dvn-auth

dvn-auth@lists.iq.harvard.edu

17 discussions

by Philip Durbin

The dvn-auth mailing list has been fun but we're retiring it for a number of reasons. First, this list is quite low traffic. So is the main dataverse-community Google Group. We've decided to ask everyone here to join the Google Group instead: https://groups.google.com/forum/#!forum/dataverse-community All things auth are on topic for the Google Group. There's really no need to split up the community. People seem to agree: http://irclog.iq.harvard.edu/dataverse/2015-07-16#i_21793 Second, this list was created back when Redmine was used for ticket tracking and there was no way for people outside IQSS to comment on issues. This has all changed with the move to GitHub issues so there are more ways to reach out. Comment away on those auth tickets! A number of Google docs related to auth allow public comments as well. Third, recently some subscribers to this lists have received many strange "unsubscribe me" and "reset my password" emails as chronicled at https://lists.iq.harvard.edu/pipermail/dvn-auth/2015-July/000031.html . Nobody needs this, especially for a low-traffic list. We'll just shut it down. Long live the Google Group. (Long live http://chat.dataverse.org as well, the preferred communication channel of the coordinators of the Dataverse Auth Community Group: http://community.dataverse.org/community-groups/auth.html :) Finally, the list has "dvn" in the name but it's now a legacy term. We call the software "Dataverse". :) We'll keep the archives of this list around but I'll unsubscribe everyone after sending this message. Thank you for everyone's participation! Please do consider joining the Google Group. And please don't be shy about asking questions about auth or discussing auth there. If we overwhelm the group, we can always split off into a separate list again someday! :) Phil -- Philip Durbin Software Developer for http://dataverse.org http://www.iq.harvard.edu/people/philip-durbin

8 years, 9 months

Abnormal mailing list emails are being investigated

by Ben Companjen

Dear all, Last night (CEST) dvn-auth list subscribers (may) have received "confirm unsubscribe" and/or "mailing list reminder" messages. Chances are you did not want to unsubscribe, so you can ignore the messages. Phil and I are investigating what happened (although we have to rely on the list system administrators) and if this should/could be prevented in the future. Ben

8 years, 9 months

Auth group meeting report; group page updated

by Ben Companjen

Hi all, We've taken off! The Authentication and Authorization Community Group, that is. At the first Dataverse Community Meeting, a break-out session on Auth was well attended and already resulted in interesting ideas for possible directions for Dataverse development. The report of the meeting is a Google Doc: https://docs.google.com/document/d/17TI2RLqdntd5vnrygDrFgYNNmqb_eoTdSFita-L… Phil and I updated the CG's page on Dataverse.org yesterday. The page has pretty minimal information, as the more dynamic group information can be found in and linked from the (main) Dataverse Authentication and Authorization Community Group Google Doc: https://docs.google.com/document/d/1xbWkj_OIk13gKe7jleNXVvakZErvHLA8JRBvLz8… You're invited to read and contribute by commenting or requesting edit access to this document or linked documents. The Dataverse.org website is being migrated to a different platform. We, the group, may decide to migrate our documents too. It was great to meet so many people interested in Dataverse and authentication/authorization at the Community Meeting and hope to keep in touch online and offline. Regards, Phil and Ben

8 years, 9 months

2015-06-10 Dataverse Authentication Breakout Session

by Philip Durbin

Hello! For the first time the two coordinators (Ben Companjen and myself) of the Dataverse Auth Community Group are in the same room and we're kicking off the group in a meeting this afternoon. I wanted to share the Google Doc where we will be taking notes. It's open for editing so please feel free to edit it as much as you like! https://docs.google.com/document/d/17TI2RLqdntd5vnrygDrFgYNNmqb_eoTdSFita-L… Phil -- Philip Durbin Software Developer for http://dataverse.org http://www.iq.harvard.edu/people/philip-durbin

