[Koha] Koha and Shibboleth

Coehoorn, Joel jcoehoorn at york.edu
Fri May 7 08:53:13 NZST 2021


On my working system which uses shibboleth, the Location element is defined
inside the appropriate VirtualHosts, and looks like this:

<Location />
# ShibRequest Setting applicationId catalog.york.edu
   Authtype shibboleth
   ShibRequireSession Off
   Require shibboleth
</Location>

Yes, ShibRequest really is commented out, and it does seem like the "/"
character in the opening <Location /> element is wrong and should
immediately close the element. I'm actually not sure what's going on there
as I look at it, but if it were wrong I'd expect apache to not even run
when it tries to parse the </Location> line a few lines later.

For context, I have 4 VirtualHost entries: one each for HTTP *:80 and HTTPS
*:443 for both OPAC and staff. We use SSO for both OPAC and staff. I have
the Location element listed inside both HTTPS *:443 virtual hosts. The HTTP
*:80 hosts only have enough to force a redirect to the corresponding HTTPS
*:443 location. We are not using plack.

The main thing I can see is, if you can already download the xml metadata,
and it looks correct, I would leave it out. Whatever apache needs to
configure this, if you can download the file it already has it.

Joel Coehoorn
Director of Information Technology
York College of Nebraska


On Thu, May 6, 2021 at 2:57 PM Michael Kuhn <mik at adminkuhn.ch> wrote:

> Hi Alvaro
>
> Thanks for the hint, but <Location /var/lib/koha/<INSTANCE>/ > isn't
> working either. Besides there is some caching going on (Memcache, Plack,
> Mojolicious) that complicates things a lot.
>
> I think there is some important information missing in
> https://wiki.koha-community.org/wiki/Shibboleth_Configuration
>
> Maybe it even has something to do with the new caching introduced in
> recent Koha versions?
>
> Is anyone successfully running Shibboleth with Koha 20.11 (running
> Plack) - and if yes, what does your directive "Location" look like?
>
> Best wishes: Michael
> --
> Geschäftsführer · Diplombibliothekar BBS, Informatiker eidg. Fachausweis
> Admin Kuhn GmbH · Pappelstrasse 20 · 4123 Allschwil · Schweiz
> T 0041 (0)61 261 55 61 · E mik at adminkuhn.ch · W www.adminkuhn.ch
>
>
>
> On 06.05.21 at 21:19, Alvaro Cornejo wrote:
> > Hi Michael
> >
> > My guess would be
> >
> > <Location /var/lib/koha/<INSTANCE>/  >
> >
> > since it is the root path of koha
> >
> > Regards
> >
> > Alvaro
> >
> >
> >
> >
> > On Thu, 6 May 2021 at 13:31, Michael Kuhn <mik at adminkuhn.ch> wrote:
> >
> >     Hi Alvaro
> >
> >       > I´ve never worked with shibboleth but error 404 means apache can
> >       > not find the specified page and/or has not permissions. Have you
> >       > checked it out?
> >       >
> >       > As per what I understand, shibboleth needs to access file in:
> >       >
> >       > https://kohaserver.yourdomain.example.com/Shibboleth.sso/Metadata
> >       >
> >       > But in your apache config you are defining
> >       >
> >       > <Location />
> >       >
> >       > That means your domain root directory.
> >
> >     That is how it's shown in the example...
> >
> >       > Have you tried to point it to the shibboleth folder?
> >
> >     What would be my shibboleth folder?
> >
> >       > Can you get the metadata file directly from your browser?
> >
> >     How would that work?
> >
> >     However, I have deleted my previous configuration and started all
> >     over, documenting and testing every step according to
> >     https://wiki.koha-community.org/wiki/Shibboleth_Configuration
> >
> >     Everything works fine until section "Adding Directories and
> >     Permissions"
> >     and it's always possible to download an XML file when accessing
> >     https://kohaserver.yourdomain.example.com/Shibboleth.sso/Metadata
> >
> >     So the file "Shibboleth.sso/Metadata" seems to be created dynamically,
> >     since there is no directory or file of that name on the Koha host.
> >
> >     But as soon as I follow section "Enabling Shibboleth for your
> >     Virtualhost" and add the directive <Location /> the trouble starts
> >     and it is no more possible to access
> >     https://kohaserver.yourdomain.example.com/Shibboleth.sso/Metadata -
> >     instead I get the message "Sorry, the requested page is not
> >     available, Error 404".
> >
> >     So yes, "<Location />" is probably wrong but what would be the
> >     correct path then? I tried <Location /Shibboleth.sso> and <Location
> >     /shibboleth/metadata> but these seem to be wrong as well...
> >
> >     Best wishes: Michael
> >
> >
> >
> >      > On Thu, 6 May 2021 at 05:42, Michael Kuhn <mik at adminkuhn.ch> wrote:
> >      >
> >      >     Hi
> >      >
> >      >     In order to use Shibboleth with Koha 20.11 on Debian GNU/Linux 10 I
> >      >     searched for information about the necessary configuration. The Koha
> >      >     manual doesn't say anything about Shibboleth, but I found
> >      >     https://wiki.koha-community.org/wiki/Shibboleth_Configuration which
> >      >     seems to be the only source of information on this.
> >      >
> >      >     I followed the information until section "Enabling Shibboleth for your
> >      >     Virtualhost" where it says "Important: Before moving on from this
> >      >     section, you should be able to visit this address and see an xml file
> >      >     download, with no errors shown in your browser:
> >      >     https://kohaserver.yourdomain.example.com/Shibboleth.sso/Metadata"
> >      >
> >      >     Command "shibd -t" says: overall configuration is loadable, check
> >      >     console or log for non-fatal problems
> >      >
> >      >     According to
> >      >     https://github.com/Koha-Community/Koha/blob/master/C4/Auth_with_shibboleth.pm
> >      >
> >      >     I inserted the following into the Apache configuration file
> >      >     <instance>.conf to tell Apache to allow Koha (with Plack running) to
> >      >     authenticate via Shibboleth:
> >      >
> >      >         <Location />
> >      >           AuthType shibboleth
> >      >           Require shibboleth
> >      >           ShibUseEnvironment Off
> >      >           ShibUseHeaders On
> >      >         </Location>
> >      >
> >      >     Replacing "kohaserver.yourdomain.example.com" with the actual domain I
> >      >     tried all sorts of configuration but all I ever get is just the
> >      >     following message instead of the expected XML:
> >      >
> >      >        Sorry, the requested page is not available
> >      >        Error 404
> >      >
> >      >     What may be the cause for this? Is maybe the directory/file
> >      >     "Shibboleth.sso/Metadata" not existing, but how to create it?
> >      >
> >      >     Best wishes: Michael
> >      >
> >
> >
>
>
> _______________________________________________
>
> Koha mailing list  http://koha-community.org
> Koha at lists.katipo.co.nz
> Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha
>
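
The check this thread keeps coming back to (can /Shibboleth.sso/Metadata be fetched, and is the answer really SAML metadata rather than an application error page?), written out as an added example that is not part of any poster's message. The function names are hypothetical, and `curl`, `grep` and `mktemp` are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether the SP metadata
# handler answered, or whether something else served the URL.

# classify_metadata STATUS BODY_FILE
# Prints one word and returns 0 only when the body is SAML 2.0 metadata.
classify_metadata() {
    status=$1
    body=$2
    if [ "$status" = "404" ]; then
        echo "not-found"        # the symptom reported in the thread
        return 1
    fi
    if [ "$status" != "200" ]; then
        echo "http-error"
        return 1
    fi
    # SAML 2.0 metadata has an EntityDescriptor element in this namespace.
    if grep -q 'EntityDescriptor' "$body" &&
       grep -q 'urn:oasis:names:tc:SAML:2.0:metadata' "$body"; then
        echo "ok"
        return 0
    fi
    echo "not-metadata"         # 200, but e.g. an HTML page
    return 1
}

# check_sp_metadata BASE_URL
# Live check: fetch BASE_URL/Shibboleth.sso/Metadata and classify it.
check_sp_metadata() {
    tmp=$(mktemp) || return 2
    status=$(curl -s -o "$tmp" -w '%{http_code}' "$1/Shibboleth.sso/Metadata")
    classify_metadata "$status" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sh check.sh https://kohaserver.yourdomain.example.com
if [ -n "${1:-}" ]; then
    check_sp_metadata "$1"
fi
```

Running it before and after adding the Location block shows whether that change is what stops the handler from answering.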

