grouper-users - Re: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy

Subject: Grouper Users - Open Discussion List

  • From: Shilen Patel <>
  • To: Shaun Koh <>, "" <>
  • Subject: Re: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy
  • Date: Wed, 1 Jun 2016 17:32:05 +0000

I think if you turn debug logging on, it will log some useful information. It will tell you if it is looking for your header and whether it found a value. That would at least tell you if the problem has to do with getting the header to Grouper or if it's afterwards (e.g. in the sources.xml configuration). If you wouldn't mind turning debug logging on and sending the results. Maybe also your proxy configuration.

Thanks!

- Shilen

From: Shaun Koh <>
Date: Wednesday, June 1, 2016 at 4:48 AM
To: "" <>
Subject: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy

Hi there,

I am trying to protect the Grouper UI with our SSO service (Shib) that reverse proxies HTTP requests to our Grouper instance on a separate host.

To date, I haven’t had much success getting this to work with Grouper as the docs available seem to be pointed at AJP based approaches which we do not use at our institute.

There were a couple of mailing list entries such as https://lists.internet2.edu/sympa/arc/grouper-users/2014-10/msg00037.html that seem to address this however did not contain a clear solution or confirmation as to what really worked.

I am aware that there is a `grouper.ui.authentication.http.header` attribute you can set in grouper-ui.properties that was added in for this purpose however setting that to a request header passed from SSO did not seem to do anything.

- i.e. I still get an error on the UI: You have an anonymous session since you are not logged in, but this section requires you to be logged in. Maybe No username found. Your identity provider might not be sending your username to this application. Either you need to use a different identity provider, or ask your IT department to send your username to this application.

Also, I can ensure that a record of my institutional id being passed from SSO exists in the `subjectId` column of the `subject` table in the Grouper DB and is retrievable by running `SubjectFinder.findById("$subjectId")` in the shell.

It would be great if someone could provide a solution/set-up that worked for you or perhaps to point out if I am missing some config to set? (e.g. do I have to edit sources.xml?)

Thank you,

Shaun K.