8 years, 10 months

2 Approaches to Open Source Single Sign-On & Access Management | Gluu | Blog

by Philip Durbin

http://www.gluu.org/blog/2-approaches-to-diy-single-sign-on-sso/

8 years, 12 months

Shibboleth persistent identifier: persistent-id vs. eppn vs. ePTID vs. NameID

by Philip Durbin

Hello! Question for all you Shibboleth experts out there... If I'd like to take one of the attributes and store in in Dataverse as a persistent identifier? Which one should I use? >From playing around with the IdP at http://testshib.org I assumed "persistent-id" would be the one to use. It looks nice and unique: persistent-id: https://idp.testshib.org/idp/shibboleth!https://apitest.dataverse.org/shibb… However! I'm hearing that "persistent-id" may not be so commonly used... that perhaps in Higher Ed anyway "eppn" might be used instead. The weird thing to me about "eppn", however is that (at least from TestShib) there's a username in it: eppn: myself(a)testshib.org Furthermore, eppn is allowed to change (!) according to https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-… "Values of eduPersonPrincipalName are often, but not required to be, human-friendly, and may change as a result of various business processes. They may also be reassigned after a locally-defined period of dormancy. Applications that require a guarantee of non-reassignment and more stability, but can tolerate values unfriendly (and unknown) to humans should refer to the eduPersonTargetedID attribute." So... maybe we should require eduPersonTargetedID (also known as ePTID) instead... But then I checked in with a non-Higher Ed person, and he uses Assertion -> Subject -> NameID. It looks like this: <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user1</saml2:NameID> It's got "persistent" in it, which I like. :) >From what I can tell from docs above "[ePTID] is an abstracted version of [NameID]" anyway, so maybe I should just require NameID so non-Higher Ed people aren't confused. Of course, I may just be confusing myself... I hope it's clear what I'm asking... What we need on the Dataverse side is to but something in the "FIXME" below: permanentId = httpServletRequest.getAttribute("FIXME"); Should the "FIXME" be "NameID" perhaps? "eppn"? Something else? Please advise. We'll be using this value to find the Shib users in the system each time they log in. Thanks! Phil p.s. Chats I just had (summarized above): http://irclog.perlgeek.de/shibboleth/2014-07-29 Time Nick Message 19:57 pdurbin hsnopi or rkeene do you use "persistent-id" for anything? 19:59 hsnopi not taht I am specifically aware of. I think it is used to give a user a permenant id but i could be very very wrong 19:59 pdurbin that's how I was thinking I'd use it 19:59 pdurbin but I'm also hearing that eppn is preferred, maybe? 20:00 pdurbin the IdP at http://testshib.org sends both 20:00 hsnopi that is so far out of my league 20:00 pdurbin eppn: myself(a)testshib.org 20:00 pdurbin persistent-id: https://idp.testshib.org/idp/shibboleth!https://apitest.dataverse.org/shibb… 20:01 pdurbin persistent-id seemed "safer" to use... more unique... 20:01 hsnopi i seem to vaguely recall something about eppn going away at soem point. 20:01 pdurbin hmm http://www.evanchooly.com/logs/%2523glassfish/2014-07-29 pdurbin whartung: persistent-id or eppn? whartung pdurbin: eh? pdurbin heh pdurbin whartung: http://irclog.perlgeek.de/shibboleth/2014-07-29 whartung frankly, I don't recognize either of those :) pdurbin whartung: what attribute do you use to uniquely identify a user who has logged in via shibboleth? whartung Subject->NAmeID pdurbin huh pdurbin I'm not used to seeing "->" in an attribute whartung Assertion -> Subject -> NameID pdurbin oh oh whartung no, it's the heirarchy pdurbin whartung: you're giving me the xpath ;) whartung yea pdurbin cool. thanks pdurbin NameID. hmm pdurbin commonly used? whartung Apparently pdurbin ok. eppn comes from higher ed. eduPersonPrincipalName https://www.incommon.org/federation/attributesummary.html whartung ok whartung yea, we're not in that domain whartung generic Response of ours: http://pastie.org/private/oay0trwmvrw9e0haekqmlw pdurbin ok so <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">kayyagari</saml2:NameID> pdurbin interesting whartung right pdurbin so I'm seeing "persistent" there and under "longevity" at https://wiki.shibboleth.net/confluence/display/SHIB2/NameIDAttributes pdurbin "persistent: identifiers which are good for a long period of time (e.g. years) but which the IdP may revoke" whartung yea, perahps we should use "permanent" instead pdurbin right -- Philip Durbin Software Developer for http://dataverse.org http://www.iq.harvard.edu/people/philip-durbin

