Hi Joel and Chris

Thanks for your messages!

As Chris pointed out, <Location /> is correct - it is saying that the location is / (i.e. the entire site), and this wasn't the cause of the 404 message indeed.

So the following Apache configuration (according to https://perldoc.koha-community.org/C4/Auth_with_shibboleth.html ) actually does work with Koha 20.11 running Plack:

    <Location />
      AuthType shibboleth
      Require shibboleth
      ShibUseEnvironment Off
      ShibUseHeaders On
    </Location>

Shibboleth accesses the XML file using a URL like https://kohaserver.yourdomain.example.com/Shibboleth.sso/Metadata and, misled by the https, I had the following configuration in my file "shibboleth2.xml":

    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https">

This was wrong because in my case HTTPS/SSL is not configured on the Koha host in its Apache configuration (which has only entries for HTTP *:80 and HTTP *:8080) but on the entry host. So the correct configuration is the following:

    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="false" cookieProps="http">

So I'll get the following warnings and will have to live with them for the time being:

    $ sudo shibd -t
    2021-05-06 23:43:07 WARN Shibboleth.Application : insecure cookieProps setting, set to "https" for SSL/TLS-only usage
    2021-05-06 23:43:07 WARN Shibboleth.Application : handlerSSL should be enabled for SSL/TLS-enabled web sites
    overall configuration is loadable, check console or log for non-fatal problems

I only found this out when completely rebuilding my configuration from zero. After inserting every new directive I stopped/started both shibd and apache2, checked with "shibd -t" and tried to access the XML file via https://kohaserver.yourdomain.example.com/Shibboleth.sso/Metadata

Best wishes: Michael
--
Geschäftsführer · Diplombibliothekar BBS, Informatiker eidg. Fachausweis
Admin Kuhn GmbH · Pappelstrasse 20 · 4123 Allschwil · Schweiz
T 0041 (0)61 261 55 61 · E mik@adminkuhn.ch · W www.adminkuhn.ch

On 06.05.21 at 22:53, Coehoorn, Joel wrote:
On my working system which uses shibboleth, the Location element is defined inside the appropriate VirtualHosts, and looks like this:
    <Location />
      # ShibRequestSetting applicationId catalog.york.edu
      AuthType shibboleth
      ShibRequireSession Off
      Require shibboleth
    </Location>

Yes, ShibRequest really is commented out, and it does seem like the "/" character in the opening <Location /> element is wrong and should immediately close the element. I'm actually not sure what's going on there as I look at it, but if it were wrong I'd expect apache to not even run when it tries to parse the </Location> line a few lines later.
For context, I have 4 VirtualHost entries: one each for HTTP *:80 and HTTPS *:443 for both OPAC and staff. We use SSO for both OPAC and staff. I have the Location element listed inside both HTTPS *:443 virtual hosts. The HTTP *:80 hosts only have enough to force a redirect to the corresponding HTTPS *:443 location. We are not using plack.
The main thing I can see is, if you can already download the xml metadata, and it looks correct, I would leave it out. Whatever apache needs to configure this, if you can download the file it already has it.

Joel Coehoorn
Director of Information Technology
York College of Nebraska

On 06.05.21 at 23:28, Chris Cormack wrote:
Kia ora
Location / is right
It's not closing the tag, it's saying location is /, i.e. the entire site. Location is relative to the site, not to be confused with Directory, which is to do with the file structure on the server.
So this will not be the cause of the 404
Our running instances look like Joel's too.
Chris
On Thu, May 6, 2021 at 2:57 PM Michael Kuhn <mik@adminkuhn.ch> wrote:
Hi Alvaro
Thanks for the hint, but <Location /var/lib/koha/<INSTANCE>/ > isn't working either. Besides there is some caching going on (Memcache, Plack, Mojolicious) that complicates things a lot.
I think there is some important information missing in https://wiki.koha-community.org/wiki/Shibboleth_Configuration
Maybe it even has something to do with the new caching introduced in recent Koha versions?
Is anyone successfully running Shibboleth with Koha 20.11 (running Plack) - and if yes, what does your directive "Location" look like?
Best wishes: Michael
--
Geschäftsführer · Diplombibliothekar BBS, Informatiker eidg. Fachausweis
Admin Kuhn GmbH · Pappelstrasse 20 · 4123 Allschwil · Schweiz
T 0041 (0)61 261 55 61 · E mik@adminkuhn.ch · W www.adminkuhn.ch
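
Added example, not part of the original messages and not Koha or Shibboleth code: a short script that checks the handlerSSL and cookieProps attributes of <Sessions> in a shibboleth2.xml, run here on the two variants quoted at the top of the thread. The SPConfig wrapper, its namespace, the entityID and the function name audit_sessions are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <Sessions> element quoted in the thread, wrapped in a
# minimal SPConfig skeleton (wrapper, namespace and entityID are assumptions).
TEMPLATE = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://kohaserver.yourdomain.example.com/shibboleth">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="{ssl}" cookieProps="{cookie}"/>
  </ApplicationDefaults>
</SPConfig>"""


def audit_sessions(xml_text):
    """Return (attribute, value, reason) for each weak <Sessions> setting."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # Compare the local name only, so any SP config namespace version matches.
        if el.tag.rsplit("}", 1)[-1] != "Sessions":
            continue
        ssl = el.get("handlerSSL")
        cookie = el.get("cookieProps")
        # Assumption: an unset attribute is reported too, so it gets set explicitly.
        if ssl is None or ssl.strip().lower() not in ("true", "1"):
            findings.append(("handlerSSL", ssl,
                             "handlers are not restricted to SSL/TLS requests"))
        # cookieProps is "http", "https" or a literal cookie attribute string;
        # a literal string is accepted here only if it carries "secure".
        if cookie is None or not (cookie.strip().lower() == "https"
                                  or "secure" in cookie.lower()):
            findings.append(("cookieProps", cookie,
                             "session cookie is issued without the Secure flag"))
    return findings


if __name__ == "__main__":
    for ssl, cookie in (("true", "https"), ("false", "http")):
        result = audit_sessions(TEMPLATE.format(ssl=ssl, cookie=cookie))
        print(f'handlerSSL="{ssl}" cookieProps="{cookie}":',
              "no findings" if not result else "")
        for attr, value, reason in result:
            print(f'  {attr}="{value}": {reason}')
```

The second variant produces the same two findings that "shibd -t" reports as warnings in the message above.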