Unable to authenticate with Shibboleth

Yes, unfortunately for me, we do… it was quite simple - redirect everything except if http_host is adminsite and it worked. Currently it works for users, but admins are kinda locked out, so I just have to figure out that part. Probably will need just some debugging.

Hello,

I started to use Seafile Community Version 6.3.5 with Shibboleth Single Sign-On. Following your guide ( …/shibboleth_config_v6.3.html ) I ran into several problems.

Using your example site for Apache I had a problem with ProxyPass and <Location /Shibboleth.sso/>. It seems that ProxyPass handled everything, including /Shibboleth.sso/. I was unable to authenticate with Single Sign-On until I used these settings:

<Location /Shibboleth.sso>
    SetHandler shib
    Require all granted
    ProxyPass !
</Location>

Now I see Shibboleth fully working and get a session, which is viewable at <URL>/Shibboleth.sso/Session

My problem now is that Seafile doesn't recognize this session. When I use login via SSO I just see the login form and nothing else.

I think I have a problem with seahub.py. I used your example in the guide:

EXTRA_AUTHENTICATION_BACKENDS = ('shibboleth.backends.ShibbolethRemoteUserBackend',)
EXTRA_MIDDLEWARE_CLASSES = ('shibboleth.middleware.ShibbolethRemoteUserMiddleware',)

ENABLE_SHIB_LOGIN = True
SHIBBOLETH_USER_HEADER = 'HTTP_REMOTE_USER'

SHIBBOLETH_ATTRIBUTE_MAP = {
    "HTTP_EPPN": (False, "username"),
    "HTTP_GIVENNAME": (False, "givenname"),
    "HTTP_SN": (False, "surname"),
    "HTTP_MAIL": (False, "contact_email"),
}

So, while Shibboleth is working fine, Seahub isn’t doing anything.

I just want to ask whether there could be any other problems.

Is it possible to enable a debug log for more details on the workflow in Seahub?

Regards

Hi there,

I seem to have the same problem on v6.3.* as others here. I've tried a dozen combinations including Apache and NGINX with Shibboleth and still no success. After authenticating to the IdP I'm being redirected to the Seafile login page again and again. Literally nothing happens according to all Seafile-related logs.

I’ve verified the HTTP_MAIL being available by creating a separate page showing all headers AND /Shibboleth.sso/Session.

Attributes
givenName: 1 value(s)
mail: 1 value(s)
sn: 1 value(s)
uid: 1 value(s)

Some excerpts from configs. Apache:

<Location /Shibboleth.sso>
  SetHandler shib
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  ShibRequestSetting applicationId default
  require shib-session
</Location>

ProxyPreserveHost On
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/

seahub_settings.py:

EXTRA_AUTHENTICATION_BACKENDS = ('shibboleth.backends.ShibbolethRemoteUserBackend',)
EXTRA_MIDDLEWARE_CLASSES = ('shibboleth.middleware.ShibbolethRemoteUserMiddleware',)
ENABLE_SHIB_LOGIN = True
SHIBBOLETH_USER_HEADER = 'HTTP_REMOTE_USER'
SHIBBOLETH_ATTRIBUTE_MAP = {
  "HTTP_MAIL": (False, "username"),
  #"HTTP_GIVENNAME": (False, "givenname"),
  #"HTTP_SN": (False, "surname"),
  #"HTTP_MAIL": (False, "contact_email"),
}

Any help/clues would be highly appreciated!

Regards,
Sina

CC: @xiez @daniel.pan


I'm also having this exact same problem - I've tried many different combinations. If anyone has gotten it working, it would be much appreciated if you could share configs.

We will look into the problem in the next week.

[EDIT]

Hi, I confirm that with the 6.3.13 version, I cannot use Shibboleth login anymore (6.3.10 worked fine).

I don't understand, because the HTTP headers are sent to Seahub (debug shows them).

Sorry for the mistake, I just forgot to set SHIB_HTTP_HEADERS.

@network everything is right for me on 6.3.13 Pro.

@gauburtin, mind sharing your configs? I guess many here are having the exact same problem and have tried different combinations with no luck.

Sure. Hope it will help.

seahub_settings.py

#Shibboleth

EXTRA_AUTHENTICATION_BACKENDS = (
    'shibboleth.backends.ShibbolethRemoteUserBackend',
)
EXTRA_MIDDLEWARE_CLASSES = (
    'shibboleth.middleware.ShibbolethRemoteUserMiddleware',
)


ENABLE_SHIB_LOGIN = True

# Update for 6.2 WCGI

SHIBBOLETH_ATTRIBUTE_MAP = {
    "HTTP_MAIL": (True, "username"),
    "HTTP_GIVENNAME": (False, "givenname"),
    "HTTP_SN": (False, "surname"),
    # Note: duplicate dict key; Python keeps the last entry, so HTTP_MAIL
    # effectively maps to contact_email only. The username still comes from
    # SHIBBOLETH_USER_HEADER below, so login is unaffected.
    "HTTP_MAIL": (True, "contact_email"),
    "HTTP_EPPN": (True, "affiliation"),
}

SHIBBOLETH_USER_HEADER = 'HTTP_REMOTE_USER'

Apache Vhost

  #Shibboleth
  <Location /Shibboleth.sso>
        SetHandler shib
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting applicationId default
        require shib-session
  </Location>

  <Location /sso>
        AuthType shibboleth
        ShibRequestSetting requireSession true
        Require valid-user
        # WCGI mode
        ShibUseHeaders On
  </Location>

shibboleth2.xml

Take care of the order (mail is used because it is first).

<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
<ApplicationDefaults entityID="https://xxx.yyy.fr"
                     REMOTE_USER="mail eppn persistent-id targeted-id">

Hi Sina,

There are 3 steps involved:

  1. The Apache Shibboleth module needs to translate the fields returned from the IdP to the fields used by Seafile (Seahub), especially the REMOTE_USER field.
  2. Let Apache pass the fields to Seahub via HTTP headers.
  3. Let Seahub map the fields to its internal fields, like given name and contact email.

Only the REMOTE_USER field is required to make the user successfully log in.

Here are the configs we use to make Seahub work with https://samltest.id/ (a public Shibboleth test server):

Seahub

seahub_settings.py

ENABLE_SHIB_LOGIN = True
SHIBBOLETH_USER_HEADER = 'HTTP_REMOTE_USER'
SHIBBOLETH_ATTRIBUTE_MAP = {
}
EXTRA_AUTHENTICATION_BACKENDS = (
    'shibboleth.backends.ShibbolethRemoteUserBackend',
)
EXTRA_MIDDLEWARE_CLASSES = (
    'shibboleth.middleware.ShibbolethRemoteUserMiddleware',
)

Here we use an empty SHIBBOLETH_ATTRIBUTE_MAP.

The only required field for Apache to pass to Seahub is HTTP_REMOTE_USER. Apache should pass it as an HTTP header.

Apache’s Shibboleth module

Here is the config we use to let Apache's Shibboleth module set HTTP_REMOTE_USER from the mail field returned by the IdP:

<ApplicationDefaults entityID="https://your-SP-server/shibboleth"
                     REMOTE_USER="mail">

...

    <SSO entityID="https://your-IdP-server/url">
        SAML2
    </SSO>

...

    <!-- Load your IdP server's metadata. -->
    <MetadataProvider type="XML" validate="true"
                      url="https://samltest.id/saml/idp"
                      backingFilePath="SAMLtest.xml">
        <!-- You should always check the signature and freshness of remote
             metadata.  It's commented out until you get the basics working.
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
        <MetadataFilter type="Signature" certificate="signet.crt" verifyBackup="false"/>
        -->
    </MetadataProvider>

Note: the REMOTE_USER field is set in Apache's environment by default, so we need to tell Apache to pass the field as an HTTP header.

Apache’s config

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerName seafile.example.com

        DocumentRoot /var/www
        Alias /media /opt/seafile/seafile-server-latest/seahub/media

        ErrorLog ${APACHE_LOG_DIR}/seahub.error.log
        CustomLog ${APACHE_LOG_DIR}/seahub.access.log combined

        SSLEngine on
        SSLCertificateFile  /path/to/ssl-cert.pem
        SSLCertificateKeyFile /path/to/ssl-key.pem

        # for http
        # RequestHeader set REMOTE_USER %{REMOTE_USER}e
        # for https
        RequestHeader set REMOTE_USER %{REMOTE_USER}s

        <Location /Shibboleth.sso>
            SetHandler shib
            AuthType shibboleth
            ShibRequestSetting requireSession 1
            Require valid-user
        </Location>

        <Location /sso>
            SetHandler shib
            AuthType shibboleth
            ShibRequestSetting requireSession 1
            Require valid-user
        </Location>

        RewriteEngine On
        <Location /media>
	        Require all granted
        </Location>

        #
        # seafile fileserver
        #
        ProxyPass /seafhttp http://127.0.0.1:8082
        ProxyPassReverse /seafhttp http://127.0.0.1:8082
        RewriteRule ^/seafhttp - [QSA,L]

        #
        # seahub
        #
        ProxyPreserveHost On
        ProxyPass / http://127.0.0.1:8000/
        ProxyPassReverse / http://127.0.0.1:8000/
    </VirtualHost>
</IfModule>

Pay attention to

RequestHeader set REMOTE_USER %{REMOTE_USER}s

Note

You can configure Apache's Shibboleth module to set the fields as HTTP headers, so

RequestHeader set REMOTE_USER %{REMOTE_USER}s

can be removed.

You should also add some config to Apache to make sure HTTP_REMOTE_USER can only be set by Apache, not by the end user.

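As an added illustration of the three steps above (not Seahub's or the forum poster's code), the following simplified model shows how a WSGI app sees the forwarded `Remote-User` header as `HTTP_REMOTE_USER`, how the `(required, field)` tuples of SHIBBOLETH_ATTRIBUTE_MAP are applied, and what a proxy that only lets Apache set REMOTE_USER has to do with headers arriving from the client. Function names, SHIB_HEADERS and all sample values are assumed or constructed for the example.

```python
# Added example, not Seahub's own code: a simplified model of the
# RemoteUser-style login flow described in the post. Names and sample
# values below are constructed for illustration.

SHIBBOLETH_USER_HEADER = "HTTP_REMOTE_USER"
# Same (required, seahub_field) tuple shape as in seahub_settings.py.
SHIBBOLETH_ATTRIBUTE_MAP = {
    "HTTP_MAIL": (True, "contact_email"),
    "HTTP_GIVENNAME": (False, "givenname"),
    "HTTP_SN": (False, "surname"),
}
# Headers the SP owns (assumed list); the proxy must never forward client copies.
SHIB_HEADERS = ("Remote-User", "Mail", "GivenName", "SN")


def wsgi_environ(headers):
    """WSGI rule: request header 'Remote-User' becomes HTTP_REMOTE_USER.
    This is why the Seahub settings use HTTP_-prefixed names."""
    return {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()}


def parse_attributes(environ, attr_map):
    """Map forwarded headers to Seahub fields; report missing required ones."""
    attrs, missing = {}, []
    for header, (required, field) in attr_map.items():
        value = environ.get(header)
        if value:
            attrs[field] = value
        elif required:
            missing.append(header)
    return attrs, missing


def shib_login(environ, attr_map=SHIBBOLETH_ATTRIBUTE_MAP):
    """Return (username, attrs) on success, None when login must fail.
    With an empty attr_map only the user header matters, as in the post."""
    username = environ.get(SHIBBOLETH_USER_HEADER)
    if not username:
        return None          # no Shibboleth session: Seahub shows the login form
    attrs, missing = parse_attributes(environ, attr_map)
    if missing:
        return None          # a required attribute was not released by the IdP
    return username, attrs


def proxy_forward(client_headers, shib_session):
    """Model of the reverse proxy: drop every SP-owned header that came from the
    client, then set them from the SP session only (the 'only Apache may set
    HTTP_REMOTE_USER' rule). shib_session is None when there is no session."""
    owned = {h.lower() for h in SHIB_HEADERS}
    forwarded = {k: v for k, v in client_headers.items() if k.lower() not in owned}
    if shib_session:
        forwarded.update(shib_session)
    return forwarded
```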

I can confirm this works on 6.3.13 Community Edition, thanks @gauburtin

Here is the full apache2 config file, hopefully it helps anyone that can’t figure out what is missing from the documentation:

<VirtualHost *:443>
    ServerName xxxxx
    ServerAlias xxxxx
    ServerAlias xxxxx
    ServerAdmin you@domain.tld
    DocumentRoot /var/www/html

    Header always set Strict-Transport-Security "max-age=31536000"
    ServerSignature Off

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

   <INSERT SSL CONFIG HERE>

    Alias /media  /home/seafile/seafile-server-latest/seahub/media

    RewriteEngine On

    SSLEngine on

    #Shibboleth
    <Location /Shibboleth.sso>
        SetHandler shib
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting applicationId default
        require shib-session
    </Location>

    <Location /sso>
        AuthType shibboleth
        ShibRequestSetting requireSession true
        Require valid-user
        # WCGI mode
        ShibUseHeaders On
    </Location>

    <Location /api2>
        AuthType None
        Require all granted
        Allow from all
        satisfy any
    </Location>

    RewriteEngine On
    <Location /media>
        Require all granted
    </Location>

    #
    # seafile fileserver
    #
    ProxyPass /seafhttp http://127.0.0.1:8082
    ProxyPassReverse /seafhttp http://127.0.0.1:8082
    RewriteRule ^/seafhttp - [QSA,L]

    #
    # seahub
    #
    ProxyPreserveHost On
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    ProxyPass / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>

Also, don’t forget to specify the attributes in /etc/shibboleth/attribute-map.xml as required above.


Hi
Do you have any suggestions on how to do this?

Hi Daniel,

… and that was the missing piece of the puzzle!

Thanks a lot for the quick replies, updating the manuals and adding the extra debug section.

@gauburtin @network Thank you guys too.

Cheers,
Sina

Thanks for the details. However, I think the option

ENABLE_REMOTE_USER_AUTHENTICATION = True

is missing.

I run Seafile 9.0.2 with the apache2 Service Provider and Seahub did not log in with your described settings. ENABLE_REMOTE_USER_AUTHENTICATION did the trick. I think it's also missing in the Seafile Shibboleth documentation.