9 years, 2 months

Announcing the Dataverse Auth Community Group

by Ben Companjen

Hi all, You may have seen the general information about the formation of Community Groups for Dataverse at [1]. "(...) Community Groups will be formed during the /First Annual Dataverse Community Meeting (June 9-11)/ <http://community.dataverse.org/community-meetings/2015/index.html#community…> and will report back to the /Dataverse Advisory Team/ <http://community.dataverse.org/advisory-team.html#advisory-team>." [1]: http://community.dataverse.org/community-groups/index.html " The Dataverse Advisory team advises the Dataverse team at IQSS, which includes PI Gary King, Project Lead Mercè Crosas and members of the Data Science team at IQSS (http://datascience.iq.harvard.edu/team), on all significant general areas involving the Dataverse software application, with a focus on technical advice." [2] [2]: http://community.dataverse.org/advisory-team.html#advisory-team One Community Group you as a subscriber to this list may be interested in, is Authentication and Authorization ("Auth") [3], which is coordinated by Philip Durbin and me. The group will discuss 'auth' functional and technical questions and requirements, use cases, etc. and report to the Advisory Team who can advise about these topics. For example, a major current topic is Shibboleth support in Dataverse 4. DDN (me :)) is thinking about assigning roles to specific dataverses to users based on SAML attributes. We are, naturally, interested in other aspects or ways of authenticating and authorizing too. [3]: http://community.dataverse.org/community-groups/auth.html On a meta level, the community groups are still / yet to be discussed. We expect that to happen between now and the end of the First Community Meeting in June. You don't need to wait for the meeting in June to join the discussion about auth, of course :) If you are interested in being part of the auth group, please let Phil or me know via email and we'll make sure you get the details. Of course, news about the auth group will be posted here and in #dataverse on Freenode IRC as well. Looking forward to talk to/chat with/see/.. you! Phil and Ben Ben Companjen Information systems engineer / Information manager ben.companjen(a)dans.knaw.nl +31 6 1334 9717 Skype: bencompanjen Data Archiving and Networked Services (DANS) DANS promotes sustained access to digital research data. See www.dans.knaw.nl for more information and contact details. DANS is an institute of KNAW and NWO. DANS | Anna van Saksenlaan 51 | 2593 HW The Hague | P.O. Box 93067 | 2509 AB The Hague | +31 70 349 44 50 | info(a)dans.knaw.nl | www.dans.knaw.nl

9 years, 2 months

Re: [dvn-auth] Shibboleth persistent identifier: persistent-id vs. eppn vs. ePTID vs. NameID (Philip Durbin)

