
[EP-tech] Shibboleth and local login



On 07/02/2018 11:04, David R Newman wrote:
> Hi Yuri,
>
> Actually you will find if you click on the Login link it actually
> takes you to /cgi/users/home, when you have configured Shibboleth, this
> will redirect to /shibboleth/login rather than /cgi/users/login.
> If you create a link directly to /cgi/users/login this will allow you to
> still use local login.

No, I tried but it sends me to Shibboleth auth. This is because
/cgi/users/login is sent to https and thus to shibboleth because / in
https is protected by shibboleth. Just protecting /shibboleth in https
does not work. You can login but you get no user from apache. I think it
has to do with remote_user being passed only when you've a protected
location, so if you're on /cgi you don't get the user while if you're on
/shibboleth yes.

Can you share your https/eprints config? I'm using Debian stretch and
EPrints 3.3.16 installed from tar.gz

> I go direct to /cgi/users/login all the time
> for repositories I support where I am not part of the institution
> itself.
>
> The only downside of having a direct login link is you may not be
> logged into the page you clicked the local login link on. However, I
> think you can probably do something clever with your template to write
> the current path into the href for html of this link.

>
> On a side issue, I am the most recent person to significantly update
> the Shibboleth page on wiki.eprints.org. I am aware of a couple of
> errors. One is with the /shibboleth/login code without user creation.

The user is created using login-autocreate

> I have been meaning to get round to fixing this. Also, there is an
> issue with the /shibboleth/login code that does create user accounts
> because it does not render correctly and misses out a load of empty
> string definitions in the following line:
>
> my ($username, $given, $family, $email) = (undef, '', '', '');

Yes, I've this but just cosmetic. Thanks for your help.

>
> I will endeavour to correct these issues today.

Thanks!

>
> Regards
>
> David Newman
>
> On Wed, 2018-02-07 at 10:03 +0100, Yuri wrote:
>> Hi!
>>
>> I'm following: https://wiki.eprints.org/w/Webserver_authentication
>>
>> I've found this in :
>>
>>     if( $repository->current_url ne $repository->current_url( path => "cgi", "users/login" ) )
>>     {
>>         EPrints::Apache::AnApache::send_status_line( $r, 302, "Need to login first" );
>>         EPrints::Apache::AnApache::header_out( $r, "Location", $login_url );
>>         EPrints::Apache::AnApache::send_http_header( $r );
>>         return DONE;
>>     }
>>
>> this creates a loop in authentication because it doesn't check for
>> /shibboleth/login! perl_lib/EPrints/Apache/Auth.pm
>>
>> My question is also how I can insert a link to a local
>> authentication
>> because if I follow a link to /cgi/users/login, I get redirected to
>> shibboleth auth. Is it because of the lines above?
>>
>> To avoid the loop, in auth.pl I've changed this:
>>
>>     my $url = URI->new( $session->get_repository->get_conf( "base_url" ) . "/shibboleth/login" );
>>     <- base_url is http, no shibboleth, so the server keeps redirecting over and over
>>
>> to:
>>
>>     my $url = "https://<mysite>/shibboleth/login";
>>
>> So, I think the guide is incomplete or there's something not clear to
>> me...
>>
>> On 14/12/2017 09:11, Yuri wrote:
>>> Ok, so I've just to add a link to /shibboleth/login in
>>> /cgi/users/login for people who want to login using shibboleth,
>>> isn't it?
>>>
>>> For redirects it is not a problem, but I think /cgi/users/login
>>> already saves the loginparams so sends you to the wanted page.
>>>
>>>
>>> On 13/12/2017 11:25, David R Newman wrote:
>>>> Hi Yuri,
>>>>
>>>> The actual login page is http://HOSTNAME/cgi/users/login you could
>>>> include this link for people who want to login using local login.
>>>> However, most of the links that require you to login will still always
>>>> redirect to shibboleth, so you will have to instruct your local users
>>>> that they must click on the local login to ensure they are logged in
>>>> before trying to use any of the logged in user functionality.
>>>>
>>>> You might want to do something clever with the login link to ensure the
>>>> user gets returned to the same page they were on before they realised
>>>> they need to login. I am not sure how to do this off the top of my
>>>> head.
>>>>
>>>> Regards
>>>>
>>>> David Newman
>>>>
>>>> On Wed, 2017-12-13 at 10:53 +0100, Yuri wrote:
>>>>> Hi!
>>>>>
>>>>> reading and implementing this guide:
>>>>>
>>>>> https://wiki.eprints.org/w/Shibboleth
>>>>>
>>>>> every login is handled by Shibboleth. Is there a way to let the user
>>>>> choose between local and Shibboleth login?
>>>>>
>>>>>
>>>>> *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
>>>>> *** Archive: http://www.eprints.org/tech.php/
>>>>> *** EPrints community wiki: http://wiki.eprints.org/
>>>>> *** EPrints developers Forum: http://forum.eprints.org/
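
Added example, not part of the thread or of the EPrints wiki: the behaviour described above (REMOTE_USER only reaching EPrints on a Shibboleth-protected location, and /cgi/users/login being forced to the IdP when / is protected) is what mod_shib's lazy-session setup addresses. The sketch assumes Apache 2.4 with mod_shib in the https VirtualHost; the two paths are the ones named in the thread, everything else is an assumption about the local setup.

```apache
# Pattern described in the thread: every https URL demands a session, so
# /cgi/users/login is bounced to the IdP and local login is unreachable.
#<Location />
#    AuthType shibboleth
#    ShibRequestSetting requireSession true
#    Require valid-user
#</Location>

# Lazy session: mod_shib runs on every request and exports REMOTE_USER when
# a Shibboleth session already exists, but never forces a login by itself.
<Location />
    AuthType shibboleth
    ShibRequestSetting requireSession false
    Require shibboleth
    # Keep identity in the request environment rather than in HTTP headers,
    # so a client cannot supply its own user header (Off is the default).
    ShibUseHeaders Off
</Location>

# Only the Shibboleth entry point forces authentication at the IdP.
<Location /shibboleth>
    AuthType shibboleth
    ShibRequestSetting requireSession true
    Require valid-user
</Location>
```

With lazy sessions Apache no longer blocks anything under /, so access to the logged-in pages rests entirely on EPrints' own checks; the login URL that auth.pl builds still has to be the https one, as noted in the thread.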