Hi all! I'm looking to enable Shibboleth auth for a fresh install of DSpace 
8.0. For now I'm planning to do some testing with my university's IdP on 
localhost with no SSL, but because of some configuration I set (or, more 
likely, a misconfiguration), I can't get it to work when I try to log in. 
I appreciate all the help I can get.

[image: Screenshot from 2025-03-19 19-50-12.png]
I have backend and UI on the same machine and I do have mod_proxy and 
mod_proxy_ajp installed and enabled.
In shib.log:
ERROR OpenSAML.MessageDecoder.SAML2POST [646] [default]: POST targeted at 
(http://localhost/Shibboleth.sso/SAML2/POST), but delivered to 
(http://127.0.1.1/Shibboleth.sso/SAML2/POST)
I also attached shib.xml file and apache sites-enabled.conf

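<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # ServerName is what Apache uses to build self-referential URLs once
    # UseCanonicalName is On (see the mod_shib section below). Without it, Apache
    # derives the canonical name from the server's own address instead, which is
    # consistent with the shib.log error "POST targeted at
    # http://localhost/Shibboleth.sso/SAML2/POST, but delivered to
    # http://127.0.1.1/Shibboleth.sso/SAML2/POST". The value must match the host
    # used in the SP's entityID / handler URL (http://localhost/Shibboleth.sso/...);
    # change it to the real public hostname when this instance moves off localhost.
    ServerName localhost

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # PLEASE NOTE: many Apache settings (LogLevel, SSLCertificateFile, etc.) are
    # omitted here; add whatever your VirtualHost needs.

    # As long as the Shibboleth module is installed, enable all Shibboleth/mod_shib
    # related settings
    <IfModule mod_shib>
        # Shibboleth recommends turning on UseCanonicalName. Note that this makes
        # the ServerName above mandatory: with UseCanonicalName On and no ServerName
        # the SP's computed handler URLs will not match what the IdP posts to.
        # See "Prepping Apache" in
        # https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
        UseCanonicalName On

        # Most DSpace instances will want to use Shibboleth "Lazy Session", which
        # ensures that users can access DSpace without first authenticating via
        # Shibboleth. This section turns on Shibboleth "Lazy Session". It also
        # ensures that once they have authenticated (by accessing the
        # /Shibboleth.sso/Login path), their Shib session is kept alive.
        <Location />
            AuthType shibboleth
            ShibRequireSession Off
            require shibboleth
            # If your "shibboleth2.xml" file specifies an <ApplicationOverride>
            # setting for your DSpace Service Provider, then you may need to tell
            # Apache which "id" to redirect Shib requests to. Just uncomment this
            # and change the value "my-dspace-id" to the associated @id attribute
            # value.
            #ShibRequestSetting applicationId my-dspace-id
        </Location>

        # If a user attempts to access the DSpace shibboleth endpoint, force them
        # to authenticate via Shib.
        <Location "/server/api/authn/shibboleth">
            Order deny,allow
            Allow from all
            AuthType shibboleth
            ShibRequireSession On
            # ShibUseHeaders On passes the Shibboleth attributes to the backend as
            # plain HTTP request headers. That is the usual choice when proxying
            # over plain HTTP (as this file does: ProxyPass ... http://localhost:8080),
            # but the backend cannot tell such headers apart from ones a client
            # supplied. Tomcat on port 8080 must therefore not be reachable by
            # clients except through this proxy, and Apache must be the only path
            # to it. See the mod_shib docs for details about this setting:
            # https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-AuthConfigOptions
            # Here's a good guide to configuring Apache + Tomcat when this setting
            # is "Off":
            # https://www.switch.ch/de/aai/support/serviceproviders/sp-access-rules.html#javaapplications
            ShibUseHeaders On
            Require shibboleth
        </Location>

        # If a user attempts to access the DSpace login endpoint, ensure Shibboleth
        # is supported but other auth methods can be too.
        <Location "/server/api/authn/login">
            Order deny,allow
            Allow from all
            AuthType shibboleth
            # For DSpace, this is required to be off otherwise the available auth
            # methods will not be visible
            ShibRequireSession Off
            # Same trust caveat as for ShibUseHeaders in the
            # /server/api/authn/shibboleth location above: attributes arrive as
            # request headers, so Tomcat must only be reachable via this proxy.
            # https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-AuthConfigOptions
            # https://www.switch.ch/de/aai/support/serviceproviders/sp-access-rules.html#javaapplications
            ShibUseHeaders On
        </Location>

        # Ensure /Shibboleth.sso path (in Apache) can be accessed.
        # By default it may be inaccessible if your Apache security is tight.
        <Location "/Shibboleth.sso">
            Order deny,allow
            Allow from all
            # Also ensure Shibboleth/mod_shib responds to this path
            SetHandler shib
        </Location>

        # Finally, you may need to ensure requests to /Shibboleth.sso are NOT
        # proxied to Tomcat (as they need to be handled by mod_shib instead).
        # NOTE: THIS SETTING IS LIKELY ONLY NEEDED IF YOU ARE USING mod_proxy TO
        # FORWARD ALL REQUESTS TO TOMCAT (e.g. ProxyPass /server
        # ajp://localhost:8009/server). ProxyPass rules are matched in
        # configuration order, first match wins, so this exclusion must stay
        # ahead of the catch-all "ProxyPass /" below.
        ProxyPass /Shibboleth.sso !
    </IfModule>


    # You will likely need Proxy settings to ensure Apache is proxying requests
    # to Tomcat for the DSpace REST API.
    # The below is just an example of proxying for the REST API only. It requires
    # installing & enabling "mod_proxy" plus the backend module you use
    # ("mod_proxy_http" for http://, "mod_proxy_ajp" for ajp://).
    ## Proxy / Forwarding Settings ##
    <Proxy *>
        AddDefaultCharset Off
        Order allow,deny
        Allow from all
    </Proxy>
    ProxyPreserveHost On
    # Proxy all requests to /server to Tomcat over HTTP (mod_proxy_http).
    # The AJP equivalent would be ajp://localhost:8009/server (mod_proxy_ajp).
    ProxyPass /server http://localhost:8080/server
    ProxyPassReverse /server http://localhost:8080/server

    # Optionally, also proxy the Angular UI (if on the same server). This requires
    # "mod_proxy_http". Keep this catch-all last: it would otherwise swallow
    # /server and /Shibboleth.sso.
    ProxyPass / http://localhost:4000/
    ProxyPassReverse / http://localhost:4000/
</VirtualHost>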
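<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
    clockSkew="180">

    <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />

    <!--
    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
    -->

    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <!--
    NOTE: the copy of this file pasted into the mailing list had a stray ";" after
    every quoted URL attribute (entityID="..."; url="..."; etc.). That is not
    well-formed XML and the SP would refuse to load it; those characters are
    removed here. Check the file on disk with: xmllint (noout) shibboleth2.xml
    The entityID host must match the Apache ServerName so that the handler URL
    the SP computes (http://localhost/Shibboleth.sso/...) equals the one the IdP
    posts back to.
    -->
    <ApplicationDefaults entityID="http://localhost/Shibboleth.sso/Metadata"
        REMOTE_USER="eppn"
        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">

        <!--
        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
        Each Application has an effectively unique handlerURL, which defaults to "/Shibboleth.sso"
        and should be a relative path, with the SP computing the full value based on the virtual
        host. Use of TLS is now assumed because browsers are enforcing it due to SameSite
        restrictions. Note that while we default checkAddress to "false", this makes an assertion
        stolen in transit easier for attackers to misuse.

        handlerSSL="false" and cookieProps="http" are set only because this is a
        no-TLS localhost test. They disable the HTTPS requirement for the handlers
        and the Secure flag on the session cookie; restore handlerSSL="true" and
        cookieProps="https" before this SP is reachable on a real network.
        -->
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="false" cookieProps="http"
                  redirectLimit="none">

            <!--
            Configures SSO for a default IdP. To properly allow for >1 IdP, remove
            entityID property and adjust discoveryURL to point to discovery service.
            You can also override entityID on /Login query string, or in RequestMap/htaccess.

            NOTE(review): this entityID must be exactly the entityID the IdP
            advertises in the metadata fetched by the MetadataProvider below.
            That metadata URL names a realm (.../realms/foo/protocol/saml/descriptor),
            so confirm that the IdP's entityID is really the bare
            https://metadata.prov.sp/realms and not a per-realm value; a mismatch
            means the SP cannot find the IdP's endpoints and keys.
            -->
            <SSO entityID="https://metadata.prov.sp/realms">
              SAML2
            </SSO>

            <!-- SAML and local-only logout. -->
            <Logout>SAML2 Local</Logout>

            <!-- Administrative logout. -->
            <LogoutInitiator type="Admin" Location="/Logout/Admin"/>

            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

            <!--
            Status reporting service. Restricted to loopback, as in the stock
            configuration, so that /Shibboleth.sso/Status does not expose SP
            internals to arbitrary clients.
            -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

            <!--
            Session diagnostic service. showAttributeValues="true" shows the
            released attribute values on /Shibboleth.sso/Session to the holder of
            the session; handy while debugging attribute release from the IdP,
            set it back to "false" once that works.
            -->
            <Handler type="Session" Location="/Session" showAttributeValues="true"/>

            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <!--
        Allows overriding of error template information/filenames. You can
        also add your own attributes with values that can be plugged into the
        templates, e.g., helpLocation below.
        -->
        <Errors supportContact="root@localhost"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

        <!--
        IdP metadata fetched from the IdP itself. validate="true" only checks the
        XML against the schema; there is no Signature MetadataFilter here, so the
        SP trusts whatever metadata.prov.sp serves over TLS. That is acceptable
        for a test IdP; for production, pin the metadata signing certificate with
        a Signature filter as in the commented federation example below.
        -->
        <MetadataProvider type="XML" validate="true"
            url="https://metadata.prov.sp/realms/foo/protocol/saml/descriptor"
            backingFilePath="/etc/shibboleth/metadata.prov.sp.xml" maxRefreshDelay="7200">
        </MetadataProvider>

        <!-- Example of locally maintained metadata. -->
        <!--
        <MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/>
        -->

        <!-- Example of remotely supplied batch of signed metadata. -->
        <!--
        <MetadataProvider type="XML" validate="true"
            url="http://federation.org/federation-metadata.xml"
            backingFilePath="federation-metadata.xml" maxRefreshDelay="7200">
            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
            <MetadataFilter type="Signature" certificate="fedsigner.pem" verifyBackup="false"/>
            <DiscoveryFilter type="Exclude" matcher="EntityAttributes" trimTags="true"
              attributeName="http://macedir.org/entity-category"
              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
              attributeValue="http://refeds.org/category/hide-from-discovery" />
        </MetadataProvider>
        -->

        <!-- Example of remotely supplied "on-demand" signed metadata. -->
        <!--
        <MetadataProvider type="MDQ" validate="true" cacheDirectory="mdq"
            baseUrl="http://mdq.federation.org" ignoreTransport="true">
            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
            <MetadataFilter type="Signature" certificate="mdqsigner.pem" />
        </MetadataProvider>
        -->

        <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <!--
        Simple file-based resolvers for separate signing/encryption keys.
        Both roles currently use the same key pair (sp-key.pem / sp-cert.pem);
        the certificate the IdP is given must match this file.
        -->
        <CredentialResolver type="File" use="signing"
            key="sp-key.pem" certificate="sp-cert.pem"/>
        <CredentialResolver type="File" use="encryption"
            key="sp-key.pem" certificate="sp-cert.pem"/>

    </ApplicationDefaults>

    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>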