by Erdos, Marlena

Hi Phil, I've comment on your GitHub suggestions related to the identifer/identity attributes of eppn (eduPersonPrincipalName), ePTID (eduPersonTargetedID), and NameID. I post it here for others. Hi Phil, I think you are misunderstanding the purpose of the these identity-oriented attributes when you talk about "ordering." Either that or I'm mis-understanding your business case :-). Generally, identity and identifier attributes are used for account-finding and also authorization. And other attributes (like roles and groups) also factor into authorization. There's not really an "ordering" but rather a question of "purpose" for each attribute. An IdP is generally only going to send you one of the attributes you list for a given user. Its purpose is "account-finding" if applicable, and/or "identifier-based authorization." Thx, Marlena 617-872-9736 -----Original Message----- From: "dvn-auth-request(a)lists.iq.harvard.edu<mailto:dvn-auth-request@lists.iq.harvard.edu>" <dvn-auth-request(a)lists.iq.harvard.edu<mailto:dvn-auth-request@lists.iq.harvard.edu>> Reply-To: "dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>" <dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>> Date: Thursday, February 5, 2015 at 12:00 PM To: "dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>" <dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>> Subject: dvn-auth Digest, Vol 8, Issue 1 Send dvn-auth mailing list submissions to dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu> To subscribe or unsubscribe via the World Wide Web, visit https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth or, via email, send a message with subject or body 'help' to dvn-auth-request(a)lists.iq.harvard.edu<mailto:dvn-auth-request@lists.iq.harvard.edu> You can reach the person managing the list at dvn-auth-owner(a)lists.iq.harvard.edu<mailto:dvn-auth-owner@lists.iq.harvard.edu> When replying, please edit your Subject line so it is more specific than "Re: Contents of dvn-auth digest..." Today's Topics: 1. Re: Shibboleth persistent identifier: persistent-id vs. eppn vs. ePTID vs. NameID (Philip Durbin) ---------------------------------------------------------------------- Message: 1 Date: Thu, 5 Feb 2015 10:45:03 -0500 From: Philip Durbin <philip_durbin(a)harvard.edu<mailto:philip_durbin@harvard.edu>> To: "dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>" <dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu>> Subject: Re: [dvn-auth] Shibboleth persistent identifier: persistent-id vs. eppn vs. ePTID vs. NameID Message-ID: <CABbxx8FF9KREf_Z7usdKc7Gd6fdWyj48J7_kEq8zg4WG4oT7tw(a)mail.gmail.com<mailto:CABbxx8FF9KREf_Z7usdKc7Gd6fdWyj48J7_kEq8zg4WG4oT7tw@mail.gmail.com>> Content-Type: text/plain; charset=UTF-8 Happy New Year, dvn-auth list! :) I just created a ticket about eppn vs. ePTID vs. NameID at https://github.com/IQSS/dataverse/issues/1422 Comments there or here are certainly welcome! Phil On Wed, Jul 30, 2014 at 1:39 PM, Philip Durbin <philip_durbin(a)harvard.edu<mailto:philip_durbin@harvard.edu>> wrote: Hi Leonhard! Thanks for your reply! I'm very curious what your Shibboleth federation hotline has to say. Meanwhile, a little bird on this list pointed me to a "Cloud Services Cookbook" recorded only a couple weeks ago that seems to have a ton of related advice: http://www.incommon.org/iamonline/ I'll copy the DO and DON'T bullet points from the slides and in our heads we can all translate "Vendor" to "Dataverse" and "Campus" to all the IdP providers out there: http://www.incommon.org/docs/iamonline/20140716_IAMOnline.pdf Slide 11 Challenges: Network IDs and Email Addresses CONSIDER the relationship between ePPN and mail. Campus: DO socialize the use of organizational email addresses. Campus: DO make eduPersonPrincipalName useful. Vendor: DO be cautious about using mail as a unique identifier Slide 12 Challenges: Scoped and Unscoped Identifiers Campus: DO work with service providers to understand how data is being interpreted. Vendor: DON'T assume that a simple username is unique across domains and subdomains. Slide 19 Challenge: Usernames Change ?What's in a name? ...a rose by any other name would smell as sweet" -?Act II, Scene II. Romeo and Juliet Vendor: DO be prepared for username changes. Campus: DO standardize internally on a stable "serial number" for users. Campus: DO support a varied set of identifiers. DON'T be afraid of eduPersonTargetedID. The last slide links to https://carmenwiki.osu.edu/display/CICIDM/Current+Working+Draft+of+Cloud+Se… which seems to have similar advice but not in bullet form. :) Much more detail, I mean. So! My takeaway from all this is that I would very much like the IdPs to send Dataverse a "stable 'serial number' for users". That's the thing I want to store in the database on the Dataverse side. Can all the IdPs out there send me this? Phil On Wed, Jul 30, 2014 at 3:00 AM, Leonhard Maylein <Maylein(a)ub.uni-heidelberg.de<mailto:Maylein@ub.uni-heidelberg.de>> wrote: Hi, I'm not really a shibboleth expert. As far as I can see, ePTID is used mainly in Shibboleth 1.x/SAML 1.x. Shibboleth 2.x uses the persistentNameID (see https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTargetedID) Shibboleth 1.x is no longer supported (see https://wiki.shibboleth.net/confluence/display/SHIB/WebHome). From a data privacy point of view, eppn could be problematic. PersistentNameIDs are pseudonyms. But I'm not sure if every IdP supports the persitentNameID, although there are a lot of service providers (especially publishers) which use this ID for personalization). Maybe you could make