EPrints Technical Mailing List Archive

Message: #07135



Re: [EP-tech] Shibboleth and local login


Hi Yuri,

The instructions I wrote at https://wiki.eprints.org/w/Shibboleth have
a config file called zz_shibboleth.pl in your archive's cfg/cfg.d/ that
uses the following line in the get_login_url sub:

my $url = URI->new( $session->config( "https_url" ) . "/shibboleth/login" );

This is the equivalent to what you have suggested below.

Also these instructions explain that you need to add the following to
your archive's ssl/securevhost.conf after the Include line for
EPRINTS_PATH/cfg/apache_ssl/ARCHIVENAME.conf, substituting foo for your
archive name below:

Alias /shibboleth /opt/eprints3/archives/foo/shibboleth
<Location "/shibboleth">
  SetHandler perl-script
  PerlHandler ModPerl::Registry
  PerlSendHeader Off
  Options ExecCGI FollowSymLinks

  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require shib-session
</Location>

<Location /cgi/shibboleth>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require shib-session
</Location>

The second Location block is not absolutely necessary unless you want
to deploy the /cgi/shibboleth test script.

With this config, I can go to /cgi/users/login on http or https and not
be redirected to /shibboleth/login.

Regards

David Newman
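The redirect loop Yuri describes, and why building the login URL from https_url rather than base_url stops it, can be seen in a small model of the quoted Auth.pm check. The following Python simulation is an added example, not EPrints code: it assumes a hypothetical host repo.example.org, a constructed user identity, and that only the /shibboleth Location on the https vhost is Shibboleth-protected (as in the securevhost.conf above). The real /shibboleth/login script creates the EPrints session; the model collapses that into "REMOTE_USER present, serve the page".

```python
"""Model of the EPrints login redirect behaviour discussed in this thread.

Added example, not EPrints code. Hostname, user identity and the set of
Shibboleth-protected Locations are constructed to match the thread.
"""
from urllib.parse import urlsplit

# Constructed repository configuration (hypothetical hostname).
CONFIG = {
    "base_url": "http://repo.example.org",
    "https_url": "https://repo.example.org",
}

# (scheme, path prefix) pairs that Apache guards with "AuthType shibboleth".
# Mirrors the securevhost.conf above: only /shibboleth on the https vhost.
SHIB_PROTECTED = {("https", "/shibboleth")}

LOCAL_LOGIN_PATH = "/cgi/users/login"   # the one page Auth.pm exempts
SHIB_LOGIN_PATH = "/shibboleth/login"


def get_login_url(cfg, key):
    """Equivalent of get_login_url in zz_shibboleth.pl: the only difference
    between the looping and the working setup is which config key is used."""
    return cfg[key] + SHIB_LOGIN_PATH


def apache_remote_user(url):
    """REMOTE_USER as Apache would hand it to EPrints: set only when the
    request hits a Shibboleth-protected Location, otherwise None."""
    parts = urlsplit(url)
    for scheme, prefix in SHIB_PROTECTED:
        if parts.scheme == scheme and parts.path.startswith(prefix):
            return "jdoe@example.org"   # constructed identity
    return None


def auth_handler(url, login_url):
    """Model of the quoted Auth.pm check. Returns (status, location).

    Without an authenticated user, every path except /cgi/users/login is
    answered with 302 -> login_url. The check never looks at login_url
    itself, so a login_url that is not Shibboleth-protected is redirected
    like any other page."""
    if apache_remote_user(url) is not None:
        return ("200", None)          # EPrints session would be created here
    if urlsplit(url).path != LOCAL_LOGIN_PATH:
        return ("302", login_url)
    return ("200", None)              # local login form is served


def follow(start_url, login_url, max_hops=10):
    """Follow redirects like a browser. Returns ("ok" | "loop", hops) where
    hops lists every (url, status) visited; a URL seen twice is a loop."""
    url, hops = start_url, []
    for _ in range(max_hops):
        status, location = auth_handler(url, login_url)
        hops.append((url, status))
        if status == "200":
            return "ok", hops
        if any(location == seen for seen, _ in hops):
            return "loop", hops
        url = location
    return "loop", hops


if __name__ == "__main__":
    home = CONFIG["base_url"] + "/cgi/users/home"
    for key in ("base_url", "https_url"):
        result, hops = follow(home, get_login_url(CONFIG, key))
        print(f"login_url built from {key}: {result}")
        for url, status in hops:
            print(f"  {status} {url}")
    # Going straight to the local login form never redirects.
    print(follow(CONFIG["base_url"] + LOCAL_LOGIN_PATH,
                 get_login_url(CONFIG, "https_url")))
```

With base_url the browser is sent to http://repo.example.org/shibboleth/login, which is not behind a Shibboleth Location, so Apache sets no REMOTE_USER and the same check issues the same 302 again. With https_url the second hop lands on the protected Location and terminates; a direct request to /cgi/users/login is served without any redirect, which is the local-login behaviour described above.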

On Wed, 2018-02-07 at 15:10 +0100, Yuri wrote:
> What about:
> 
> To avoid the loop, in auth.pl I've changed this:
> 
>     my $url = URI->new( $session->get_repository->get_conf( "base_url" ) . "/shibboleth/login" );
>     <- base_url is http, no shibboleth, so the server keeps redirecting over and over
> 
> to:
> 
>     my $url = "https://<mysite>/shibboleth/login";
> 
> because of (from perl_lib/EPrints/Apache/Auth.pm):
> 
>     if( $repository->current_url ne $repository->current_url( path => "cgi", "users/login" ) )
>     {
>         EPrints::Apache::AnApache::send_status_line( $r, 302, "Need to login first" );
>         EPrints::Apache::AnApache::header_out( $r, "Location", $login_url );
>         EPrints::Apache::AnApache::send_http_header( $r );
>         return DONE;
>     }
> 
> This creates a loop in authentication because it doesn't check for
> /shibboleth/login but just for /cgi/users/login.
> 
> On 07/02/2018 14:48, Yuri wrote:
> > 
> > On 07/02/2018 11:04, David R Newman wrote:
> > > 
> > > Hi Yuri,
> > > 
> > > Actually you will find if you click on the Login link it actually
> > > takes you to /cgi/users/home; when you have configured Shibboleth, this
> > > will redirect to /shibboleth/login rather than /cgi/users/login.
> > > If you create a link directly to /cgi/users/login this will allow you to
> > > still use local login.
> > No, I tried but it sends me to Shibboleth auth. This is because
> > /cgi/users/login is sent to https and thus to shibboleth because / in
> > https is protected by shibboleth. Just protecting /shibboleth in https
> > does not work. You can login but you get no user from apache. I think it
> > has to do with remote_user being passed only when you've a protected
> > location, so if you're on /cgi you don't get the user while if you're on
> > /shibboleth yes.
> > 
> > Can you share your https/eprints config? I'm using Debian stretch and
> > Eprints 3.3.16 installed from tar.gz
> > 
> > > 
> > > I go direct to /cgi/users/login all the time for repositories I
> > > support where I am not part of the institution itself.
> > > 
> > > The only downside of having a direct login link is you may not be
> > > logged into the page you clicked the local login link on. However, I
> > > think you can probably do something clever with your template to write
> > > the current path into the href for html of this link.
> > > On a side issue, I am the most recent person to significantly update
> > > the Shibboleth page on wiki.eprints.org. I am aware of a couple of
> > > errors. One is with the /shibboleth/login code without user creation.
> > The user is created using login-autocreate
> > 
> > > 
> > > I have been meaning to get round to fixing this. Also, there is an
> > > issue with the /shibboleth/login code that does create user accounts
> > > because it does not render correctly and misses out a load of empty
> > > string definitions in the following line:
> > > 
> > > my ($username, $given, $family, $email) = (undef, '', '', '');
> > Yes, I've this but just cosmetic. Thanks for your help.
> > 
> > > 
> > > I will endeavour to correct these issues today.
> > Thanks!
> > 
> > > 
> > > Regards
> > > 
> > > David Newman
> > > 
> > > On Wed, 2018-02-07 at 10:03 +0100, Yuri wrote:
> > > > 
> > > > Hi!
> > > > 
> > > > I'm following: https://wiki.eprints.org/w/Webserver_authentication
> > > > 
> > > > I've found this in :
> > > > 
> > > >     if( $repository->current_url ne $repository->current_url( path => "cgi", "users/login" ) )
> > > >     {
> > > >         EPrints::Apache::AnApache::send_status_line( $r, 302, "Need to login first" );
> > > >         EPrints::Apache::AnApache::header_out( $r, "Location", $login_url );
> > > >         EPrints::Apache::AnApache::send_http_header( $r );
> > > >         return DONE;
> > > >     }
> > > > 
> > > > this creates a loop in authentication because it doesn't check for
> > > > /shibboleth/login! perl_lib/EPrints/Apache/Auth.pm
> > > > 
> > > > My question is also how I can insert a link to a local authentication
> > > > because if I follow a link to /cgi/users/login, I get redirected to
> > > > shibboleth auth. Is it because of the lines above?
> > > > 
> > > > To avoid the loop, in auth.pl I've changed this:
> > > > 
> > > >     my $url = URI->new( $session->get_repository->get_conf( "base_url" ) . "/shibboleth/login" );
> > > >     <- base_url is http, no shibboleth, so the server keeps redirecting over and over
> > > > 
> > > > to:
> > > > 
> > > >     my $url = "https://<mysite>/shibboleth/login";
> > > > 
> > > > So, I think the guide is incomplete or there's something not clear to
> > > > me...
> > > > 
> > > > On 14/12/2017 09:11, Yuri wrote:
> > > > > 
> > > > > Ok, so I've just to add a link to /shibboleth/login in
> > > > > /cgi/users/login for people who want to login using shibboleth,
> > > > > isn't it?
> > > > > 
> > > > > For redirects it is not a problem, but I think /cgi/users/login
> > > > > already saves the loginparams so sends you to the wanted page.
> > > > > 
> > > > > On 13/12/2017 11:25, David R Newman wrote:
> > > > > > 
> > > > > > Hi Yuri,
> > > > > > 
> > > > > > The actual login page is http://HOSTNAME/cgi/users/login; you could
> > > > > > include this link for people who want to login using local login.
> > > > > > However, most of the links that require you to login will still
> > > > > > always redirect to shibboleth, so you will have to instruct your
> > > > > > local users that they must click on the local login to ensure they
> > > > > > are logged in before trying to use any of the logged in user
> > > > > > functionality.
> > > > > > 
> > > > > > You might want to do something clever with the login link to
> > > > > > ensure the user gets returned to the same page they were on before
> > > > > > they realised they need to login. I am not sure how to do this off
> > > > > > the top of my head.
> > > > > > 
> > > > > > Regards
> > > > > > 
> > > > > > David Newman
> > > > > > 
> > > > > > On Wed, 2017-12-13 at 10:53 +0100, Yuri wrote:
> > > > > > > 
> > > > > > > Hi!
> > > > > > > 
> > > > > > > reading and implementing this guide:
> > > > > > > 
> > > > > > > https://wiki.eprints.org/w/Shibboleth
> > > > > > > 
> > > > > > > every login is handled by Shibboleth. Is there a way to let the
> > > > > > > user choose between local and Shibboleth login?
> > > > > > > 
> > > > > > > 
> > > > > > > *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
> > > > > > > *** Archive: http://www.eprints.org/tech.php/
> > > > > > > *** EPrints community wiki: http://wiki.eprints.org/
> > > > > > > *** EPrints developers Forum: http://forum.eprints.org/