[Bug 17776] New: Shibboleth Authentication is broken in plack


bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776

            Bug ID: 17776
           Summary: Shibboleth Authentication is broken in plack
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: Authentication
          Assignee: [hidden email]
          Reporter: [hidden email]
        QA Contact: [hidden email]
                CC: [hidden email]

Shibboleth authentication relies heavily on per-request environment variables,
which don't play nicely with persistent apps (plack).

We need to convert to using request headers in this case and update the
documentation to reflect this alteration.

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/

[Bug 17776] Shibboleth Authentication is broken in plack

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776

Katrin Fischer <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #1 from Katrin Fischer <[hidden email]> ---
Should this be enh or more a bug?


[Bug 17776] Shibboleth Authentication is broken in plack

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776

Mirko Tietgen <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|enhancement                 |normal
                 CC|                            |[hidden email]

--- Comment #2 from Mirko Tietgen <[hidden email]> ---
If it's broken it's a bug. ;)


[Bug 17776] Shibboleth Authentication is broken in plack

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776

--- Comment #3 from Martin Renvoize <[hidden email]> ---
Created attachment 60800
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=60800&action=edit
Enable Shibboleth for Plack


[Bug 17776] Shibboleth Authentication is broken in plack

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |Needs Signoff


[Bug 17776] Shibboleth Authentication is broken in plack

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776

--- Comment #4 from Martin Renvoize <[hidden email]> ---
To test:

1) Enable plack
2) Alter the apache config block to ensure shibboleth is passing attributes via
headers instead of environment. (when running under plack, apache acts merely
as a proxy and so cannot pass environment to the separate plack process).
3) Check shibboleth logins are now working using the plack instance.


[Bug 17776] Shibboleth Authentication is broken in plack

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776

Zeno Tajoli <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]


[Bug 17776] Shibboleth Authentication is broken in plack

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776

--- Comment #5 from Zeno Tajoli <[hidden email]> ---
Do you think we can use http://www.ssocircle.com/en/portfolio/publicidp/ for
testing ?

Or is better to use https://www.testshib.org/ ?


[Bug 17776] Shibboleth Authentication is broken in plack

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #60800|0                           |1
        is obsolete|                            |

--- Comment #6 from Martin Renvoize <[hidden email]> ---
Created attachment 60847
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=60847&action=edit
Enable Shibboleth for Plack


[Bug 17776] Shibboleth Authentication is broken in plack

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776

--- Comment #7 from Martin Renvoize <[hidden email]> ---
So after more local testing, I found that the plack environment could be a
little more complex than my initial tests.

This patch obsoletes the original and calls 'get_shib_login' later in the
runtime (i.e. outside of the begin block) so we have a valid environment by the
time the routine runs.

In short, it should all work now so long as you've updated your Apache configs
as per the inline perldoc documentation.

I believe the UseHeaders and UseEnvironment variables for the shibboleth
service provider software are mutually exclusive (they appeared to be in my
brief testing), so I don't believe it is possible to run in a half and half
setup (unless you have two entirely separate vhosts.. one for plack and one for
non-plack running).
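
The lookup that comments #4 and #7 describe, as an added example that is not part of the original posts and is not Koha's own code. The helper names, the `eppn` attribute and the three sample environments are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not Koha's code. is_psgi_env(), shib_attribute() and the
# sample environments below are hypothetical and constructed for illustration.

# True when the hash looks like a PSGI/Plack request environment.
sub is_psgi_env {
    my ($env) = @_;
    return scalar grep { /^(?:psgi|plack)\./ } keys %$env;
}

# Return the value of a Shibboleth attribute, or undef if it is absent.
sub shib_attribute {
    my ( $env, $name ) = @_;
    my $key = $name;
    if ( is_psgi_env($env) ) {
        # ShibUseHeaders On: the attribute arrives as a request header,
        # which PSGI exposes as HTTP_<NAME> (upper case, '-' becomes '_').
        ( $key = uc $name ) =~ tr/-/_/;
        $key = "HTTP_$key";
    }
    my $value = $env->{$key};
    return ( defined $value && length $value ) ? $value : undef;
}

# Constructed sample: plain CGI under Apache, ShibUseEnvironment On.
my %cgi_env = ( REQUEST_METHOD => 'GET', eppn => 'jsmith@example.org' );

# Constructed sample: Plack behind the Apache proxy, ShibUseHeaders On.
my %plack_env = (
    'psgi.version'    => [ 1, 1 ],
    'psgi.url_scheme' => 'https',
    REQUEST_METHOD    => 'GET',
    HTTP_EPPN         => 'jsmith@example.org',
);

# Constructed sample: Plack, but Apache still exports attributes as
# environment only, so nothing reaches the separate plack process.
my %plack_no_headers = ( 'psgi.version' => [ 1, 1 ], REQUEST_METHOD => 'GET' );

for my $case (
    [ 'CGI, environment'  => \%cgi_env ],
    [ 'Plack, headers'    => \%plack_env ],
    [ 'Plack, no headers' => \%plack_no_headers ],
  )
{
    my ( $label, $env ) = @$case;
    my $login = shib_attribute( $env, 'eppn' );
    printf "%-18s %s\n", $label,
      defined $login ? $login : '(no Shibboleth login)';
}
```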


[Bug 17776] Shibboleth Authentication is broken in plack

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776

--- Comment #8 from Martin Renvoize <[hidden email]> ---
(In reply to Zeno Tajoli from comment #5)
> Do you think we can use http://www.ssocircle.com/en/portfolio/publicidp/ for
> testing ?
>
> Or is better to use https://www.testshib.org/ ?

Either IdP should work perfectly happily.  I've tested here against testshib,
openfiede and some customer systems using simplesamlphp and ms active directory
services.


[Bug 17776] Shibboleth Authentication is broken in plack

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776

Nick Clemens <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]


[Bug 17776] Shibboleth Authentication is broken in plack

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776

--- Comment #9 from Mirko Tietgen <[hidden email]> ---
There are two instances of get_shib_login in Auth.pm that probably should be
get_login_shib instead?


[Bug 17776] Shibboleth Authentication is broken in plack

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776

--- Comment #10 from Mirko Tietgen <[hidden email]> ---
I get redirected to a login page when I add

ShibUseEnvironment Off
ShibUseHeaders On

to my Apache config.

There is an additional

Require valid-user

in the config of the test system, just removing that leads to the same result,
so I wonder if it is connected and how I can test around that?


   <Location />
      AuthType shibboleth
      ShibRequireSession On
      ShibUseEnvironment Off
      ShibUseHeaders On
      Require valid-user
   </Location>


[Bug 17776] Shibboleth Authentication is broken in plack

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #60847|0                           |1
        is obsolete|                            |

--- Comment #11 from Martin Renvoize <[hidden email]> ---
Created attachment 61426
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=61426&action=edit
Enable Shibboleth for Plack


[Bug 17776] Shibboleth Authentication is broken in plack

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776

--- Comment #12 from Martin Renvoize <[hidden email]> ---
Fixed the get_login_shib.. thanks for spotting that.. seems I'd already
corrected it locally.. Oops.

As for the apache config..

It's the `ShibRequireSession On` line that means you are enforcing a shibboleth
login for all users I believe.. I don't think that's required if you want
optional login.  I'm not sure where that line came from on your test system?

To help, I've included a copy of my exact config from the demo server where
I've been testing:

   # Optional Shibboleth Configuration - Plack Alternative
   <Location />
      #ShibRequestSetting applicationId demo.koha-ptfs.co.uk
      AuthType shibboleth
      ShibUseEnvironment Off
      ShibUseHeaders On
      ShibRequireSession Off
      Require shibboleth
      #Require valid-user
   </Location>


[Bug 17776] Shibboleth Authentication is broken in plack

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776

--- Comment #13 from Martin Renvoize <[hidden email]> ---
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig is
very helpful for understanding what the different apache directives do ;)


[Bug 17776] Shibboleth Authentication is broken in plack

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776

--- Comment #14 from Mirko Tietgen <[hidden email]> ---
Very helpful link, thanks!

We are enforcing Shib login on purpose, there is not supposed to be any other
way to log in. So that does not work with the config needed for Plack?


[Bug 17776] Shibboleth Authentication is broken in plack

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776

--- Comment #15 from Martin Renvoize <[hidden email]> ---
Hmm, slightly confused by the comment then.. I thought you were finding that it
was always redirecting but that wasn't the behaviour you wanted.  I'll quiz you
on IRC tomorrow to clarify the question.

Thanks for testing,

Martin


[Bug 17776] Shibboleth Authentication is broken in plack

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776

Mason James <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]
