placeholders exchanged:


When I click the link, our standard Shibboleth login box appears.  I enter credentials and then I get the error message:

"No peer endpoint available to which to send SAML response"

The fellow who maintains the Identity Provider says it logs the AssertionConsumerServiceURL as:


Putting two and two together, it seems the IdP can't contact the SP because it's trying to hit port 8080.  Since I have Apache doing reverse proxy, the IdP needs to hit the base URL, but I can't find a way to change it.  Here are the relevant lines from the Apache main config:

# Send requests for / to /ourschool-ir
RedirectMatch ^/$ /ourschool-ir
# Redirect http to https
Redirect permanent /ourschool-ir https://rc.library.ourschool.edu/ourschool-ir


And from the Apache virtual server config:

<Location />
        # Configure Shibboleth for "lazy" authentication
        AuthType shibboleth
        ShibUseHeaders on
        Require shibboleth
</Location>
<Location /Shibboleth.sso>
        # Suggested by DSpace docs
        ProxyPass !
        SetHandler shib
</Location>
        ProxyPass /ourschool-ir http://rc.library.ourschool.edu:8080/ourschool-ir
        ProxyPassReverse /ourschool-ir http://rc.library.ourschool.edu:8080/ourschool-ir
</VirtualHost>


Any clues greatly appreciated.

Glenn

Tim Donohue

Feb 23, 2018, 2:30:34 PM
to librarysy...@gmail.com, DSpace Technical Support
Hi Glenn,

Not sure I have a solution, but based on the DSpace documentation, configuring Shibboleth for DSpace requires using Apache (with mod_shib) in front of Tomcat: https://wiki.duraspace.org/display/DSDOC6x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication

Do you have Apache fully working with Tomcat (without Shibboleth)?  It sounds like parts of your application are still using port 8080 (which is obviously going to Tomcat, directly, and bypassing Apache) instead of port 80. The first step here seems to be to get DSpace fully running on port 80.  We have some notes on doing that in the DSpace installation docs at:

The other thing to check is your [dspace]/config/dspace.cfg configuration file.  Specifically, you want to be sure that the "baseURL" in that configuration does NOT include a port number (i.e. it should use port 80).  By default, that baseURL uses port 8080 (which would tell DSpace to generate URLs back to itself using port 8080), e.g.

dspace.baseUrl = http://localhost:8080 

So, per your examples,  I'd expect your baseURL should be simply "http://rc.library.ourschool.edu".

Here's where that configuration is in your dspace.cfg file: https://github.com/DSpace/DSpace/blob/master/dspace/config/dspace.cfg#L29

Hopefully that helps some! If you figure it out, let us know...or report back on this list if you have further questions.

Tim

--
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org

librarysy...@gmail.com

Feb 26, 2018, 1:21:13 PM
to DSpace Technical Support
Tim,

Thanks for your reply.  After a lot of head-scratching, we found that the Apache directive, "ProxyPreserveHost On" was necessary to make Shibboleth create the proper target URL for callback.  So now the end of our virtual server config file looks like this:

        ProxyPreserveHost On
        ProxyPass /ourschool-ir http://rc.library.ourschool.edu:8080/ourschool-ir
        ProxyPassReverse /ourschool-ir http://rc.library.ourschool.edu:8080/ourschool-ir
</VirtualHost>
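The mismatch this thread chased (an AssertionConsumerService URL carrying Tomcat's port 8080 instead of the public base URL) can be spotted on the SP side before an IdP reports "No peer endpoint available", by reading the metadata the Shibboleth SP serves at /Shibboleth.sso/Metadata by default. The check below is an added example, not code from the thread, DSpace or Shibboleth; it parses a constructed sample of that metadata and flags every ACS Location whose scheme, host or port differs from the expected public URL.

```python
"""Flag Shibboleth SP AssertionConsumerService endpoints that expose an
internal host:port (e.g. Tomcat on 8080) instead of the public base URL."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample (hypothetical, not real SP output) of what
# /Shibboleth.sso/Metadata can return when the backend Host header leaks
# into generated URLs: one ACS endpoint points at port 8080.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://rc.library.ourschool.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://rc.library.ourschool.edu:8080/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://rc.library.ourschool.edu/Shibboleth.sso/SAML2/Artifact" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def _origin(url):
    """Normalise a URL to (scheme, host, port), filling in the default port."""
    u = urlparse(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))

def acs_locations(metadata_xml):
    """Return every AssertionConsumerService Location in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [el.get("Location")
            for el in root.iterfind(".//md:AssertionConsumerService", NS)]

def mismatched_acs(metadata_xml, public_base_url):
    """Return ACS Locations an IdP could not reach at the public base URL.

    Any entry here is a candidate for the 'No peer endpoint available to
    which to send SAML response' error seen in the thread."""
    expected = _origin(public_base_url)
    return [loc for loc in acs_locations(metadata_xml) if _origin(loc) != expected]

if __name__ == "__main__":
    for loc in mismatched_acs(SAMPLE_METADATA, "https://rc.library.ourschool.edu"):
        print("ACS endpoint not reachable via the public base URL:", loc)
```

Against a live SP, feed the output of `curl -s https://rc.library.ourschool.edu/Shibboleth.sso/Metadata` to `mismatched_acs` with the site's public base URL; after the `ProxyPreserveHost On` fix the list should be empty.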