Shibboleth error


Joshua Kim

Jan 31, 2022, 2:49:03 PM
to dspac...@googlegroups.com
Hi,

My dev site uses DSpace 7.1 and Shibboleth authentication. I am new to Shibboleth. SP and IP are set up (Shibboleth-related XML files correctly). It passes the Shibboleth single sign-on authentication, but on my site it says "Authentication failed!". Can someone help me out with this?

The DSpace log says
2022-01-31 14:44:41,525 ERROR unknown unknown org.dspace.authenticate.ShibAuthentication @ Shibboleth authentication was not able to find a NetId, Email, or Tomcat Remote user $
2022-01-31 14:44:41,531 ERROR unknown unknown org.dspace.authenticate.ShibAuthentication @ Unable to register new eperson because we are unable to find an email address along with first and last name for the user.
  NetId Header: 'SHIB-NETID'='null' (Optional)
  Email Header: 'SHIB-MAIL'='null'
  First Name Header: 'SHIB-GIVENNAME'='null'
  Last Name Header: 'SHIB-SURNAME'='null'
2022-01-31 14:44:41,533 INFO  unknown unknown org.dspace.app.rest.security.EPersonRestAuthenticationProvider @ anonymous::failed_login:email=null, result=4
2022-01-31 14:44:41,536 ERROR unknown unknown org.dspace.app.rest.security.StatelessLoginFilter @ Authentication failed (status:401)
org.springframework.security.authentication.BadCredentialsException: Login failed


----------------
Joshua Kim
Web Developer, Library IT
Library, Museums and Press
University of Delaware

Mark H. Wood

Jan 31, 2022, 4:35:14 PM
to dspac...@googlegroups.com
I would carefully check the SP configuration, specifically
'attribute-map.xml'. You need to talk to the people who run the IDP
and find out what labels they used for the user's given name, surname,
email address and unique identifier. These should be mapped to the
request header names that DSpace is expecting: SHIB-GIVENNAME,
SHIB-SURNAME, SHIB-MAIL, and SHIB-NETID using 'Attribute' elements in
'attribute-map.xml'. Different organizations may use different
attribute names to refer to the same user qualities in their IDP
configurations, so you need to map the ones your organization is using.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

Mohammad S. AlMutairi

Jan 31, 2022, 10:21:29 PM
to DSpace Technical Support
One way of debugging this, to see the attributes sent from the IdP, is to change the URL after you see the error message you reported (Authentication failed!) to https://your-domain/Shibboleth.sso/Session ... With this you will see the attributes themselves but not their values. If you need to see the values too, you need to change showAttributeValues from false to true (see the attached file). You can find it in the main Shibboleth SP config file (shibboleth2.xml). You don't need to restart the Shibboleth service for this change to take effect. This will show you what attributes are being sent by the IdP. According to the DSpace documentation, "DSpace treats the first and last name attributes differently because they (along with email address) are the three pieces of minimal information required to create a new user account." So if you can see that these attributes are being sent from the IdP, you can, for this debugging session, edit [dspace]config/modules/authentication-shibboleth.cfg and change the options you see on the lines below to what you got from the IdP, and you should see that the new Shibboleth user is able to log in and his/her profile is created. Try it, and once you are done, do the attribute re-mapping as Mark indicated.

#authentication-shibboleth.netid-header = SHIB-NETID
#authentication-shibboleth.email-header = SHIB-MAIL
authentication-shibboleth.netid-header = uid
authentication-shibboleth.email-header = mail

#authentication-shibboleth.firstname-header = SHIB-GIVENNAME
#authentication-shibboleth.lastname-header = SHIB-SURNAME
authentication-shibboleth.firstname-header = givenName
authentication-shibboleth.lastname-header = sn
attributes.jpg
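
The mismatch discussed in the two replies above can be checked offline before touching the live SP. The following is an added example, not code from the posters or from the DSpace project: it reads the header names DSpace will look for (the SHIB-* defaults named in the thread, overridden by any uncommented lines in authentication-shibboleth.cfg) and reports required fields that no `Attribute` id in attribute-map.xml provides. The function names, the sample map and the sample cfg text are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = "{urn:mace:shibboleth:2.0:attribute-map}"
# Header names DSpace expects by default, as named in the thread and the log.
DEFAULTS = {"netid": "SHIB-NETID", "email": "SHIB-MAIL",
            "firstname": "SHIB-GIVENNAME", "lastname": "SHIB-SURNAME"}
REQUIRED = ("email", "firstname", "lastname")  # the log marks NetId as optional

def effective_headers(cfg_text):
    """Header names DSpace will read: defaults overridden by uncommented cfg lines."""
    headers = dict(DEFAULTS)
    pat = re.compile(r"^\s*authentication-shibboleth\.(\w+)-header\s*=\s*(\S+)\s*$")
    for line in cfg_text.splitlines():
        m = pat.match(line)  # lines starting with '#' never match
        if m and m.group(1) in headers:
            headers[m.group(1)] = m.group(2)
    return headers

def mapped_ids(attribute_map_xml):
    """Return {id: [IdP attribute names]} for each Attribute element in the SP map."""
    ids = {}
    for el in ET.fromstring(attribute_map_xml).iter(NS + "Attribute"):
        ids.setdefault(el.get("id"), []).append(el.get("name"))
    return ids

def unmapped_required(cfg_text, attribute_map_xml):
    """Required DSpace fields whose header name no Attribute id provides."""
    ids = mapped_ids(attribute_map_xml)
    headers = effective_headers(cfg_text)
    return sorted(f"{field} -> {headers[field]}" for field in REQUIRED
                  if headers[field] not in ids)

# Constructed sample: an SP map exposing the attributes under uid/mail/givenName/sn.
SAMPLE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
  <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
  <Attribute name="urn:oid:2.5.4.4" id="sn"/>
</Attributes>"""
DEFAULT_CFG = "#authentication-shibboleth.email-header = SHIB-MAIL\n"  # constructed
OVERRIDE_CFG = """authentication-shibboleth.netid-header = uid
authentication-shibboleth.email-header = mail
authentication-shibboleth.firstname-header = givenName
authentication-shibboleth.lastname-header = sn
"""  # constructed, mirrors the override lines quoted above

if __name__ == "__main__":
    print("with defaults :", unmapped_required(DEFAULT_CFG, SAMPLE_MAP))
    print("with overrides:", unmapped_required(OVERRIDE_CFG, SAMPLE_MAP))
```

With the default header names, all three required fields are reported as unmapped, which corresponds to the 'null' headers in the DSpace log; with the override lines, the list is empty.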

Joshua Kim

Feb 1, 2022, 12:27:12 PM
to Mohammad S. AlMutairi, mwood...@gmail.com, DSpace Technical Support
Mark and Mohammad,

I appreciate you both for pointing that out. The names of the attributes are unmatched. After changing the attribute names, it is working now. Thank you so much.

----------------
Joshua Kim
Web Developer, Library IT
Library, Museums and Press
University of Delaware



Joshua Kim

Feb 1, 2022, 3:14:55 PM
to Mohammad S. AlMutairi, mwood...@gmail.com, DSpace Technical Support
Hi,

I just found that after logging out successfully on my DSpace web site (I am using Shibboleth authentication and DSpace 7.1), when I visit the site and click the "log in with Shibboleth" button, it lets me in automatically. How can I completely log out? Is there any way except clearing cookies in my web browser?

----------------
Joshua Kim
Web Developer, Library IT
Library, Museums and Press
University of Delaware


Mohammad S. AlMutairi

Feb 2, 2022, 12:19:47 AM
to DSpace Technical Support
Hi,

You got logged out locally but not from the IdP. You can try this https://your-dspace/Shibboleth.sso/Logout ... You should direct this question to the team.

Regards,