[Koha] Fwd: Koha and Shibboleth

Michael Kuhn mik at adminkuhn.ch
Fri May 7 20:31:47 NZST 2021


Hi Joel and Chris

Thanks for your messages!

As Chris pointed out, <Location /> is correct - it is saying that the 
location is / (i.e. the entire site) and this wasn't the cause of 
the 404 message indeed.

So the following Apache configuration (according to 
https://perldoc.koha-community.org/C4/Auth_with_shibboleth.html ) 
actually does work with Koha 20.11 running Plack:

   <Location />
     AuthType shibboleth
     Require shibboleth
     ShibUseEnvironment Off
     ShibUseHeaders On
   </Location>

Shibboleth accesses the XML file using a URL like 
https://kohaserver.yourdomain.example.com/Shibboleth.sso/Metadata and, 
misled by the https, I had the following configuration in my file 
"shibboleth2.xml":

<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" 
checkAddress="false" handlerSSL="true" cookieProps="https">

This was wrong because in my case HTTPS/SSL is not configured on the 
Koha host in its Apache configuration (which has only entries for HTTP 
*:80 and HTTP *:8080) but on the entry host. So the correct 
configuration is the following:

<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" 
checkAddress="false" handlerSSL="false" cookieProps="http">

So I'll get the following warnings and will have to live with them for the 
time being:

$ sudo shibd -t
2021-05-06 23:43:07 WARN Shibboleth.Application : insecure cookieProps 
setting, set to "https" for SSL/TLS-only usage
2021-05-06 23:43:07 WARN Shibboleth.Application : handlerSSL should be 
enabled for SSL/TLS-enabled web sites
overall configuration is loadable, check console or log for non-fatal 
problems

I only found this out when completely rebuilding my configuration from 
zero. After inserting every new directive I stopped/started both shibd 
and apache2, checked with "shibd -t" and tried to access the XML file 
via https://kohaserver.yourdomain.example.com/Shibboleth.sso/Metadata.

Best wishes: Michael
-- 
Managing Director · Qualified Librarian BBS, IT Specialist (Swiss Federal Certificate)
Admin Kuhn GmbH · Pappelstrasse 20 · 4123 Allschwil · Switzerland
T 0041 (0)61 261 55 61 · E mik at adminkuhn.ch · W www.adminkuhn.ch
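To make the handlerSSL/cookieProps decision above checkable rather than trial-and-error, here is a small script (an added example, not part of the mail or of Koha/Shibboleth) that reads the <Sessions> element and reports which settings are inconsistent with where TLS actually terminates, and which warnings are the expected residual risk of the proxy setup. The two sample <Sessions> strings are constructed from the lines quoted in the mail; the 'http'/'https' shortcut expansions follow the Shibboleth SP documentation.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the two <Sessions> lines quoted in the mail, not the real file.
WRONG_SESSIONS = ('<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" '
                  'checkAddress="false" handlerSSL="true" cookieProps="https"/>')
FIXED_SESSIONS = ('<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" '
                  'checkAddress="false" handlerSSL="false" cookieProps="http"/>')

def sessions_attrs(xml_text):
    """Attributes of the first <Sessions> element; namespaces are ignored so a complete
    shibboleth2.xml (which uses a default namespace) can be passed in as well."""
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit('}', 1)[-1] == 'Sessions':
            return dict(el.attrib)
    raise ValueError('no <Sessions> element found')

def cookie_attributes(cookie_props):
    """Expand the SP's "http"/"https" cookieProps shortcuts to the cookie attributes they stand for."""
    shortcuts = {'http': '; path=/; HttpOnly', 'https': '; path=/; secure; HttpOnly'}
    return shortcuts.get(cookie_props, cookie_props)

def check_sessions(attrs, tls_on_sp_host):
    """Return (severity, message) findings. tls_on_sp_host=True means Apache on the Koha
    host serves HTTPS itself; False means it only sees plain HTTP because TLS terminates
    on a proxy in front of it (the "entry host" in the mail)."""
    # A missing handlerSSL is treated as "false" here; the SP's own default varies by version.
    handler_ssl = attrs.get('handlerSSL', 'false').lower() == 'true'
    secure_cookie = 'secure' in cookie_attributes(attrs.get('cookieProps', '')).lower()
    findings = []
    if tls_on_sp_host:
        if not handler_ssl:
            findings.append(('error', 'handlerSSL="false" on an HTTPS host: set it to "true"'))
        if not secure_cookie:
            findings.append(('error', 'session cookie lacks Secure on an HTTPS host: use cookieProps="https"'))
    else:
        if handler_ssl:
            findings.append(('error', 'handlerSSL="true" but this host only receives plain HTTP: '
                             'handler URLs such as /Shibboleth.sso/Metadata will not be served'))
        if not secure_cookie:
            findings.append(('warn', 'session cookie has no Secure flag (the "insecure cookieProps" '
                             'warning from shibd -t): the entry host must redirect all HTTP to HTTPS '
                             'and browsers must not be able to reach the Koha host directly'))
    return findings

if __name__ == '__main__':
    for label, xml in (('wrong', WRONG_SESSIONS), ('fixed', FIXED_SESSIONS)):
        for sev, msg in check_sessions(sessions_attrs(xml), tls_on_sp_host=False):
            print(f'{label}: {sev}: {msg}')
```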



On 06.05.21 at 22:53, Coehoorn, Joel wrote:
> On my working system which uses shibboleth, the Location element is
> defined inside the appropriate VirtualHosts, and looks like this:
>
> <Location />
> # ShibRequest Setting applicationId catalog.york.edu
>     Authtype shibboleth
>     ShibRequireSession Off
>     Require shibboleth
> </Location>
>
> Yes, ShibRequest really is commented out, and it does seem like the "/"
> character in the opening <Location /> element is wrong and should
> immediately close the element. I'm actually not sure what's going on
> there as I look at it, but if it were wrong I'd expect apache to not
> even run when it tries to parse the </Location> line a few lines later.
>
> For context, I have 4 VirtualHost entries: one each for HTTP *:80 and
> HTTPS *:443 for both OPAC and staff. We use SSO for both OPAC and staff.
> I have the Location element listed inside both HTTPS *:443 virtual
> hosts. The HTTP *:80 hosts only have enough to force a redirect to the
> corresponding HTTPS *:443 location. We are not using plack.
>
> The main thing I can see is, if you can already download the xml
> metadata, and it looks correct, I would leave it out. Whatever apache
> needs to configure this, if you can download the file it already has it.
>
> Joel Coehoorn
> Director of Information Technology
> York College of Nebraska



On 06.05.21 at 23:28, Chris Cormack wrote:
> Kia ora
>
> Location / is right
>
> It's not closing the tag, it's saying location is / i.e. the entire site.
> Location is relative to the site, not to be confused with Directory
> which is to do with the file structure on the server.
>
> So this will not be the cause of the 404
>
> Our running instances look like Joel's too.
>
> Chris



> On Thu, May 6, 2021 at 2:57 PM Michael Kuhn <mik at adminkuhn.ch> wrote:
>
> Hi Alvaro
>
> Thanks for the hint, but <Location /var/lib/koha/<INSTANCE>/ > isn't
> working either. Besides there is some caching going on (Memcache,
> Plack, Mojolicious) that complicates things a lot.
>
> I think there is some important information missing in
> https://wiki.koha-community.org/wiki/Shibboleth_Configuration
>
> Maybe it even has something to do with the new caching introduced in
> recent Koha versions?
>
> Is anyone successfully running Shibboleth with Koha 20.11 (running
> Plack) - and if yes, what does your directive "Location" look like?
>
> Best wishes: Michael
> --
> Managing Director · Qualified Librarian BBS, IT Specialist (Swiss Federal Certificate)
> Admin Kuhn GmbH · Pappelstrasse 20 · 4123 Allschwil · Switzerland
> T 0041 (0)61 261 55 61 · E mik at adminkuhn.ch · W www.adminkuhn.ch