it configurable which attribute/id is used? To be sure, I will forward your email to our shibboleth federation hotline. Leonhard Maylein Am 29.07.2014 um 23:15 schrieb Philip Durbin: Hello! Question for all you Shibboleth experts out there... If I'd like to take one of the attributes and store in in Dataverse as a persistent identifier? Which one should I use? From playing around with the IdP at http://testshib.org I assumed "persistent-id" would be the one to use. It looks nice and unique: persistent-id: https://idp.testshib.org/idp/shibboleth!https://apitest.dataverse.org/shibb… However! I'm hearing that "persistent-id" may not be so commonly used... that perhaps in Higher Ed anyway "eppn" might be used instead. The weird thing to me about "eppn", however is that (at least from TestShib) there's a username in it: eppn: myself(a)testshib.org<mailto:myself@testshib.org> Furthermore, eppn is allowed to change (!) according to https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-… "Values of eduPersonPrincipalName are often, but not required to be, human-friendly, and may change as a result of various business processes. They may also be reassigned after a locally-defined period of dormancy. Applications that require a guarantee of non-reassignment and more stability, but can tolerate values unfriendly (and unknown) to humans should refer to the eduPersonTargetedID attribute." So... maybe we should require eduPersonTargetedID (also known as ePTID) instead... But then I checked in with a non-Higher Ed person, and he uses Assertion -> Subject -> NameID. It looks like this: <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user1</saml2:NameID> It's got "persistent" in it, which I like. :) From what I can tell from docs above "[ePTID] is an abstracted version of [NameID]" anyway, so maybe I should just require NameID so non-Higher Ed people aren't confused. Of course, I may just be confusing myself... I hope it's clear what I'm asking... What we need on the Dataverse side is to but something in the "FIXME" below: permanentId = httpServletRequest.getAttribute("FIXME"); Should the "FIXME" be "NameID" perhaps? "eppn"? Something else? Please advise. We'll be using this value to find the Shib users in the system each time they log in. Thanks! Phil p.s. Chats I just had (summarized above): http://irclog.perlgeek.de/shibboleth/2014-07-29 Time Nick Message 19:57 pdurbin hsnopi or rkeene do you use "persistent-id" for anything? 19:59 hsnopi not taht I am specifically aware of. I think it is used to give a user a permenant id but i could be very very wrong 19:59 pdurbin that's how I was thinking I'd use it 19:59 pdurbin but I'm also hearing that eppn is preferred, maybe? 20:00 pdurbin the IdP at http://testshib.org sends both 20:00 hsnopi that is so far out of my league 20:00 pdurbin eppn: myself(a)testshib.org<mailto:myself@testshib.org> 20:00 pdurbin persistent-id: https://idp.testshib.org/idp/shibboleth!https://apitest.dataverse.org/shibb… 20:01 pdurbin persistent-id seemed "safer" to use... more unique... 20:01 hsnopi i seem to vaguely recall something about eppn going away at soem point. 20:01 pdurbin hmm http://www.evanchooly.com/logs/%2523glassfish/2014-07-29 pdurbin whartung: persistent-id or eppn? whartung pdurbin: eh? pdurbin heh pdurbin whartung: http://irclog.perlgeek.de/shibboleth/2014-07-29 whartung frankly, I don't recognize either of those :) pdurbin whartung: what attribute do you use to uniquely identify a user who has logged in via shibboleth? whartung Subject->NAmeID pdurbin huh pdurbin I'm not used to seeing "->" in an attribute whartung Assertion -> Subject -> NameID pdurbin oh oh whartung no, it's the heirarchy pdurbin whartung: you're giving me the xpath ;) whartung yea pdurbin cool. thanks pdurbin NameID. hmm pdurbin commonly used? whartung Apparently pdurbin ok. eppn comes from higher ed. eduPersonPrincipalName https://www.incommon.org/federation/attributesummary.html whartung ok whartung yea, we're not in that domain whartung generic Response of ours: http://pastie.org/private/oay0trwmvrw9e0haekqmlw pdurbin ok so <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">kayyagari</saml2:NameID> pdurbin interesting whartung right pdurbin so I'm seeing "persistent" there and under "longevity" at https://wiki.shibboleth.net/confluence/display/SHIB2/NameIDAttributes pdurbin "persistent: identifiers which are good for a long period of time (e.g. years) but which the IdP may revoke" whartung yea, perahps we should use "permanent" instead pdurbin right _______________________________________________ dvn-auth mailing list dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu> To unsubscribe from this list or get other information: https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth _______________________________________________ dvn-auth mailing list dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu> To unsubscribe from this list or get other information: https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth -- Philip Durbin Software Developer for http://dataverse.org http://www.iq.harvard.edu/people/philip-durbin -- Philip Durbin Software Developer for http://dataverse.org http://www.iq.harvard.edu/people/philip-durbin ------------------------------ _______________________________________________ dvn-auth mailing list dvn-auth(a)lists.iq.harvard.edu<mailto:dvn-auth@lists.iq.harvard.edu> To unsubscribe from this list or get other information: https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth End of dvn-auth Digest, Vol 8, Issue 1 **************************************

