EPrints Technical Mailing List Archive

Message: #07132

< Previous (by date) | Next (by date) > | < Previous (in thread) | Next (in thread) > | Messages - Most Recent First | Threads - Most Recent First

Re: [EP-tech] Shibboleth and local login

Hi Yuri,

Actually you will find if you click on the the Login link it actually
takes you to /cgi/users/home, when you have configured Shibboleth, this
will redirect to /shibboleth/login rather than /cgi/users/login.  If
you create a link directly to /cgi/users/login this will allow you to
still use local login.  I go direct to /cgi/users/login all the time
for repositories I support where I am not part of the institution
itself.  

The only downside of having a direct login link is you may not be
logged into the page you clicked the local login link on.  However, I
think you can probably do something clever with you template to write
the current path into the href for html of this link.

On a side issue, I am the most recent person to significantly update
the Shibboleth page on wiki.eprints.org.  I am aware of a couple of
errors.  One is will the /shibboleth/login code without user creation.
 I have been meaning to get round to fixing this.  Also, there is an
issue with the /shibboleth/login code that does create user accounts
because it does not render correctly and misses out a load of empty
string definitions in the following line:

my ($username, $given, $family, $email) = (undef, '', '', '');

I will endeavour to correct these issues today.

Regards

David Newman

On Wed, 2018-02-07 at 10:03 +0100, Yuri wrote:
> Hi!
> 
> I'm following: https://wiki.eprints.org/w/Webserver_authentication
> 
>   I've found this in :
> 
>                  if( $repository->current_url ne 
> $repository->current_url( path => "cgi", "users/login" ) )
>                  {
> EPrints::Apache::AnApache::send_status_line( $r, 302, "Need to login 
> first" );
>                          EPrints::Apache::AnApache::header_out( $r, 
> "Location", $login_url );
> EPrints::Apache::AnApache::send_http_header( $r );
>                          return DONE;
>                  }
> 
> this create a loop in authentication because it doesn'nt check for 
> /shibboleth/login! perl_lib/EPrints/Apache/Auth.pm
> 
> My question is also how I can insert a link to a local
> authentication 
> because if I follow a link to /cgi/users/login, I get redirected to 
> shibboleth auth. Is it because of the lines above?
> 
> To avoid the loop, in auth.pl I've changed this:
> 
>     my $url = URI->new( $session->get_repository->get_conf(
> "base_url" ) 
> . "/shibboleth/login" ); <- base_url is http, no shibboleth, so the 
> server keep redirecting over and over
> 
>   to:
> 
>      my $url = "https://<mysite>/shibboleth/login";
> 
> So, I think the guide is incomplete or there's something not clear to
> me...
> 
> Il 14/12/2017 09:11, Yuri ha scritto:
> > 
> > Ok, so I've just to add a link to /shibboleth/login in 
> > /cgi/users/login for people which want to login using shibboleth, 
> > isn't it?
> > 
> > For redirects it is not a problem, but I think /cgi/users/login 
> > already save the loginparams so send you to the wanted page.
> > 
> > 
> > Il 13/12/2017 11:25, David R Newman ha scritto:
> > > 
> > > Hi Yuri,
> > > 
> > > The actual login page is http://HOSTNAME/cgi/users/login you
> > > could
> > > include this link for people who want to login using local login.
> > >   However, must the links that require you to login will still
> > > always
> > > redirect to shibboleth, so you will have to instruct you local
> > > uses
> > > that they must click on the local login to ensure they are logged
> > > in
> > > before trying to use any of the logged in user functionality,
> > > 
> > > You might want to do something clever with the login link to
> > > ensure the
> > > user gets returned to the same page they were on before they
> > > realised
> > > they need to login.  I am not sure how to do this off the top of
> > > my
> > > head.
> > > 
> > > Regards
> > > 
> > > David Newman
> > > 
> > > On Wed, 2017-12-13 at 10:53 +0100, Yuri wrote:
> > > > 
> > > > Hi!
> > > > 
> > > >    reading and implementing this guide:
> > > > 
> > > > https://wiki.eprints.org/w/Shibboleth
> > > > 
> > > >    every login is handled by Shibboleth. Is there a way to let
> > > > the
> > > > user
> > > > choose betsween local and Shibboleth login?
> > > > 
> > > > 
> > > > *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/ep
> > > > rints-
> > > > tech
> > > > *** Archive: http://www.eprints.org/tech.php/
> > > > *** EPrints community wiki: http://wiki.eprints.org/
> > > > *** EPrints developers Forum: http://forum.eprints.org/
> > > *** Options: 
> > > http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
> > > *** Archive: http://www.eprints.org/tech.php/
> > > *** EPrints community wiki: http://wiki.eprints.org/
> > > *** EPrints developers Forum: http://forum.eprints.org/
> 
> *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-
> tech
> *** Archive: http://www.eprints.org/tech.php/
> *** EPrints community wiki: http://wiki.eprints.org/
> *** EPrints developers Forum: http://forum.eprints.org/