EPrints Technical Mailing List Archive

Message: #07137



Re: [EP-tech] Shibboleth and local login


Hi Yuri,

The default instructions at https://wiki.eprints.org/w/Shibboleth assume
users have already been created.  This is the more secure assumption,
as someone may want to use institutional login but only wants a
specific set of users to be able to log in, and does not want or is not
able to configure the IdP to do this.

There is a version of the script in the Customisation section of the
Shibboleth page that shows how to do user account creation as well.  I
have just updated the page so it is more obvious from the page's table
of contents that this script does account creation.  I have also
amended the instructions for the default login script to say that it
does not create user accounts and to look at the customisation section.
Further to this, I figured out what causes the 500 error and amended
the login script.  So instead you should get taken to an account
required page if you can log in with Shibboleth but do not have an
account on the EPrints repository.

I will look into whether the Webserver_authentication page can be
deprecated.  If so, I will put a notice on it telling users to use the
Shibboleth page instead.

Regards

David Newman




On Thu, 2018-02-08 at 11:15 +0100, Yuri wrote:
> Now I got it. I completely got rid of any
> https://wiki.eprints.org/w/Webserver_authentication instruction and
> followed exactly your guide ( https://wiki.eprints.org/w/Shibboleth )
> and... it works!
> 
> Can someone update https://wiki.eprints.org/w/Webserver_authentication
> about it not working?
> 
> Also the /cgi/users/login local authentication works perfectly.
> 
> The only problem now is that you get a 500 if the user has not been 
> created before. So I copied what they did for webserver auth 
> (login-autocreate), and updated the login script get_user routine:
> 
> sub get_user {
>    my ( $username, $email ) = ( undef, "" );
>    # Shibboleth only sets REMOTE_USER inside a protected Location
>    if( $ENV{REMOTE_USER} ) {
>     #( $username ) = split( /@/, $ENV{eppn}, 2);
>     $username = lc( $ENV{REMOTE_USER} );
>     $email = $ENV{REMOTE_USER};
>    }
>    return unless EPrints::Utils::is_set( $username );
>    my $user = $session->user_by_username( $username );
> 
>    # auto-create the account on first Shibboleth login (login-autocreate)
>    if( !defined $user )
>    {
>      $user = EPrints::DataObj::User::create( $session, "user" );
>      $user->set_value( "username", $username );
>    }
> 
>    # email is refreshed from the IdP on every login
>    $user->set_value( "email", $email );
>    $user->commit;
>    return $user;
> }
> 
> If someone doesn't want to autocreate users, then just do a redirect
> instead of creating a user (better to do a logout using
> $c->{on_logout} before?)
> 
> Really thanks!
> 
> 
> Il 07/02/2018 15:33, David R Newman ha scritto:
> > 
> > Hi Yuri,
> > 
> > The instructions I wrote at https://wiki.eprints.org/w/Shibboleth
> > have a config file called zz_shibboleth.pl in your archive's
> > cfg/cfg.d/ that uses the following line in the get_login_url sub:
> > 
> > my $url = URI->new( $session->config( "https_url" ) . "/shibboleth/login" );
> > 
> > This is the equivalent of what you have suggested below.
> > 
> > Also these instructions explain that you need to add the following
> > to your archive's ssl/securevhost.conf after the Include line for
> > EPRINTS_PATH/cfg/apache_ssl/ARCHIVENAME.conf, substituting foo for
> > your archive name below:
> > 
> > Alias /shibboleth /opt/eprints3/archives/foo/shibboleth
> > <Location "/shibboleth">
> >    SetHandler perl-script
> >    PerlHandler ModPerl::Registry
> >    PerlSendHeader Off
> >    Options ExecCGI FollowSymLinks
> > 
> >    AuthType shibboleth
> >    ShibRequestSetting requireSession 1
> >    require shib-session
> > </Location>
> > 
> > <Location /cgi/shibboleth>
> >    AuthType shibboleth
> >    ShibRequestSetting requireSession 1
> >    require shib-session
> > </Location>
> > 
> > The second Location block is not absolutely necessary unless you
> > want to deploy the /cgi/shibboleth test script.
> > 
> > With this config, I can go to /cgi/users/login on http or https and
> > not be redirected to /shibboleth/login.
> > 
> > Regards
> > 
> > David Newman
> > 
> > On Wed, 2018-02-07 at 15:10 +0100, Yuri wrote:
> > > 
> > > What about:
> > > 
> > > To avoid the loop, in auth.pl I've changed this:
> > > 
> > >        my $url = URI->new( $session->get_repository->get_conf( "base_url" ) . "/shibboleth/login" );
> > > 
> > > <- base_url is http, not shibboleth, so the server keeps redirecting over and over
> > > 
> > >      to:
> > > 
> > >         my $url = "https://<mysite>/shibboleth/login";
> > > 
> > > because of (from perl_lib/EPrints/Apache/Auth.pm):
> > > 
> > >     if( $repository->current_url ne $repository->current_url( path => "cgi", "users/login" ) )
> > >     {
> > >         EPrints::Apache::AnApache::send_status_line( $r, 302, "Need to login first" );
> > >         EPrints::Apache::AnApache::header_out( $r, "Location", $login_url );
> > >         EPrints::Apache::AnApache::send_http_header( $r );
> > >         return DONE;
> > >     }
> > > 
> > > This creates a loop in authentication because it doesn't check
> > > for /shibboleth/login but just for /cgi/users/login.
> > > 
> > > Il 07/02/2018 14:48, Yuri ha scritto:
> > > > 
> > > > Il 07/02/2018 11:04, David R Newman ha scritto:
> > > > > 
> > > > > Hi Yuri,
> > > > > 
> > > > > Actually you will find if you click on the Login link it
> > > > > actually takes you to /cgi/users/home; when you have configured
> > > > > Shibboleth, this will redirect to /shibboleth/login rather than
> > > > > /cgi/users/login.  If you create a link directly to
> > > > > /cgi/users/login this will allow you to still use local login.
> > > > No, I tried but it sends me to Shibboleth auth. This is because
> > > > /cgi/users/login is sent to https and thus to shibboleth because /
> > > > in https is protected by shibboleth. Just protecting /shibboleth in
> > > > https does not work. You can login but you get no user from apache.
> > > > I think it has to do with remote_user being passed only when you
> > > > have a protected location, so if you're on /cgi you don't get the
> > > > user while if you're on /shibboleth you do.
> > > > 
> > > > Can you share your https/eprints config? I'm using Debian stretch
> > > > and Eprints 3.3.16 installed from tar.gz
> > > > 
> > > > > 
> > > > > I go direct to /cgi/users/login all the time for repositories I
> > > > > support where I am not part of the institution itself.
> > > > > 
> > > > > The only downside of having a direct login link is you may not
> > > > > be logged into the page you clicked the local login link on.
> > > > > However, I think you can probably do something clever with your
> > > > > template to write the current path into the href for html of
> > > > > this link.
> > > > > On a side issue, I am the most recent person to significantly
> > > > > update the Shibboleth page on wiki.eprints.org.  I am aware of a
> > > > > couple of errors.  One is with the /shibboleth/login code without
> > > > > user creation.
> > > > The user is created using login-autocreate
> > > > 
> > > > > 
> > > > > I have been meaning to get round to fixing this.  Also, there is
> > > > > an issue with the /shibboleth/login code that does create user
> > > > > accounts because it does not render correctly and misses out a
> > > > > load of empty string definitions in the following line:
> > > > > 
> > > > > my ($username, $given, $family, $email) = (undef, '', '', '');
> > > > Yes, I've this but just cosmetic. Thanks for your help.
> > > > 
> > > > > 
> > > > > I will endeavour to correct these issues today.
> > > > Thanks!
> > > > 
> > > > > 
> > > > > Regards
> > > > > 
> > > > > David Newman
> > > > > 
> > > > > On Wed, 2018-02-07 at 10:03 +0100, Yuri wrote:
> > > > > > 
> > > > > > Hi!
> > > > > > 
> > > > > > I'm following: https://wiki.eprints.org/w/Webserver_authentication
> > > > > > 
> > > > > >      I've found this in:
> > > > > > 
> > > > > >     if( $repository->current_url ne $repository->current_url( path => "cgi", "users/login" ) )
> > > > > >     {
> > > > > >         EPrints::Apache::AnApache::send_status_line( $r, 302, "Need to login first" );
> > > > > >         EPrints::Apache::AnApache::header_out( $r, "Location", $login_url );
> > > > > >         EPrints::Apache::AnApache::send_http_header( $r );
> > > > > >         return DONE;
> > > > > >     }
> > > > > > 
> > > > > > this creates a loop in authentication because it doesn't check
> > > > > > for /shibboleth/login! perl_lib/EPrints/Apache/Auth.pm
> > > > > > 
> > > > > > My question is also how I can insert a link to a local
> > > > > > authentication because if I follow a link to /cgi/users/login,
> > > > > > I get redirected to shibboleth auth. Is it because of the lines
> > > > > > above?
> > > > > > 
> > > > > > To avoid the loop, in auth.pl I've changed this:
> > > > > > 
> > > > > >        my $url = URI->new( $session->get_repository->get_conf( "base_url" ) . "/shibboleth/login" );
> > > > > > 
> > > > > > <- base_url is http, not shibboleth, so the server keeps redirecting over and over
> > > > > > 
> > > > > >      to:
> > > > > > 
> > > > > >         my $url = "https://<mysite>/shibboleth/login";
> > > > > > 
> > > > > > So, I think the guide is incomplete or there's something not
> > > > > > clear to me...
> > > > > > 
> > > > > > Il 14/12/2017 09:11, Yuri ha scritto:
> > > > > > > 
> > > > > > > Ok, so I've just to add a link to /shibboleth/login in
> > > > > > > /cgi/users/login for people who want to login using
> > > > > > > shibboleth, isn't it?
> > > > > > > 
> > > > > > > For redirects it is not a problem, but I think
> > > > > > > /cgi/users/login already saves the loginparams so it sends
> > > > > > > you to the wanted page.
> > > > > > > 
> > > > > > > 
> > > > > > > Il 13/12/2017 11:25, David R Newman ha scritto:
> > > > > > > > 
> > > > > > > > Hi Yuri,
> > > > > > > > 
> > > > > > > > The actual login page is http://HOSTNAME/cgi/users/login;
> > > > > > > > you could include this link for people who want to login
> > > > > > > > using local login.  However, most of the links that require
> > > > > > > > you to login will still always redirect to shibboleth, so
> > > > > > > > you will have to instruct your local users that they must
> > > > > > > > click on the local login to ensure they are logged in before
> > > > > > > > trying to use any of the logged in user functionality.
> > > > > > > > 
> > > > > > > > You might want to do something clever with the login link
> > > > > > > > to ensure the user gets returned to the same page they were
> > > > > > > > on before they realised they need to login.  I am not sure
> > > > > > > > how to do this off the top of my head.
> > > > > > > > 
> > > > > > > > Regards
> > > > > > > > 
> > > > > > > > David Newman
> > > > > > > > 
> > > > > > > > On Wed, 2017-12-13 at 10:53 +0100, Yuri wrote:
> > > > > > > > > 
> > > > > > > > > Hi!
> > > > > > > > > 
> > > > > > > > >       reading and implementing this guide:
> > > > > > > > > 
> > > > > > > > > https://wiki.eprints.org/w/Shibboleth
> > > > > > > > > 
> > > > > > > > >       every login is handled by Shibboleth. Is there a way
> > > > > > > > > to let the user choose between local and Shibboleth login?
> > > > > > > > > 
> > > > > > > > > 
> > > > > > > > > *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
> > > > > > > > > *** Archive: http://www.eprints.org/tech.php/
> > > > > > > > > *** EPrints community wiki: http://wiki.eprints.org/
> > > > > > > > > *** EPrints developers Forum: http://forum.eprints.org/
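The thread's security point is the choice between Yuri's auto-creating get_user and the wiki default that only lets pre-existing accounts in. The following is an added illustration written for this archive page, not code from EPrints, the wiki, or either poster: a stand-alone Perl routine that turns the Shibboleth-supplied identity (eppn, falling back to REMOTE_USER) into a local username and a decision, so that the policy (allowed eppn scopes, an optional allow-list, autocreate on or off) is checked before any EPrints::DataObj::User::create call. The policy keys, the username pattern, the email derivation from the eppn scope and the user_exists callback are all assumptions chosen for the example; the sample identities at the bottom are constructed.

```perl
#!/usr/bin/perl
# Added example (not EPrints or wiki code): decide what to do with a
# Shibboleth-authenticated identity before touching the user table.
use strict;
use warnings;

# Assumed policy shape for this example:
#   allowed_scopes - eppn scopes (part after '@') we trust; empty list = any
#   allowed_users  - optional explicit allow-list of local usernames
#   autocreate     - 1: create missing users (login-autocreate style)
#                    0: require a pre-existing account (wiki default)
#   user_exists    - callback standing in for $session->user_by_username
sub resolve_remote_user {
    my ( $env, $policy ) = @_;

    # Prefer the scoped eppn attribute when the SP exports it, else REMOTE_USER.
    my $id = $env->{eppn} // $env->{REMOTE_USER};
    return { action => 'anonymous' } unless defined $id && length $id;

    my ( $local, $scope ) = split /@/, $id, 2;
    $local = lc $local;
    $scope = lc( $scope // '' );

    # An attribute released by an IdP is input; only accept a plain account
    # name so nothing odd ends up in the username field.
    return { action => 'reject', reason => 'malformed username' }
        unless $local =~ /\A[a-z0-9][a-z0-9._-]{0,63}\z/;

    # Accept identities only from configured scopes, if any are configured.
    my @scopes = @{ $policy->{allowed_scopes} || [] };
    if ( @scopes && !grep { $_ eq $scope } @scopes ) {
        return { action => 'reject', reason => "scope '$scope' not allowed" };
    }

    # Optional allow-list, for the "specific set of users" case in the thread.
    my %allowed = map { $_ => 1 } @{ $policy->{allowed_users} || [] };
    if ( %allowed && !$allowed{$local} ) {
        return { action => 'reject', reason => 'user not in allow-list' };
    }

    my $exists = $policy->{user_exists}->($local);
    if ( !$exists && !$policy->{autocreate} ) {
        # Caller should redirect to an "account required" page here.
        return { action => 'account_required', username => $local };
    }
    return {
        action   => $exists ? 'login' : 'create',
        username => $local,
        # Assumed: email is the scoped eppn when a scope is present.
        email    => $scope ? "$local\@$scope" : '',
    };
}

# Constructed demonstration: one known local user, one trusted scope,
# autocreate switched off (the wiki's default assumption).
my %known  = ( alice => 1 );
my %policy = (
    allowed_scopes => ['example.ac.uk'],
    autocreate     => 0,
    user_exists    => sub { $known{ $_[0] } },
);

for my $env (
    { eppn => 'Alice@example.ac.uk' },      # known user, case folded -> login
    { eppn => 'bob@example.ac.uk' },        # trusted scope, no account -> account_required
    { eppn => 'mallory@evil.example' },     # untrusted scope -> reject
    { REMOTE_USER => '../etc/passwd' },     # not a plain account name -> reject
) {
    my $r = resolve_remote_user( $env, \%policy );
    printf "%-28s -> %s%s\n",
        ( $env->{eppn} // $env->{REMOTE_USER} ),
        $r->{action},
        ( $r->{reason} ? " ($r->{reason})" : '' );
}
```

To use it from a login script like the one Yuri posted, call resolve_remote_user( \%ENV, \%policy ) inside get_user: on 'login' fetch the user with $session->user_by_username, on 'create' do the EPrints::DataObj::User::create and set_value steps from his snippet, on 'account_required' redirect to the account-required page, and on 'reject' or 'anonymous' return undef. Flipping autocreate to 1 gives the login-autocreate behaviour while keeping the scope and allow-list checks in front of it.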