9 years, 2 months

Fwd: User sessions mixed up when Java app deployed to Glassfish is fronted with Apache httpd

by Philip Durbin

I'm seeing a very strange (and scary!) bug now that we're running fronting Glassfish with Apache at https://dataverse-demo.iq.harvard.edu I've described the bug to the Shibboleth mailing list (initial message below) and there have been some follow up posts: - http://shibboleth.net/pipermail/users/2014-October/017878.html - http://shibboleth.net/pipermail/users/2014-October/017879.html - http://shibboleth.net/pipermail/users/2014-October/017885.html Obviously, we can't ship Shibboleth support with a bug like this. Long time readers of this list know that initially I tried a pure Java solution called OIOSAML but the current approach is to use mod_shib, which requires fronting Glassfish with Apache. If anyone has any ideas what the problem might be, please let me know! Thanks! Phil ---------- Forwarded message ---------- From: Philip Durbin <philip_durbin(a)harvard.edu> Date: Wed, Oct 29, 2014 at 6:47 PM Subject: User sessions mixed up when Java app deployed to Glassfish is fronted with Apache httpd To: Shib Users <users(a)shibboleth.net> By following the Shibboleth wiki*, I'm now fronting my Java application server (Glassfish) with Apache httpd so I can use mod_shib and have Shibboleth attributes passed to my Java application. It works (great!) but now that I've configured our beta site this way I have a new, terrifying problem... Users' sessions are getting mixed up! This is just a demo/beta site but obviously this is a show stopper for us moving forward with mod_shib in production. Even on the demo site I'm tempted to pull Apache httpd out of our setup because I don't want people are looking at the demo site to get scared by suddenly seeing that they are logged in as someone else! We never see this problem when we run only Glassfish. The scrambled user sessions has something to do with introducing Apache httpd into the mix. I sure hope there's a simple fix for this. Let me explain how I've set things up. In my Apache httpd config I have these lines: # don't pass paths used by rApache and TwoRavens to Glassfish ProxyPassMatch ^/RApacheInfo$ ! ProxyPassMatch ^/custom ! ProxyPassMatch ^/rookzelig ! # don't pass paths used by Shibboleth to Glassfish ProxyPassMatch ^/Shibboleth.sso ! ProxyPassMatch ^/shibboleth-ds ! # pass everything else to Glassfish ProxyPass / ajp://localhost:8009/ <Location /shib.xhtml> AuthType shibboleth ShibRequestSetting requireSession 1 require valid-user </Location> RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] To enable AJP communication between Glassfish and Apache httpd I use this command: asadmin create-network-listener --protocol http-listener-1 --listenerport 8009 --jkenabled true jk-connector I'm running on CentOS 6.5 and using httpd-2.2.15 which means I'm using mod_proxy_ajp, as the wiki recommends (rather than mod_jk). I'm running GlassFish Server Open Source Edition 4.0 (build 89). Here's where we are tracking problem on our end: https://github.com/IQSS/dataverse/issues/647 Any advice is welcome! Please tell me what I'm doing wrong! I'm happy to point out relevant bits of the code and config, all of which is on GitHub, but I think the key information is above. Phil * "In the setup described here, requests from browsers are intercepted first by Apache httpd. The Shibboleth SP then checks these requests to enforce authentication requirements. After an assertion is received and a Shibboleth session is established, the SP or Apache httpd can enforce access control rules, or it can just pass attributes to the application. The request is then forwarded to the servlet through the use of the AJP13 protocol. Subsequent requests can leverage the Shibboleth session or a session maintained by the application or servlet container to persist the login." under "Install Shibboleth to protect Java Servlets" at https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall p.s. People reporting similar problems (and how tricky it is to reproduce reliably): - http://jeecookbook.blogspot.com/2013/07/modjk-session-mixed-between-users.h… - http://stackoverflow.com/questions/14731806/session-mix-up-apache-httpd-wit… - http://stackoverflow.com/questions/14845493/spring-security-jsf-hibernate-a… -- Philip Durbin Software Developer for http://dataverse.org http://www.iq.harvard.edu/people/philip-durbin -- Philip Durbin Software Developer for http://dataverse.org http://www.iq.harvard.edu/people/philip-durbin

