EPrints Technical Mailing List Archive
See the EPrints wiki for instructions on how to join this mailing list and related information.
Message: #07135
Re: [EP-tech] Shibboleth and local login
- To: eprints-tech@ecs.soton.ac.uk
- Subject: Re: [EP-tech] Shibboleth and local login
- From: David R Newman <drn@ecs.soton.ac.uk>
- Date: Wed, 07 Feb 2018 14:33:37 +0000
Hi Yuri,

The instructions I wrote at https://wiki.eprints.org/w/Shibboleth have a config file called zz_shibboleth.pl in your archive's cfg/cfg.d/ that uses the following line in the get_login_url sub:

    my $url = URI->new( $session->config( "https_url" ) . "/shibboleth/login" );

This is the equivalent to what you have suggested below. Also these instructions explain that you need to add the following to your archive's ssl/securevhost.conf after the Include line for EPRINTS_PATH/cfg/apache_ssl/ARCHIVENAME.conf, substituting foo for your archive name below:

    Alias /shibboleth /opt/eprints3/archives/foo/shibboleth
    <Location "/shibboleth">
      SetHandler perl-script
      PerlHandler ModPerl::Registry
      PerlSendHeader Off
      Options ExecCGI FollowSymLinks
      AuthType shibboleth
      ShibRequestSetting requireSession 1
      require shib-session
    </Location>
    <Location /cgi/shibboleth>
      AuthType shibboleth
      ShibRequestSetting requireSession 1
      require shib-session
    </Location>

The second Location block is not absolutely necessary unless you want to deploy the /cgi/shibboleth test script.

With this config, I can go to /cgi/users/login on http or https and not be redirected to /shibboleth/login

Regards

David Newman

On Wed, 2018-02-07 at 15:10 +0100, Yuri wrote:
> What about:
>
> To avoid the loop, in auth.pl I've changed this:
>
>     my $url = URI->new( $session->get_repository->get_conf("base_url" )."/shibboleth/login" );
>
> <- base_url is http, no shibboleth, so the server keeps redirecting over and over
>
> to:
>
>     my $url = "https://<mysite>/shibboleth/login";
>
> because of (from perl_lib/EPrints/Apache/Auth.pm):
>
>     if( $repository->current_url ne $repository->current_url( path => "cgi", "users/login" ) )
>     {
>         EPrints::Apache::AnApache::send_status_line( $r, 302, "Need to login first" );
>         EPrints::Apache::AnApache::header_out( $r, "Location", $login_url );
>         EPrints::Apache::AnApache::send_http_header( $r );
>         return DONE;
>     }
>
> This creates a loop in authentication because it doesn't check for /shibboleth/login but just for /cgi/users/login.
>
> On 07/02/2018 14:48, Yuri wrote:
> >
> > On 07/02/2018 11:04, David R Newman wrote:
> > >
> > > Hi Yuri,
> > >
> > > Actually you will find if you click on the Login link it actually takes you to /cgi/users/home, when you have configured Shibboleth, this will redirect to /shibboleth/login rather than /cgi/users/login.
> > > If you create a link directly to /cgi/users/login this will allow you to still use local login.
> >
> > No, I tried but it sends me to Shibboleth auth. This is because /cgi/users/login is sent to https and thus to shibboleth because / in https is protected by shibboleth. Just protecting /shibboleth in https does not work. You can login but you get no user from apache. I think it has to do with remote_user being passed only when you've a protected location, so if you're on /cgi you don't get the user while if you're on /shibboleth yes.
> >
> > Can you share your https/eprints config?
> > I'm using Debian stretch and Eprints 3.3.16 installed from tar.gz
> >
> > > I go direct to /cgi/users/login all the time for repositories I support where I am not part of the institution itself.
> > >
> > > The only downside of having a direct login link is you may not be logged into the page you clicked the local login link on. However, I think you can probably do something clever with your template to write the current path into the href for html of this link.
> > >
> > > On a side issue, I am the most recent person to significantly update the Shibboleth page on wiki.eprints.org. I am aware of a couple of errors. One is with the /shibboleth/login code without user creation.
> >
> > The user is created using login-autocreate
> >
> > > I have been meaning to get round to fixing this. Also, there is an issue with the /shibboleth/login code that does create user accounts because it does not render correctly and misses out a load of empty string definitions in the following line:
> > >
> > >     my ($username, $given, $family, $email) = (undef, '', '', '');
> >
> > Yes, I've this but just cosmetic. Thanks for your help.
> >
> > > I will endeavour to correct these issues today.
> >
> > Thanks!
> >
> > > Regards
> > >
> > > David Newman
> > >
> > > On Wed, 2018-02-07 at 10:03 +0100, Yuri wrote:
> > > >
> > > > Hi!
> > > >
> > > > I'm following: https://wiki.eprints.org/w/Webserver_authentication
> > > >
> > > > I've found this in :
> > > >
> > > >     if( $repository->current_url ne $repository->current_url( path => "cgi", "users/login" ) )
> > > >     {
> > > >         EPrints::Apache::AnApache::send_status_line( $r, 302, "Need to login first" );
> > > >         EPrints::Apache::AnApache::header_out( $r, "Location", $login_url );
> > > >         EPrints::Apache::AnApache::send_http_header( $r );
> > > >         return DONE;
> > > >     }
> > > >
> > > > this creates a loop in authentication because it doesn't check for /shibboleth/login!
> > > > perl_lib/EPrints/Apache/Auth.pm
> > > >
> > > > My question is also how I can insert a link to a local authentication because if I follow a link to /cgi/users/login, I get redirected to shibboleth auth. Is it because of the lines above?
> > > >
> > > > To avoid the loop, in auth.pl I've changed this:
> > > >
> > > >     my $url = URI->new( $session->get_repository->get_conf( "base_url" ) . "/shibboleth/login" );
> > > >
> > > > <- base_url is http, no shibboleth, so the server keeps redirecting over and over
> > > >
> > > > to:
> > > >
> > > >     my $url = "https://<mysite>/shibboleth/login";
> > > >
> > > > So, I think the guide is incomplete or there's something not clear to me...
> > > >
> > > > On 14/12/2017 09:11, Yuri wrote:
> > > > >
> > > > > Ok, so I've just to add a link to /shibboleth/login in /cgi/users/login for people who want to login using shibboleth, isn't it?
> > > > >
> > > > > For redirects it is not a problem, but I think /cgi/users/login already saves the loginparams so sends you to the wanted page.
> > > > >
> > > > > On 13/12/2017 11:25, David R Newman wrote:
> > > > > >
> > > > > > Hi Yuri,
> > > > > >
> > > > > > The actual login page is http://HOSTNAME/cgi/users/login you could include this link for people who want to login using local login. However, most of the links that require you to login will still always redirect to shibboleth, so you will have to instruct your local users that they must click on the local login to ensure they are logged in before trying to use any of the logged in user functionality.
> > > > > >
> > > > > > You might want to do something clever with the login link to ensure the user gets returned to the same page they were on before they realised they need to login. I am not sure how to do this off the top of my head.
> > > > > >
> > > > > > Regards
> > > > > >
> > > > > > David Newman
> > > > > >
> > > > > > On Wed, 2017-12-13 at 10:53 +0100, Yuri wrote:
> > > > > > >
> > > > > > > Hi!
> > > > > > >
> > > > > > > reading and implementing this guide:
> > > > > > >
> > > > > > > https://wiki.eprints.org/w/Shibboleth
> > > > > > >
> > > > > > > every login is handled by Shibboleth. Is there a way to let the user choose between local and Shibboleth login?
> > > > > > >
> > > > > > > *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
> > > > > > > *** Archive: http://www.eprints.org/tech.php/
> > > > > > > *** EPrints community wiki: http://wiki.eprints.org/
> > > > > > > *** EPrints developers Forum: http://forum.eprints.org/
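
The redirect loop discussed in this thread, traced in a simplified model; this is an added example, not code from the message or from EPrints. The host name, the helper subs and the assumption that the /shibboleth Alias exists only on the https vhost (as in the securevhost.conf advice above) are illustrative.

```perl
#!/usr/bin/perl
# Added illustration: a simplified model of the check quoted from
# perl_lib/EPrints/Apache/Auth.pm. All sub names here are hypothetical.
use strict;
use warnings;

my $HOST = "repo.example.org";    # constructed placeholder host

# Assumption: only the https vhost carries the /shibboleth Alias, so only
# there is the request handed to Shibboleth instead of the EPrints check.
sub handled_by_shibboleth {
    my ($url) = @_;
    return $url =~ m{^https://\Q$HOST\E/shibboleth/};
}

# Model of the quoted check: every URL except /cgi/users/login gets a 302
# to $login_url. Returns the Location value, or undef for no redirect.
sub auth_redirect {
    my ( $current_url, $login_url ) = @_;
    my ($scheme) = $current_url =~ m{^(https?)://};
    return if $current_url eq "$scheme://$HOST/cgi/users/login";
    return $login_url;
}

# Follow redirects from a page that needs a login and report how it ends:
# "shibboleth", "local-login" or "loop", followed by the URLs visited.
sub trace_login {
    my ($login_url) = @_;
    my $url   = "http://$HOST/cgi/users/home";
    my @chain = ($url);
    my %seen;
    while (1) {
        return ( "shibboleth", @chain ) if handled_by_shibboleth($url);
        return ( "loop",       @chain ) if $seen{$url}++;
        my $next = auth_redirect( $url, $login_url );
        return ( "local-login", @chain ) unless defined $next;
        $url = $next;
        push @chain, $url;
    }
}

# Login URL built from base_url (http) versus https_url.
for my $base ( "http://$HOST", "https://$HOST" ) {
    my ( $result, @chain ) = trace_login("$base/shibboleth/login");
    print "$result: ", join( " -> ", @chain ), "\n";
}
```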