Yes, unfortunately for me, we do… it was quite simple - redirect everything except if http_host is adminsite and it worked. Currently it works for users, but admins are kinda locked out, so I just have to figure out that part. Probably will need just some debugging.
Hello,
I started to use Seafile Community Version 6.3.5 with Shibboleth Single Sign-On. Following your guide ( …/shibboleth_config_v6.3.html ) I ran into several problems.
Using your example site for Apache I had a problem with ProxyPass and <Location /Shibboleth.sso/>. It seems that ProxyPass handled everything, including /Shibboleth.sso/. I was unable to authenticate with Single Sign-On until I used these settings:
<Location /Shibboleth.sso>
    SetHandler shib
    Require all granted
    ProxyPass !
</Location>
Now I see Shibboleth fully working and get a session, which is viewable at <URL>/Shibboleth.sso/Session.
My problem now is that Seafile doesn't recognize this session. When I use Login via SSO I just see the login form and nothing else.
I think I have a problem with seahub.py. I used your example in the guide:
EXTRA_AUTHENTICATION_BACKENDS = ('shibboleth.backends.ShibbolethRemoteUserBackend',)
EXTRA_MIDDLEWARE_CLASSES = ('shibboleth.middleware.ShibbolethRemoteUserMiddleware',)
ENABLE_SHIB_LOGIN = True
SHIBBOLETH_USER_HEADER = 'HTTP_REMOTE_USER'
SHIBBOLETH_ATTRIBUTE_MAP = {
    "HTTP_EPPN": (False, "username"),
    "HTTP_GIVENNAME": (False, "givenname"),
    "HTTP_SN": (False, "surname"),
    "HTTP_MAIL": (False, "contact_email"),
}
So, while Shibboleth is working fine, Seahub isn't doing anything.
I just want to ask if there could be any other problems?
Is it possible to enable a debug log for more details on the workflow in Seahub?
Regards
Hi there,
I seem to have the same problem on v6.3.* like others here. I've tried a dozen combinations including Apache and NGINX with Shibboleth and still no success. After authenticating to the IdP I'm being redirected to the Seafile login page again and again. Literally nothing happens according to all Seafile-related logs.
I’ve verified the HTTP_MAIL being available by creating a separate page showing all headers AND /Shibboleth.sso/Session.
Attributes
givenName: 1 value(s)
mail: 1 value(s)
sn: 1 value(s)
uid: 1 value(s)
Some excerpts from configs. Apache:
<Location /Shibboleth.sso>
    SetHandler shib
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId default
    require shib-session
</Location>
ProxyPreserveHost On
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/
seahub_settings.py:
EXTRA_AUTHENTICATION_BACKENDS = ('shibboleth.backends.ShibbolethRemoteUserBackend',)
EXTRA_MIDDLEWARE_CLASSES = ('shibboleth.middleware.ShibbolethRemoteUserMiddleware',)
ENABLE_SHIB_LOGIN = True
SHIBBOLETH_USER_HEADER = 'HTTP_REMOTE_USER'
SHIBBOLETH_ATTRIBUTE_MAP = {
    "HTTP_MAIL": (False, "username"),
    #"HTTP_GIVENNAME": (False, "givenname"),
    #"HTTP_SN": (False, "surname"),
    #"HTTP_MAIL": (False, "contact_email"),
}
Any help/clues would be highly appreciated!
Regards,
Sina
CC: @xiez @daniel.pan
I'm also having this exact same problem - I've tried many different combinations. If anyone has gotten it working, it would be much appreciated if you could share configs.
We will look into the problem in the next week.
[EDIT]
Hi, I confirm that with the 6.3.13 version I cannot use Shibboleth login anymore (6.3.10 worked fine).
I don't understand, because the HTTP headers are sent to Seahub (debug shows them).
Sorry for the mistake, I just forgot to set SHIB_HTTP_HEADERS.
@network everything is right for me on 6.3.13 Pro.
@gauburtin, mind sharing your configs? I guess many here are having the exact same problem and have tried different combinations with no luck.
Sure. Hope it will help
seahub_settings.py
#Shibboleth
EXTRA_AUTHENTICATION_BACKENDS = (
    'shibboleth.backends.ShibbolethRemoteUserBackend',
)
EXTRA_MIDDLEWARE_CLASSES = (
    'shibboleth.middleware.ShibbolethRemoteUserMiddleware',
)
ENABLE_SHIB_LOGIN = True
# Update for 6.2 WCGI
SHIBBOLETH_ATTRIBUTE_MAP = {
    "HTTP_MAIL": (True, "username"),
    "HTTP_GIVENNAME": (False, "givenname"),
    "HTTP_SN": (False, "surname"),
    # Note: "HTTP_MAIL" appears twice in this dict; in Python the later entry
    # silently replaces the earlier one, so only the contact_email mapping survives.
    # The login name itself comes from SHIBBOLETH_USER_HEADER below.
    "HTTP_MAIL": (True, "contact_email"),
    "HTTP_EPPN": (True, "affiliation"),
}
SHIBBOLETH_USER_HEADER = 'HTTP_REMOTE_USER'
Apache Vhost
#Shibboleth
<Location /Shibboleth.sso>
    SetHandler shib
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId default
    require shib-session
</Location>
<Location /sso>
    AuthType shibboleth
    ShibRequestSetting requireSession true
    Require valid-user
    # WCGI mode
    ShibUseHeaders On
</Location>
shibboleth2.xml
Take care of the order (mail is used because it is first):
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
<ApplicationDefaults entityID="https://xxx.yyy.fr"
                     REMOTE_USER="mail eppn persistent-id targeted-id">
Hi Sina,
There are 3 steps involved:
- The Apache Shibboleth module needs to translate the fields returned from the IdP to the fields used by Seafile (Seahub), especially the REMOTE_USER field.
- Let Apache pass the fields to Seahub via HTTP header
- Let Seahub map the fields to its internal fields, like Given name, contact email.
Only the REMOTE_USER field is required to make the user successfully login.
Here are the configs we use to make Seahub work with https://samltest.id/ (a public Shibboleth test server):
Seahub
seahub_settings.py
ENABLE_SHIB_LOGIN = True
SHIBBOLETH_USER_HEADER = 'HTTP_REMOTE_USER'
SHIBBOLETH_ATTRIBUTE_MAP = {
}
EXTRA_AUTHENTICATION_BACKENDS = (
    'shibboleth.backends.ShibbolethRemoteUserBackend',
)
EXTRA_MIDDLEWARE_CLASSES = (
    'shibboleth.middleware.ShibbolethRemoteUserMiddleware',
)
Here we use an empty SHIBBOLETH_ATTRIBUTE_MAP.
The only required field for Apache to pass to Seahub is HTTP_REMOTE_USER. Apache should pass it in an HTTP header.
Apache’s Shibboleth module
Here is the config we use to let Apache's Shibboleth module set HTTP_REMOTE_USER from the mail field returned from the IdP:
<ApplicationDefaults entityID="https://your-SP-server/shibboleth"
                     REMOTE_USER="mail">
    ...
    <SSO entityID="https://your-IdP-server/url">
        SAML2
    </SSO>
    ...
    <!-- Load your IdP server's metadata. -->
    <MetadataProvider type="XML" validate="true"
                      url="https://samltest.id/saml/idp"
                      backingFilePath="SAMLtest.xml">
        <!-- You should always check the signature and freshness of remote
             metadata. It's commented out until you get the basics working.
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
        <MetadataFilter type="Signature" certificate="signet.crt" verifyBackup="false"/>
        -->
    </MetadataProvider>
Note: the REMOTE_USER field is set in Apache's environment by default, so we need to tell Apache to pass the field in an HTTP header.
Apache’s config
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName seafile.example.com
    DocumentRoot /var/www
    Alias /media /opt/seafile/seafile-server-latest/seahub/media
    ErrorLog ${APACHE_LOG_DIR}/seahub.error.log
    CustomLog ${APACHE_LOG_DIR}/seahub.access.log combined
    SSLEngine on
    SSLCertificateFile /path/to/ssl-cert.pem
    SSLCertificateKeyFile /path/to/ssl-key.pem

    # for http
    # RequestHeader set REMOTE_USER %{REMOTE_USER}e
    # for https
    RequestHeader set REMOTE_USER %{REMOTE_USER}s

    <Location /Shibboleth.sso>
        SetHandler shib
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>
    <Location /sso>
        SetHandler shib
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>

    RewriteEngine On
    <Location /media>
        Require all granted
    </Location>
    #
    # seafile fileserver
    #
    ProxyPass /seafhttp http://127.0.0.1:8082
    ProxyPassReverse /seafhttp http://127.0.0.1:8082
    RewriteRule ^/seafhttp - [QSA,L]
    #
    # seahub
    #
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>
</IfModule>
Pay attention to RequestHeader set REMOTE_USER %{REMOTE_USER}s.
Note:
You can configure Apache's Shibboleth module to set the fields in HTTP headers, so RequestHeader set REMOTE_USER %{REMOTE_USER}s can be removed.
You should also add some config to Apache to make sure HTTP_REMOTE_USER can only be set by Apache, not by the end user itself.
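The three hand-offs in the post above (the SP choosing REMOTE_USER from an ordered attribute list, as in gauburtin's "mail is used because it is first" note; Apache forwarding it as a header; Seahub applying SHIBBOLETH_ATTRIBUTE_MAP) and the closing warning about the header being settable only by Apache can be walked through offline. The following is an added example written for this thread, not Seafile, django-shibboleth-remoteuser or Shibboleth SP code; the attribute values, the header names and the helper functions are all constructed here, and the simplified map semantics (a `(required, field)` tuple per header) follow what the thread's settings show.

```python
"""Simulation of how a Shibboleth-protected Seahub login is assembled behind Apache.

Added example for the forum thread; not Seafile or Shibboleth code. All values
below are constructed. It models three steps:
  1. the SP picks REMOTE_USER from an ordered list (shibboleth2.xml REMOTE_USER="..."),
  2. the reverse proxy turns that into the HTTP_REMOTE_USER header Seahub reads,
  3. Seahub's middleware applies SHIBBOLETH_ATTRIBUTE_MAP = {header: (required, field)}.
"""

# Constructed attributes as the SP would expose them after a successful IdP login.
SP_ATTRIBUTES = {
    "mail": "alice@example.org",
    "eppn": "alice@example.org",
    "givenName": "Alice",
    "sn": "Liddell",
}


def resolve_remote_user(attributes, remote_user_setting):
    """Step 1: mimic REMOTE_USER="mail eppn persistent-id targeted-id".

    The first attribute in the list that actually has a value wins, which is
    why the order in shibboleth2.xml matters. Returns None without a session.
    """
    for name in remote_user_setting.split():
        value = attributes.get(name)
        if value:
            return value
    return None


def build_seahub_meta(sp_attributes, remote_user, client_headers,
                      strip_client_headers=True):
    """Step 2: build the WSGI-style META dict Seahub sees behind the proxy.

    A request header 'Foo-Bar' becomes META['HTTP_FOO_BAR']. With
    strip_client_headers=True the proxy discards any REMOTE_USER header the
    browser itself sent before Apache sets its own value; with False it
    behaves like a proxy that forwards client headers untouched, which is the
    misconfiguration the thread warns about.
    """
    meta = {}
    for header, value in client_headers.items():
        key = "HTTP_" + header.upper().replace("-", "_")
        if strip_client_headers and key == "HTTP_REMOTE_USER":
            continue  # identity must come from Apache, never from the client
        meta[key] = value
    if remote_user:
        meta["HTTP_REMOTE_USER"] = remote_user  # RequestHeader set REMOTE_USER ...
    for name, value in sp_attributes.items():
        meta["HTTP_" + name.upper()] = value  # what ShibUseHeaders On exports
    return meta


def parse_attribute_map(meta, user_header, attribute_map):
    """Step 3: apply SHIBBOLETH_ATTRIBUTE_MAP to META.

    Returns (username, mapped_fields, missing_required_headers). The username
    is read only from SHIBBOLETH_USER_HEADER; the map fills profile fields and
    flags required ones that the SP did not deliver.
    """
    username = meta.get(user_header)
    fields, missing = {}, []
    for header, (required, field) in attribute_map.items():
        value = meta.get(header)
        if value:
            fields[field] = value
        elif required:
            missing.append(header)
    return username, fields, missing


if __name__ == "__main__":
    ordered = "mail eppn persistent-id targeted-id"
    remote_user = resolve_remote_user(SP_ATTRIBUTES, ordered)
    meta = build_seahub_meta(SP_ATTRIBUTES, remote_user, {"User-Agent": "constructed"})
    amap = {"HTTP_GIVENNAME": (False, "givenname"),
            "HTTP_SN": (False, "surname"),
            "HTTP_MAIL": (True, "contact_email")}
    print("session login ->", parse_attribute_map(meta, "HTTP_REMOTE_USER", amap))
    # No SP session, but the browser sent its own Remote-User header.
    spoof = {"Remote-User": "admin@example.org"}
    for strip in (False, True):
        m = build_seahub_meta({}, None, spoof, strip_client_headers=strip)
        print("strip client header =", strip, "->",
              parse_attribute_map(m, "HTTP_REMOTE_USER", {})[0])
```

Running the script shows the normal case resolving the mail attribute to the login name, and the no-session case yielding a username only when the proxy forwards the client's header unchanged; with stripping on, Seahub sees no HTTP_REMOTE_USER at all and falls back to its login form, which is the behaviour the configs in this thread are meant to guarantee.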
I can confirm this works on 6.3.13 Community Edition, thanks @gauburtin
Here is the full apache2 config file; hopefully it helps anyone who can't figure out what is missing from the documentation:
<VirtualHost *:443>
    ServerName xxxxx
    ServerAlias xxxxx
    ServerAlias xxxxx
    ServerAdmin you@domain.tld
    DocumentRoot /var/www/html
    Header always set Strict-Transport-Security "max-age=31536000"
    ServerSignature Off
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <INSERT SSL CONFIG HERE>

    Alias /media /home/seafile/seafile-server-latest/seahub/media
    RewriteEngine On
    SSLEngine on

    #Shibboleth
    <Location /Shibboleth.sso>
        SetHandler shib
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting applicationId default
        require shib-session
    </Location>
    <Location /sso>
        AuthType shibboleth
        ShibRequestSetting requireSession true
        Require valid-user
        # WCGI mode
        ShibUseHeaders On
    </Location>
    <Location /api2>
        AuthType None
        Require all granted
        Allow from all
        satisfy any
    </Location>

    RewriteEngine On
    <Location /media>
        Require all granted
    </Location>
    #
    # seafile fileserver
    #
    ProxyPass /seafhttp http://127.0.0.1:8082
    ProxyPassReverse /seafhttp http://127.0.0.1:8082
    RewriteRule ^/seafhttp - [QSA,L]
    #
    # seahub
    #
    ProxyPreserveHost On
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    ProxyPass / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>
Also, don’t forget to specify the attributes in /etc/shibboleth/attribute-map.xml as required above.
Hi
Do you have any suggestions on how to do this?
Hi Daniel,
… and that was the missing piece of the puzzle!
Thanks a lot for the quick replies, updating the manuals and adding the extra debug section.
@gauburtin @network Thank you guys too.
Cheers,
Sina
Thanks for the details. However, I think the option
ENABLE_REMOTE_USER_AUTHENTICATION = True
is missing.
I run Seafile 9.0.2 with an apache2 Service Provider and Seahub did not log in with your described settings. ENABLE_REMOTE_USER_AUTHENTICATION did the trick. I think it's also missing in the Seafile Shibboleth documentation.