shibboleth/aai more guidance needed setting up #1032

Closed
kosarko opened this issue Feb 18, 2023 · 3 comments
Comments

@kosarko
Member

kosarko commented Feb 18, 2023

plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.clarin.ClarinShibAuthentication
authentication-shibboleth.netid-header = eppn
authentication-shibboleth.email-header = mail
authentication-shibboleth.firstname-header = givenName
authentication-shibboleth.lastname-header = sn 
  • /repository/api/authn/shibboleth is the "protected url" in nginx; the one that gets the headers. (dspace.server.url = https://ufal-point-dev.ufal.hide.ms.mff.cuni.cz/repository)
  • big red Login takes me to /login, 'Login with shibboleth' takes me to idp.

i.e. the REST API throws the UserWithoutEmailException, but the Angular app has no way to react to that; it is not involved in the flow at the moment.

adding these:

diff --git a/dspace-server-webapp/src/main/java/org/dspace/app/rest/security/clarin/ClarinShibbolethLoginFilter.java b/dspace-server-webapp/src/main/java/org/dspace/app/rest/security/clarin/ClarinShibbolethLoginFilter.java
index aca9b64ab7..f9acf4c11b 100644
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/security/clarin/ClarinShibbolethLoginFilter.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/security/clarin/ClarinShibbolethLoginFilter.java
@@ -73,10 +73,10 @@ import org.springframework.security.core.AuthenticationException;
  */
 public class ClarinShibbolethLoginFilter extends StatelessLoginFilter {
     public static final String USER_WITHOUT_EMAIL_EXCEPTION = "UserWithoutEmailException";
-    public static final String MISSING_HEADERS_FROM_IDP = "MissingHeadersFromIpd";
+    public static final String MISSING_HEADERS_FROM_IDP = "MissingHeadersFromIdp";
     private static final String AUTHORIZATION_HEADER = "Authorization";

-    private static final Logger log = LogManager.getLogger(org.dspace.app.rest.security.ShibbolethLoginFilter.class);
+    private static final Logger log = LogManager.getLogger(ClarinShibbolethLoginFilter.class);

     private ConfigurationService configurationService = DSpaceServicesFactory.getInstance().getConfigurationService();
     private ClarinVerificationTokenService clarinVerificationTokenService = ClarinServiceFactory.getInstance()
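Review bot: changing the value of the public constant MISSING_HEADERS_FROM_IDP from "MissingHeadersFromIpd" to "MissingHeadersFromIdp" changes the error string the REST layer hands to the client, so an Angular build that still matches on the old spelling will silently stop recognising the error; land the client-side rename in the same change, or accept both spellings on the client until both sides are deployed. The logger fix in the same hunk is correct: with getLogger(org.dspace.app.rest.security.ShibbolethLoginFilter.class) every message from this filter was attributed to the wrong class, which makes the authentication log misleading.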
@@ -109,6 +109,9 @@ public class ClarinShibbolethLoginFilter extends StatelessLoginFilter {

         // If the verification token is not null the user wants to login.
         String verificationToken = req.getHeader("verification-token");
+        if (log.isDebugEnabled()) {
+            log.debug("verificationToken=" + verificationToken);
+        }
         ClarinVerificationToken clarinVerificationToken;
         try {
             clarinVerificationToken = clarinVerificationTokenService.findByToken(context, verificationToken);
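Review bot: the new debug line writes the raw value of the verification-token header into the log. That token is what lets its holder complete the pending login for an account that had no email, so it is a credential, and it will end up in authentication.log once the DEBUG logger from the log4j2.xml part of this patch is active. Log only its presence, e.g. `log.debug("verificationToken present=" + (verificationToken != null));`, or a truncated hash, never the value.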
@@ -121,6 +124,10 @@ public class ClarinShibbolethLoginFilter extends StatelessLoginFilter {
         ShibHeaders shib_headers;
         if (Objects.nonNull(clarinVerificationToken)) {
             // Set request attribute for authentication method.
+            if (log.isDebugEnabled()) {
+                    log.debug("Setting shib.headers request attribute: " + clarinVerificationToken.getShibHeaders());
+
+            }
             req.setAttribute("shib.headers", clarinVerificationToken.getShibHeaders());
             shib_headers = new ShibHeaders(clarinVerificationToken.getShibHeaders());
         } else {
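Review bot: `log.debug("Setting shib.headers request attribute: " + clarinVerificationToken.getShibHeaders())` dumps the complete attribute set released by the IdP (eppn, mail, givenName, sn and anything else the IdP sends) into the log as plain text; that is personal data, and for the troubleshooting purpose here the header names are enough, so log the key set rather than the values. Style: the block also carries a stray blank line inside the if and is indented deeper than the surrounding code.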
@@ -129,7 +136,15 @@ public class ClarinShibbolethLoginFilter extends StatelessLoginFilter {

         // Retrieve the netid and email values from the header.
         String netid = shib_headers.get_single(netidHeader);
+        if (log.isDebugEnabled()) {
+                log.debug("netid=" + netid);
+
+        }
         String idp = shib_headers.get_idp();
+        if (log.isDebugEnabled()) {
+                log.debug("idp=" + idp);
+
+        }
         // If the clarin verification object is not null load the email from there otherwise from header.
         String email = Objects.isNull(clarinVerificationToken) ?
                 shib_headers.get_single(emailHeader) : clarinVerificationToken.getEmail();
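Review bot: the debug lines for netid and idp do not cover the value that actually fails in the captured log ("Cannot load the shib email header from the request headers"); add a debug statement after `email` is computed that records which header name (`emailHeader`) was consulted and whether it resolved to null, rather than the address itself, so the log answers the question this patch was written for. The same trailing blank lines and 16-space indentation inside the if blocks do not match the file's style.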
diff --git a/dspace/config/log4j2.xml b/dspace/config/log4j2.xml
index 6e9a43e4f0..a5b3a23828 100644
--- a/dspace/config/log4j2.xml
+++ b/dspace/config/log4j2.xml
@@ -64,10 +64,38 @@
             </DefaultRolloverStrategy>
             -->
         </Appender>
+
+        <!-- AUTH is the name of the appender for the Authentication classes -->
+        <Appender name='AUTH'
+                  filePattern="${log.dir}/authentication.log-%d{yyyy-MM-dd}"
+                  type='RollingFile'
+                  fileName='${log.dir}/authentication.log'>
+            <Layout type='PatternLayout'
+                    pattern='%d %-5p %equals{%X{correlationID}}{}{unknown} %equals{%X{requestID}}{}{unknown} %c @ %m%n'/>
+            <policies>
+                <policy type='TimeBasedTriggeringPolicy'>yyyy-MM-dd</policy>
+           </policies>
+           <!-- TODO MaxLogs=0 -->
+        </Appender>
+
+
     </Appenders>

     <Loggers>

+        <Logger name='org.dspace.authenticate'
+                level='DEBUG'
+                additivity='false'>
+                <AppenderRef ref='AUTH'/>
+        </Logger>
+
+        <Logger name='org.dspace.app.rest.security'
+                level='DEBUG'
+                additivity='false'>
+                <AppenderRef ref='AUTH'/>
+        </Logger>
+
+
         <!-- Most parts of DSpace -->
         <Logger name='org.dspace'
                 level='${loglevel.dspace}'
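Review bot: both new loggers are pinned to level='DEBUG' with additivity='false', so everything the other hunks log at DEBUG (token values and the full header set) lands in ${log.dir}/authentication.log, and the AUTH appender has no DefaultRolloverStrategy (the "TODO MaxLogs=0" comment), so the daily authentication.log-* files accumulate without bound. Drive the level from a property like ${loglevel.auth} that defaults to INFO, add a DefaultRolloverStrategy with a max as the other appenders in this file do, and make sure ${log.dir} is readable only by the servlet container's user before this is used on anything but a dev box.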

the authentication log shows:

2023-02-18 10:52:02,970 DEBUG e10c8777-f4f0-43ac-9ce0-6b36a5c89b73 b757da50-3c88-49f7-bbe8-bc85f4070f0a org.dspace.authenticate.clarin.ClarinShibAuthentication @ Redirecting user to Shibboleth initiator: https://ufal-point-dev.ufal.hide.ms.mff.cuni.cz/Shibboleth.sso/Login?target=https%3A%2F%2Fufal-point-dev.ufal.hide.ms.mff.cuni.cz%2Frepository%2Fapi%2Fauthn%2Fshibboleth%3FredirectUrl%3Dhttp%3A%2F%2Fufal-point-dev.ufal.hide.ms.mff.cuni.cz%2F
2023-02-18 10:52:03,397 DEBUG e10c8777-f4f0-43ac-9ce0-6b36a5c89b73 3aa8589b-2af3-4826-bc56-b8c1ab97d5c3 org.dspace.authenticate.clarin.ClarinShibAuthentication @ Redirecting user to Shibboleth initiator: https://ufal-point-dev.ufal.hide.ms.mff.cuni.cz/Shibboleth.sso/Login?target=https%3A%2F%2Fufal-point-dev.ufal.hide.ms.mff.cuni.cz%2Frepository%2Fapi%2Fauthn%2Fshibboleth%3FredirectUrl%3Dhttp%3A%2F%2Fufal-point-dev.ufal.hide.ms.mff.cuni.cz%2Flindat_color_line.png
2023-02-18 10:52:03,616 DEBUG e10c8777-f4f0-43ac-9ce0-6b36a5c89b73 57f22312-bd96-4523-a864-3ad8d3e162f3 org.dspace.authenticate.clarin.ClarinShibAuthentication @ Redirecting user to Shibboleth initiator: https://ufal-point-dev.ufal.hide.ms.mff.cuni.cz/Shibboleth.sso/Login?target=https%3A%2F%2Fufal-point-dev.ufal.hide.ms.mff.cuni.cz%2Frepository%2Fapi%2Fauthn%2Fshibboleth%3FredirectUrl%3Dhttps%3A%2F%2Fufal-point-dev.ufal.hide.ms.mff.cuni.cz%2F
2023-02-18 10:52:05,234 DEBUG e10c8777-f4f0-43ac-9ce0-6b36a5c89b73 c3de448e-e059-4bcb-a1d2-7cb7a3aa24b9 org.dspace.authenticate.clarin.ClarinShibAuthentication @ Redirecting user to Shibboleth initiator: https://ufal-point-dev.ufal.hide.ms.mff.cuni.cz/Shibboleth.sso/Login?target=https%3A%2F%2Fufal-point-dev.ufal.hide.ms.mff.cuni.cz%2Frepository%2Fapi%2Fauthn%2Fshibboleth%3FredirectUrl%3Dhttp%3A%2F%2Fufal-point-dev.ufal.hide.ms.mff.cuni.cz%2Flogin
2023-02-18 10:52:05,768 DEBUG e10c8777-f4f0-43ac-9ce0-6b36a5c89b73 7d486747-7cff-471d-83a8-3e8d0e82d3d6 org.dspace.authenticate.clarin.ClarinShibAuthentication @ Redirecting user to Shibboleth initiator: https://ufal-point-dev.ufal.hide.ms.mff.cuni.cz/Shibboleth.sso/Login?target=https%3A%2F%2Fufal-point-dev.ufal.hide.ms.mff.cuni.cz%2Frepository%2Fapi%2Fauthn%2Fshibboleth%3FredirectUrl%3Dhttps%3A%2F%2Fufal-point-dev.ufal.hide.ms.mff.cuni.cz%2Flogin
2023-02-18 10:52:27,339 DEBUG unknown unknown org.dspace.app.rest.security.clarin.ClarinShibbolethLoginFilter @ Request is to process authentication
2023-02-18 10:52:27,340 DEBUG unknown unknown org.dspace.app.rest.security.clarin.ClarinShibbolethLoginFilter @ verificationToken=null
2023-02-18 10:52:27,340 DEBUG unknown unknown org.dspace.app.rest.security.clarin.ClarinShibbolethLoginFilter @ [email protected]
2023-02-18 10:52:27,341 DEBUG unknown unknown org.dspace.app.rest.security.clarin.ClarinShibbolethLoginFilter @ idp=https://ufal-point-dev.ufal.hide.ms.mff.cuni.cz/idp/shibboleth
2023-02-18 10:52:27,342 ERROR unknown unknown org.dspace.app.rest.security.clarin.ClarinShibbolethLoginFilter @ Cannot load the shib email header from the request headers.
2023-02-18 10:52:27,342 DEBUG unknown unknown org.dspace.authenticate.clarin.ClarinShibAuthentication @ Redirecting user to Shibboleth initiator: https://ufal-point-dev.ufal.hide.ms.mff.cuni.cz/Shibboleth.sso/Login?target=https%3A%2F%2Fufal-point-dev.ufal.hide.ms.mff.cuni.cz%2Frepository%2Fapi%2Fauthn%2Fshibboleth%3FredirectUrl%3Dhttps%3A%2F%2Fufal-point-dev.ufal.hide.ms.mff.cuni.cz%2Fidp%2Fprofile%2FSAML2%2FRedirect%2FSSO%3Fexecution%3De10s2

(the change of MissingHeadersFromIpd should also be made in Angular; anyway, I don't think it plays a role in this issue)

Maybe it all gets fixed when DiscoJuice works; however, its config uses /shibboleth-login, and that won't get the headers in the current setup. Also, the last DEBUG line above is rather suspicious (having the IdP as the target after we've come from the IdP?).

Can someone describe the expected flow and a correct setup? Even the successful login seems to be due to luck rather than my understanding of what the flow is...

@kosarko
Member Author

kosarko commented Feb 27, 2023

  • I get logged in when I use an account that provides email 👍

Sometimes I do need to refresh the page, though, i.e. click login, go through the IdP, get back to the homepage, where the big red login button is still there; hit F5 -> now I'm logged in.

Keeping it as a comment for now, as I'm not sure about the overall setup...

@kosarko
Member Author

kosarko commented Apr 5, 2023

@milanmajchrak, can we do something about the Whitelabel Error Page? For example, after the import, I'm not able to use Shibboleth. I get to the IdP page, but when I fill in my credentials and confirm, all I see is:
[screenshot of the Whitelabel Error Page]
With the AUTH log4j config, I can at least get something in the logs*, but I have no idea what's happening as a user. I don't have anything to send to support (and I have to get back somehow and find the support email). Can we, maybe, show a stack trace and some contact info?

*the cause is:

The identified EPerson based upon Shibboleth email header, 'mail'='[email protected]', is locked to another netid: 'MY_ID_WITH_THE_CUNI_IDP[https://cas.cuni.cz/idp/shibboleth]'. This might be a possible hacking attempt to steal another users credentials. If the user's netid has changed you will need to manually change it to the correct value or unset it in the database.

So, actually, nothing unexpected. Just difficult to figure out the cause.
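The two failures in this thread (the "Cannot load the shib email header" error in the first comment's log, and the "locked to another netid" error quoted above) come from the same decision sequence in the login filter: read netid and IdP from the SP-set headers, take the email from the headers or from a stored verification token, then match an EPerson by netid first and by email second. The following is an added model of that sequence, written for this page; it is not DSpace or CLARIN code. The header names eppn and mail come from the authentication-shibboleth.* settings quoted in the issue; the Shib-Identity-Provider header name, the in-memory EPerson/token stores and the NetidLockedToAnotherUser outcome code are assumptions.

```python
"""Model of the header-based Shibboleth login decision discussed in this issue.

Constructed example, not DSpace/CLARIN code. Header names follow the
authentication-shibboleth.* settings quoted in the issue; the IdP header
name, the stores and the NETID_LOCKED code are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

NETID_HEADER = "eppn"                   # authentication-shibboleth.netid-header
EMAIL_HEADER = "mail"                   # authentication-shibboleth.email-header
IDP_HEADER = "Shib-Identity-Provider"   # assumption: header the SP sets with the IdP entityID

# Outcome codes. The first two are the constants in ClarinShibbolethLoginFilter;
# NETID_LOCKED is a hypothetical code for the "locked to another netid" error.
MISSING_HEADERS_FROM_IDP = "MissingHeadersFromIdp"
USER_WITHOUT_EMAIL = "UserWithoutEmailException"
NETID_LOCKED = "NetidLockedToAnotherUser"
OK = "OK"


@dataclass
class EPerson:
    email: str
    netid: Optional[str] = None   # stored as "<eppn>[<idp>]", as in the error text in the issue


@dataclass
class VerificationToken:
    email: str                    # email the user supplied after UserWithoutEmailException
    shib_headers: Dict[str, str]  # headers captured from the SP at the first attempt


@dataclass
class Store:
    epersons: Dict[str, EPerson] = field(default_factory=dict)        # keyed by lower-cased email
    tokens: Dict[str, VerificationToken] = field(default_factory=dict)


def single(headers: Dict[str, str], name: str) -> Optional[str]:
    """First value of a Shibboleth header (the SP joins multi-valued attributes with ';')."""
    raw = headers.get(name)
    if raw is None:
        return None
    first = raw.split(";")[0].strip()
    return first or None


def by_netid(store: Store, netid: str) -> Optional[EPerson]:
    return next((p for p in store.epersons.values() if p.netid == netid), None)


def shib_login(headers: Dict[str, str], store: Store,
               verification_token: Optional[str] = None) -> Tuple[str, Optional[EPerson]]:
    """Return (outcome, eperson). `headers` are the SP-set headers on the protected URL."""
    token = store.tokens.get(verification_token) if verification_token else None
    # With a token, the headers saved at the first attempt are used, not the current request's.
    shib_headers = token.shib_headers if token else headers

    netid = single(shib_headers, NETID_HEADER)
    idp = single(shib_headers, IDP_HEADER)
    if netid is None or idp is None:
        return MISSING_HEADERS_FROM_IDP, None
    locked_netid = f"{netid}[{idp}]"

    # Primary lookup is by netid; the email is only consulted when no netid match exists.
    person = by_netid(store, locked_netid)
    if person is not None:
        return OK, person

    email = token.email if token else single(shib_headers, EMAIL_HEADER)
    if email is None:
        # The REST layer raises this; the client must collect an email and retry with a token.
        return USER_WITHOUT_EMAIL, None
    email = email.lower()

    person = store.epersons.get(email)
    if person is None:
        person = EPerson(email=email, netid=locked_netid)   # auto-register a new account
        store.epersons[email] = person
        return OK, person
    if person.netid is not None and person.netid != locked_netid:
        # Same email, different netid: the "locked to another netid" case quoted in the issue.
        return NETID_LOCKED, None
    person.netid = locked_netid   # first federated login for a previously local account
    return OK, person


if __name__ == "__main__":
    # Constructed sample: one account locked to a netid from the CUNI IdP.
    s = Store()
    s.epersons["alice@example.org"] = EPerson(
        "alice@example.org", "alice@uni.example[https://cas.cuni.cz/idp/shibboleth]")
    same_email_other_idp = {"eppn": "alice@dev.example", "mail": "alice@example.org",
                            "Shib-Identity-Provider": "https://ufal-point-dev.ufal.hide.ms.mff.cuni.cz/idp/shibboleth"}
    print(shib_login(same_email_other_idp, s)[0])   # NetidLockedToAnotherUser
```

Two points the model makes visible: the netid comparison includes the IdP entityID, so the same person arriving through a second IdP (the dev IdP instead of cas.cuni.cz) with the same email is rejected by design, and the headers are trusted as-is, which is only safe because nginx sets them on the protected URL and the client cannot supply its own eppn or mail on that path.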

@kosarko
Member Author

kosarko commented Apr 19, 2024

What's mentioned here is either fixed or described in more detail under #1066.
The necessary nginx setup is more or less https://github.com/ufal/dockerized-nginx-with-shibboleth/blob/bc67dbf3332307e72440f4791fdd126c016457f0/nginx/conf/templates/default.conf.template#L80-L83

@kosarko kosarko closed this as completed Apr 19, 2024