Shibboleth on DSpace 7.2 won't work for unknown reasons

Matthias Letsch

Jun 27, 2023, 9:33:20 AM
to DSpace Technical Support
Hello,

for some reason we can't get Shibboleth working.

We have a test IdP and test credentials to log in, but something is still not working. Our colleague from the IdP side says that the communication between the Shib daemon on our server and the Shibboleth IdP is working and therefore the tasks from his side are finished for now. But he suspects that DSpace is not communicating properly with shibd and that we have to change some configurations.

As of now I am able to get to the Shibboleth login page, log in with the test credentials and accept the metadata usage, but then there is an HTTP Status 403 report:

HTTP Status 403 – Forbidden

Type Status Report

Description The server understood the request but refuses to authorize it.


Apache Tomcat/9.0.31 (Debian)

Has anyone had this problem and knows how to solve it?

Thank you and kind regards
Matthias

Matti Yrjölä

Jun 28, 2023, 12:03:53 PM
to DSpace Technical Support
Hi,

Do you have the attribute attributePrefix="AJP_" set in your ApplicationDefaults (in shibboleth2.xml)?
I think we had a similar problem with that setting as we are using that with older DSpace.
Removing the AJP_ prefix and also adding "ShibUseHeaders On" in <Location "/server/api/authn/shibboleth"> and <Location "/server/api/authn/login"> solved this issue.

There was some discussion in:
https://github.com/DSpace/DSpace/pull/2651#issuecomment-604902452
and
DSpace 7 Shibboleth Configuration - DSpace - LYRASIS Wiki
"The AJP proxy only works (Ben Bosman) if shibboleth2.xml doesn't contain the attribute attributePrefix="AJP_" in the ApplicationDefaults."

Best regards,
Matti

Matthias Letsch

Jun 29, 2023, 6:10:32 AM
to DSpace Technical Support
Hello Matti,

thank you very much!

This has at least resulted in the 403 becoming a 401 and DSpace noticing something about the login attempt, which I consider positive progress.

However, DSpace now complains in the logs that it cannot find the required attributes:

2023-06-29 11:58:35,693 ERROR unknown unknown org.dspace.authenticate.ShibAuthentication @ Shibboleth authentication was not able to find a NetId, Email, or Tomcat Remote user for which to indentify a user from.
2023-06-29 11:58:35,707 ERROR unknown unknown org.dspace.authenticate.ShibAuthentication @ Unable to register new eperson because we are unable to find an email address along with first and last name for the user.
  NetId Header: 'SHIB-NETID'='null' (Optional)
  Email Header: 'SHIB-MAIL'='null'
  First Name Header: 'SHIB-GIVENNAME'='null'
  Last Name Header: 'SHIB-SURNAME'='null'
2023-06-29 11:58:35,709 INFO  unknown unknown org.dspace.app.rest.security.EPersonRestAuthenticationProvider @ anonymous::failed_login:email=null, result=4
2023-06-29 11:58:35,719 ERROR unknown unknown org.dspace.app.rest.security.StatelessLoginFilter @ Authentication failed (status:401)
org.springframework.security.authentication.BadCredentialsException: Login failed

So I guess I need to modify the attribute-map.xml accordingly to match the expected attributes under [dspace]/config/modules/authentication-shibboleth.cfg.

The documentation at https://wiki.lyrasis.org/display/DSDOC7x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication provides a template for attribute-map with the attributes that seem to match at first glance.

But unfortunately that alone does not change anything for us. Do you possibly know more about this?

Thanks again and best regards
Matthias

Mark H. Wood

Jun 29, 2023, 9:57:26 AM
to dspac...@googlegroups.com
You need to know the OIDs used by your Shibboleth IDP to label the
attributes that you want. These may vary from site to site.
attribute-map.xml maps them to names SHIB-NETID and the rest. If you
don't give the right OIDs, nothing will be mapped into the request.

You also need to know (or set) the request attributes that DSpace
expects. That's the other side of the mapping.

Here we are using attributePrefix='AJP_' and it works. We do not set
ShibUseHeaders. Tomcat will strip the prefix and pass the attributes
through in the Request. But Tomcat must be configured to accept more
than the default set of attributes: the AJP connector must have
allowedRequestAttributesPattern='SHIB-.*' to let them through.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

Matthias Letsch

Jun 30, 2023, 4:11:28 AM
to DSpace Technical Support
Thank you for your reply.

I have the OIDs delivered by the IDP which are the following:

urn:oid:1.3.6.1.4.1.5923.1.1.1.6
urn:oid:2.5.4.42
urn:oid:2.5.4.4
urn:oid:0.9.2342.19200300.100.1.3
urn:oid:2.16.840.1.113730.3.1.241

So this is what I put into attribute-map.xml:

<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="SHIB-NETID"/>
<Attribute name="urn:oid:2.5.4.42" id="SHIB-GIVENNAME"/>
<Attribute name="urn:oid:2.5.4.4" id="SHIB-SURNAME"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="SHIB-MAIL"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>

And this is on the other side in [dspace-backend]/config/modules/authentication-shibboleth.cfg:

authentication-shibboleth.netid-header = SHIB-NETID
authentication-shibboleth.email-header = SHIB-MAIL
(...)
authentication-shibboleth.firstname-header = SHIB-GIVENNAME
authentication-shibboleth.lastname-header = SHIB-SURNAME

If I have the attributePrefix="_AJP" in shibboleth2.xml, nothing at all arrives at DSpace from the login attempt. (403)
If I delete it, at least there is a 401 "authentication failed" and dspace.log throws the error mentioned above.

I added allowedRequestAttributesPattern='SHIB-.*' to the AJP connector in tomcat9/conf/server.xml

The inherited result is still the same. To make matters worse, now this morning after these minimal changes in the Shib XML files and in server.xml, for some reason the following came up when I tried to reload the page:

Service Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

Apache/2.4.38 (Debian) Server at ... Port 443

After resetting to the state before these changes the service runs normally again (still without Shibboleth of course). Is it possible that it is somehow due to the module? I don't know exactly, because our DSpace was originally installed by an external company, but I guess that at the moment only mod_proxy is used for the communication between Apache and Tomcat.

Kind regards,
Matthias
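As an added example, not code from the thread or from the DSpace project: a small Python check that ties together the two sides of the mapping Mark describes (attribute-map.xml ids versus the *-header keys in authentication-shibboleth.cfg) and the transport settings both answers mention (attributePrefix="AJP_" with a Tomcat allowedRequestAttributesPattern, or ShibUseHeaders On). The embedded config snippets are constructed copies modelled on what Matthias posted, and transport_findings with its arguments is a hypothetical helper, not a DSpace or Shibboleth API.

```python
"""Cross-check attribute-map.xml ids against the header names DSpace expects,
and flag the transport mismatches this thread ran into."""
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the thread, not the poster's real files.
ATTRIBUTE_MAP_XML = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="SHIB-NETID"/>
  <Attribute name="urn:oid:2.5.4.42" id="SHIB-GIVENNAME"/>
  <Attribute name="urn:oid:2.5.4.4" id="SHIB-SURNAME"/>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="SHIB-MAIL"/>
  <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
</Attributes>"""
SHIB_CFG = """authentication-shibboleth.netid-header = SHIB-NETID
authentication-shibboleth.email-header = SHIB-MAIL
authentication-shibboleth.firstname-header = SHIB-GIVENNAME
authentication-shibboleth.lastname-header = SHIB-SURNAME"""
NS = "{urn:mace:shibboleth:2.0:attribute-map}"

def mapped_ids(attribute_map_xml):
    """ids the SP exposes for the attributes the IdP releases."""
    return {a.get("id") for a in ET.fromstring(attribute_map_xml).iter(NS + "Attribute")}

def expected_headers(cfg_text):
    """role -> header name DSpace reads, taken from the *-header keys of the cfg."""
    pat = re.compile(r"^authentication-shibboleth\.([\w-]+)-header\s*=\s*(\S+)")
    return {m.group(1): m.group(2) for m in map(pat.match, cfg_text.splitlines()) if m}

def unmapped_headers(attribute_map_xml, cfg_text):
    """cfg roles whose header has no attribute-map id; DSpace logs these as 'null'."""
    ids = mapped_ids(attribute_map_xml)
    return sorted(k for k, h in expected_headers(cfg_text).items() if h not in ids)

def transport_findings(attribute_prefix, shib_use_headers, allowed_pattern, header_names):
    """Hypothetical helper: findings for the two ways shibd data can reach Tomcat
    in this thread, AJP request attributes (AJP_ prefix) or HTTP headers."""
    findings = []
    if attribute_prefix is None and not shib_use_headers:
        findings.append('no transport: neither attributePrefix="AJP_" nor ShibUseHeaders On')
    if attribute_prefix is not None and attribute_prefix != "AJP_":
        findings.append(f"attributePrefix {attribute_prefix!r} is not the AJP_ prefix mod_proxy_ajp forwards")
    if attribute_prefix == "AJP_":
        rx = re.compile(allowed_pattern or "$^")  # no pattern set: Tomcat admits none of them
        blocked = [h for h in header_names if not rx.fullmatch(h)]
        if blocked:
            findings.append("AJP connector allowedRequestAttributesPattern blocks: " + ", ".join(blocked))
    return findings
```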

Matthias Letsch

Jun 30, 2023, 7:50:07 AM
to DSpace Technical Support
Hi together,

I solved it. I still had to adjust the apache2/sites-enabled/default-ssl.conf exactly according to the template in the documentation: https://wiki.lyrasis.org/display/DSDOC7x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication

Now it works.

Mark H. Wood

Jun 30, 2023, 12:39:02 PM
to dspac...@googlegroups.com
On Fri, Jun 30, 2023 at 01:11:28AM -0700, Matthias Letsch wrote:
> Thank you for your reply.
>
> I have the OIDs delivered by the IDP which are the following:
>
> urn:oid:1.3.6.1.4.1.5923.1.1.1.6
> urn:oid:2.5.4.42
> urn:oid:2.5.4.4
> urn:oid:0.9.2342.19200300.100.1.3
> urn:oid:2.16.840.1.113730.3.1.241
>
> So this is what I put into attribute-map.xml:
>
> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="SHIB-NETID"/>
> <Attribute name="urn:oid:2.5.4.42" id="SHIB-GIVENNAME"/>
> <Attribute name="urn:oid:2.5.4.4" id="SHIB-SURNAME"/>
> <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="SHIB-MAIL"/>
> <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
>
> And this is on the other side in
> [dspace-backend]/config/modules/authentication-shibboleth.cfg:
>
> authentication-shibboleth.netid-header = SHIB-NETID
> authentication-shibboleth.email-header = SHIB-MAIL
> (...)
> authentication-shibboleth.firstname-header = SHIB-GIVENNAME
> authentication-shibboleth.lastname-header = SHIB-SURNAME
>
> If I have the attributePrefix="_AJP" in shibboleth2.xml, nothing at all
> arrives at DSpace from the login attempt. (403)

That should be "AJP_" not "_AJP". See
https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html#env

Matthias Letsch

Jun 30, 2023, 1:56:39 PM
to dspac...@googlegroups.com
Hello Mark, thank you, I know, I just twisted it here. Still, now it works without it but it won't if I have it inserted.

Thank you again for your help and have a great weekend!
Matthias
