Shibboleth error - org.dspace.authenticate.ShibAuthentication @ Unable to register new eperson because we are unable to find an email address along with first and last name for the user.

[Snickers]

Hi All,

I am setting up shibboleth authentication and got below error:

eAPIRequestLoggingFilter @ Before request [GET /server/api/authz/authorizations/search/object] originated from /home
2022-08-19 12:47:16,184 INFO  aebd1170-b43b-47f9-b3e4-0990b4b7d105 6cddd761-cb75-418f-8e89-c9a7a99f426e org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [POST /server/api/statistics/viewevents] originated from /home
2022-08-19 12:47:16,193 INFO  aebd1170-b43b-47f9-b3e4-0990b4b7d105 6cddd761-cb75-418f-8e89-c9a7a99f426e org.dspace.usage.LoggerUsageEventListener @ anonymous::view_site:site_id=1d6ea8fd-1ba8-43a8-a12e-ddb97413cfba
2022-08-19 12:47:19,282 ERROR unknown unknown org.dspace.authenticate.ShibAuthentication @ Shibboleth authentication was not able to find a NetId, Email, or Tomcat Remote user for which to indentify a user from.
2022-08-19 12:47:19,282 ERROR unknown unknown org.dspace.authenticate.ShibAuthentication @ Unable to register new eperson because we are unable to find an email address along with first and last name for the user.
  NetId Header: 'uid'='null' (Optional)
  Email Header: 'mail'='null'
  First Name Header: 'givenName'='null'
  Last Name Header: 'surname'='null'
2022-08-19 12:47:19,282 INFO  unknown unknown org.dspace.app.rest.security.EPersonRestAuthenticationProvider @ anonymous::failed_login:email=null, result=4
2022-08-19 12:47:19,283 ERROR unknown unknown org.dspace.app.rest.security.StatelessLoginFilter @ Authentication failed (status:401)
org.springframework.security.authentication.BadCredentialsException: Login failed
        at org.dspace.app.rest.security.EPersonRestAuthenticationProvider.authenticateNewLogin(EPersonRestAuthenticationProvider.java:150) ~[classes/:7.3]

1. Authentication.cfg and Authentication-Shibboleth.cfg are configured - https://groups.google.com/g/dspace-tech/c/qRoprzbNsiE?pli=1

2. Shibboleth.sso/Session shows 5 attributes returned

3. Apache configs:

<Location /secure>
  ShibUseHeaders on
  SetHandler shib
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require shib-session
</Location>

<Location />
        AuthType shibboleth
        ShibRequestSetting requireSession false
        Require shibboleth
</Location>
<Location /server/api/authn/shibboleth>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibUseHeaders On
        Require shibboleth
</Location>
<Location /server/api/authn/login>
         AuthType shibboleth
        ShibRequestSetting requireSession false
        ShibUseHeaders On
</Location>
<Location /Shibboleth.sso>
        SetHandler shib
</Location>

I looked at the documentation below and I am pretty sure I did the relevant steps.

https://wiki.lyrasis.org/display/DSPACE/DSpace+7+Shibboleth+Configurationhttps://wiki.lyrasis.org/display/DSDOC7x/Authentication+Plugins#AuthenticationPlugins-Sampleattribute-map.xmlConfiguration(forsamltest.id)

Could someone had the similar issues? Any suggestion is welcomed.

Regards,

Bryan

[Tim Donohue]

Hi,

It's difficult for others to debug your Shibboleth setup, as unfortunately many Shibboleth setups can be unique.  However, my first guess is that this may be a configuration issue in your "authentication-shibboleth.cfg" (or local.cfg), as it looks like DSpace is getting "null" for all Shibboleth fields (uid, mail, etc).  

This implies to me that either the connection (provider_url) to Shibboleth is incorrect, or your configurations for "authentication-shibboleth.netid-header" or "authentication-shibboleth.email-header" are incorrect for your Shibboleth system. 

I'd recommend reviewing the setup instructions in the DSpace documentation at https://wiki.lyrasis.org/display/DSDOC7x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication   You also might want to consider temporarily​ setting up your DSpace to connect to the test Shibboleth at https://samltest.id/ using the "sample" configs in those docs... as that will provide a good test that your basic Shibboleth settings are correct.  Then, you can switch over to your local institution's Shibboleth (that said, keep in mind your local institution may have different fields for "netid-header" and "mail-header", etc.  So, you may need to work with local Shibboleth experts at your institution to find the correct settings to place in your "authentication-shibboleth.cfg".  Sometimes it takes some trial and error to determine which settings work properly for your Shibboleth.

Good luck and let us know on this list if you need more specific help.  It's always possible that someone else on here may have a similar Shibboleth setup to you and can provide more specific advice.

Tim

---

From: dspac...@googlegroups.com <dspac...@googlegroups.com> on behalf of Snickers <crims...@gmail.com>
Sent: Thursday, August 18, 2022 10:11 PM
To: DSpace Technical Support <dspac...@googlegroups.com>
Subject: [dspace-tech] Shibboleth error - org.dspace.authenticate.ShibAuthentication @ Unable to register new eperson because we are unable to find an email address along with first and last name for the user.

 

--
All messages to this mailing list should adhere to the Code of Conduct: https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
---
You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dspace-tech...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/90df36ff-c77e-4163-818d-222075994b71n%40googlegroups.com.

[Snickers]

Hi Tim,

Thank you for your answer and for providing the details. I have been going through the docs and samltest but no luck.

I am sure that the shibboleth is setup correctly as I can see the metadata values from "/Shibboleth.sso/Session". Also the authentication-shibboleth.cfg files have the same attribute names that I can see from attribute-map.xml file.

I assume that it could be something from Apache configuration that the values are not being passed to Dspace. I followed the documentation e.g. <Location /server/api/authn> or UseShibheaders etc. But not sure since it matches with the configuration for other systems or the examples from the doc.

One thing possibly matters is that I have frontend and backed services running on the same dev server. I mainly look at the backend configuration but I also tried the frontend configuration to have the same settings.

Regards,

Bryan

[Snickers]

Hi Tim,

Solved the issue.

The cause was using mod_proxy. Found an article that you need to use AJP for Shibboleth authentication. After switching it to AJP connector, it works. It would help anyone who might have the same issue if this is mentioned in the installation documentation.

Regards,

Bryan

[Humberto Blanco Castillo]

hi @snickers, 
do you have these article? i have some issue width oidc and i believe that this is the response.