9 years, 6 months

Fwd: [Dataverse-Users] Try out Single Sign-On With Shibboleth in 4.0 Beta

by Philip Durbin

I'm looking for institutions with Shibboleth Identity Providers to test interoperability to the code we pushed to https://dataverse-demo.iq.harvard.edu last night per the announcement below. Right now we only have the TestShib IdP but I'd love to have Odum/UNC, DANS, Duke, etc. as options. Can we exchange metadata? Phil ---------- Forwarded message ---------- From: Eleni Castro <posixeleni(a)gmail.com> Date: Thu, Oct 9, 2014 at 12:52 PM Subject: [Dataverse-Users] Try out Single Sign-On With Shibboleth in 4.0 Beta To: dataverse-community(a)googlegroups.com Greetings Dataverse Community, Dataverse 4.0 Beta <http://dataverse-demo.iq.harvard.edu/> now supports single sign-on using Shibboleth <https://shibboleth.net/>, which allows users to authenticate using the same login credentials that they use for their institution or organization! To test this out in Dataverse 4.0 Beta, select Log In on the top navigation bar. Once on the Log In page under “Institution Log In”, click on “Please select your institution…” dropdown option and select “TestShib Test IdP” and click on the “Continue” button. Next, you will be presented with a login page. As of this blog post, you can only log in with three mock accounts (myself, superego, and alterego) provided by the Identity Provider at http://testshib.org but we are very interested in interoperability testing as many Identity Providers as possible! If the login is successful, you will then be taken to our Dataverse Account Creation Terms of Use page. Please note that these terms are just for testing and demonstration purposes and so are not our actual Dataverse Terms of Use. We are currently working with the Berkman Center <http://cyber.law.harvard.edu/> to update our Account Creation Terms of Use for 4.0. If you run a Shibboleth Identity Provider, you can download the the Dataverse demo Service Provider metadata at https://dataverse-demo.iq.harvard.edu/Shibboleth.sso/Metadata and send your Identity Provider metadata to us via support(a)dataverse.org We would love to be able to have as many institutions able to use Shibboleth when Dataverse 4.0 goes live so please get in touch with us if you are interested! If you are interested in authentication beyond Shibboleth (OAuth, LDAP, etc.), please consider subscribing to our dedicated "dvn-auth" mailing list at https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth Shibboleth is an oft-discussed topic <http://irclog.iq.harvard.edu/search.pl?channel=dataverse&q=shibboleth> in the #dataverse IRC channel on freenode <http://webchat.freenode.net/?channels=dataverse> as well! *Reposted from the Data Science Blog: **http://datascience.iq.harvard.edu/blog/try-out-single-sign-shibboleth-40-beta <http://datascience.iq.harvard.edu/blog/try-out-single-sign-shibboleth-40-be…>* -- You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsubscribe(a)googlegroups.com. To post to this group, send email to dataverse-community(a)googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/54796b3e-3296-46e9-94… <https://groups.google.com/d/msgid/dataverse-community/54796b3e-3296-46e9-94…> . For more options, visit https://groups.google.com/d/optout. -- Philip Durbin Software Developer for http://dataverse.org <http://thedata.org> http://www.iq.harvard.edu/people/philip-durbin

9 years, 6 months

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

dvn-auth