grouper-users - Re: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy
Subject: Grouper Users - Open Discussion List
List archive
Re: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy
Chronological Thread
- From: "Waldbieser, Carl" <>
- To: Shaun Koh <>
- Cc:
- Subject: Re: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy
- Date: Wed, 1 Jun 2016 14:53:10 -0400 (EDT)
Shaun,
I found that I had to remove a bunch of "security-role" elements from the
`web.xml` file in my grouper WAR file. After the last "servlet-mapping"
element, I just have this "security-role":
<security-role>
<description>
The role that is required to log in to the Grouper UI
</description>
<role-name>*</role-name>
</security-role>
I then set the the `grouper.ui.authentication.http.header` property to
REMOTE_USER.
We also proxy behing Nginx. I found out that nginx strips headers that have
underscores in them. This will unfortunately strip out the OWASP_CSRF header
that Grouper uses to protect against cross-site request-forgery attacks. To
tell nginx to allow headers with underscores, add the following to
/etc/nginx/nginx.conf in the http section:
underscores_in_headers on;
We are running Grouper v2.2.2.
Hope that helps!
Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
----- Original Message -----
From: "Shaun Koh"
<>
To:
Sent: Wednesday, June 1, 2016 4:48:26 AM
Subject: [grouper-users] [Grouper UI] - Assistance required authenticating
via Shibboleth reverse proxy
Hi there,
I am trying to protect the Grouper UI with our SSO service (Shib) that
reverse proxies HTTP requests to our Grouper instance on a separate host.
To date, I haven't had much success getting this to work with Grouper as the
docs available seem to be pointed at AJP based approaches which we do not use
at our institute.
There were a couple of mailing list entries such as
https://lists.internet2.edu/sympa/arc/grouper-users/2014-10/msg00037.html
that seem to address this however did not contain a clear solution or
confirmation as to what really worked.
I am aware that there is a ` grouper.ui.authentication.http.header` attribute
you can set in grouper-ui.properties that was added in for this purpose
however setting that to a request header passed from SSO did not seem to do
anything.
- i.e. I still get an error on the UI: You have an anonymous session
since you are not logged in, but this section requires you to be logged in.
Maybe No username found. Your identity provider might not be sending your
username to this application. Either you need to use a different identity
provider, or ask your IT department to send your username to this application.
Also, I can ensure that a record of my institutional id being passed from SSO
exists in the `subjectId` column of the `subject` table in the Grouper DB and
is retrievable by running SubjectFinder.findById("$subjectId") in the shell.
It would be great if someone could provide a solution/set-up that worked for
you or perhaps to point out if I am missing some config to set ? (e.g. do I
have to edit sources.xml ?)
Thank you,
Shaun K.
- [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy, Shaun Koh, 06/01/2016
- Re: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy, Waldbieser, Carl, 06/01/2016
- <Possible follow-up(s)>
- Re: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy, Shilen Patel, 06/01/2016
- RE: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy, Hyzer, Chris, 06/01/2016
- RE: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy, Shaun Koh, 06/02/2016
- Re: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy, Shilen Patel, 06/02/2016
- RE: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy, Shaun Koh, 06/02/2016
- Re: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy, Shilen Patel, 06/02/2016
- RE: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy, Shaun Koh, 06/02/2016
- Re: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy, Shilen Patel, 06/02/2016
- RE: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy, Shaun Koh, 06/02/2016
- RE: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy, Hyzer, Chris, 06/01/2016
Archive powered by MHonArc 2.6.16.