Issue with SSO authentication setup #255
Comments
just to test, you can try using this would confirm that the issue is with the shibboleth configuration/attribute mapping.
Just to confirm, to test, the nginx property will be: `proxy_set_header REMOTE_USER "hydrozyk";` in the / correct?
yes, wherever you already have it, you can change the my guess here is that the issue comes from the mapping of the attribute, where your shibboleth provider is sending the username as some other variable and that the current shibboleth configuration doesn't map it correctly to the I have to admit I don't know much about that part of the authentication/configuration
Yes, that actually worked! Looks like no CSS styling, but it did work.
for the static files you can use in nginx:
and in docker-compose.yml (assuming your nemo static files are in the ./nemo/static folder from where your docker-compose.yml file is):
you'll need to run
Great, that seems to work! But now when I log out or try to modify users it errors out with:
Nemo log:
in `settings.py`, you should have: check that the first of the `ALLOWED_HOSTS` is "myhost.com", otherwise you can set it directly:
That solved it! Going back to SSO auth. So if Shibboleth works and I can log in without any issues into the /Shibboleth.sso/Login test page, it could be that something in the NEMO app handling this remote_user string is where the problem is, not Shibboleth, but I might be missing something here.
It looks like NEMO is handling it correctly when hardcoded in nginx. It works this way:
I think the issue is Your IT, who provided all the XML files, should be able to identify where the discrepancy is and either change it on their end or tell you where to change it in your XML files.
Just got word from them: they are mapping usernames fully-scoped (i.e. [email protected]) and that is their security policy, I am told. I wonder if it can be remapped in shibboleth/attribute-map.xml to pass to nginx without the @myinstitution.edu?
NEMO takes care of removing that if it is present, so I don't think that's the issue.
Sorry, could you elaborate more on this? Is your question about what the Shibboleth module puts into the REMOTE_USER variable, or the name of the field? This is so that I can ask the IdP team the very specific question on this. Thanks
When the header gets to NEMO, NEMO will strip out the domain if it's there. My question is what fields are being sent back after a user authenticates and what is the name of the field where the username is? Is it called "username" or "email" or anything else?
When I go to /Shibboleth.sso/Session I see 3 user attributes:
Is that what is needed? The field names? Is it possible to include a test script in NEMO to print out the request headers? Something like that:
I also see the following attributes in attribute-map.xml
in shibboleth2.xml, try using:
Thanks for the update! I am getting this error now in the NEMO image and it won't log me in.
anything in nginx's logs?
also do you have a
In nginx I see:
Which Shibb attribute exactly is NEMO looking for?
attribute-map.xml has this:
Which Shibb attribute exactly is NEMO looking for?
Got word from the IdP team that Okta sends the data in an XML document in the request body, and the user identifier is contained in an XML "Subject" element, in a sub-element called "NameID".
remove
I removed it and left just the NEMO log:
I think the answer lies there somewhere, how to properly pass it to NEMO. What attribute is it looking for exactly?
this means it will map the REMOTE_USER to "uid eppn subject-id pairwise-id persistent-id" in that order of preference, which I think means if uid isn't present it uses eppn etc. can you try putting
Was there a way to see logs for Shibboleth in the nginx image or application? `docker logs nginx` just shows nginx logs.
yes,
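The two questions above, what the proxy actually forwards and which of several attributes ends up as REMOTE_USER, can be made concrete with a small script. The following is an added example, not NEMO's code: it re-implements the "first attribute present in preference order" rule quoted from the Shibboleth setting, the domain stripping the maintainer says NEMO does, and a debug-only WSGI endpoint that echoes just the auth-related request variables (the header name `HTTP_REMOTE_USER`, the attribute ids and the sample values are assumptions).

```python
"""Added example (not NEMO's own code): resolve a REMOTE_USER value the way the
thread describes it, and a small WSGI endpoint that echoes the auth-related
request variables so you can see what the proxy actually forwards."""
from typing import Iterable, Mapping, Optional
from wsgiref.util import setup_testing_defaults

# Preference order quoted in the thread: the SP's REMOTE_USER setting lists
# several attribute ids and the first one that is present wins.
DEFAULT_REMOTE_USER_ORDER = ("uid", "eppn", "subject-id", "pairwise-id", "persistent-id")


def pick_remote_user(attributes: Mapping[str, str],
                     order: Iterable[str] = DEFAULT_REMOTE_USER_ORDER) -> Optional[str]:
    """Return the first non-empty attribute in preference order, or None."""
    for attribute_id in order:
        value = attributes.get(attribute_id, "").strip()
        if value:
            return value
    return None


def strip_scope(remote_user: str) -> str:
    """Drop a fully-scoped suffix (user@institution.edu -> user).

    The thread says NEMO removes the domain when it is present; this is an
    assumed re-implementation of that behaviour, not NEMO's code.
    """
    local_part, sep, _domain = remote_user.partition("@")
    return local_part if sep else remote_user


def username_from_headers(environ: Mapping[str, str],
                          header: str = "HTTP_REMOTE_USER") -> Optional[str]:
    """Read the proxy-forwarded username from a WSGI environ.

    `header` is an assumed name: nginx's `proxy_set_header REMOTE_USER ...`
    arrives in WSGI as HTTP_REMOTE_USER, while Apache's mod_shib sets
    REMOTE_USER directly, so both keys are checked.
    """
    raw = (environ.get(header) or environ.get("REMOTE_USER") or "").strip()
    return strip_scope(raw) if raw else None


# Only echo variables that matter for the SSO hand-off, never the whole environ.
AUTH_VARIABLE_PREFIXES = ("HTTP_REMOTE_USER", "HTTP_SHIB_", "HTTP_X_FORWARDED_", "REMOTE_USER")


def auth_variables(environ: Mapping[str, str]) -> dict:
    """Collect the auth/proxy related WSGI variables in sorted order."""
    return {key: value for key, value in sorted(environ.items())
            if key.startswith(AUTH_VARIABLE_PREFIXES)}


def header_echo_app(environ, start_response):
    """Debug-only WSGI app: answers with the auth-related variables it received."""
    body = "\n".join(f"{k}: {v}" for k, v in auth_variables(environ).items())
    body += f"\nresolved username: {username_from_headers(environ)}\n"
    data = body.encode()
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("Content-Length", str(len(data)))])
    return [data]


def run_app(environ_overrides: Mapping[str, str]) -> str:
    """Call the echo app on a constructed environ and return the response text."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(environ_overrides)

    def start_response(status, headers):
        pass  # status/headers are not needed for this offline check

    return b"".join(header_echo_app(environ, start_response)).decode()


if __name__ == "__main__":
    # Constructed sample: what nginx would forward after `proxy_set_header`.
    print(run_app({"HTTP_REMOTE_USER": "hydrozyk@myinstitution.edu",
                   "HTTP_SHIB_IDENTITY_PROVIDER": "https://idp.example/shibboleth"}))
```

Mounting `header_echo_app` on a throwaway path of the same container (or running it with `wsgiref.simple_server` behind the same nginx `location`) shows whether `HTTP_REMOTE_USER` arrives at all, which separates a Shibboleth attribute-mapping problem from an nginx forwarding problem.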
All looks good here when I use /Shibboleth.sso/Login which means my IdP supplied configs are all working.
I feel that the Nginx / location might have something to do with it. Was NEMO nginx/shibboleth tested with SSO? Any working configuration available for review? Because other than that I am not sure what it could be; I would suspect a BUG since nothing else worked. Here is my nginx / location, which does not seem to call SSO when I go to https://myhost.com; it goes directly to NEMO.
A few facilities are using this successfully, including with OKTA. You can ask your IT what config you need to have the Shibboleth REMOTE_USER variable contain the username. Out of curiosity, what do you have in shibboleth2.xml in the
Yes, I can ask this, but I need to know what exactly NEMO is looking for from Shibboleth. Can you post a reference to that section of code or something? Or a detailed code sample/example? I searched for RequestMapper in shibboleth2.xml and do not see any entries for it or any references. eppn is what contains the username [email protected] in shibboleth/attribute-map.xml
Because if I navigate to https://myhost.com/Shibboleth.sso/Session I see an entry for it:
It is set as the first option in shibboleth2.xml
Since I verified that Shibboleth works as expected (info above) I have a feeling that the Nginx variable For "/" location Question remains on how to properly call this process in Nginx?
I have this before the ApplicationDefaults section, maybe give it a try:
I suppose I could try, but I am reading that the "/" location is ignored. https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335006/HowToRequestMap `<!-- Do NOT do this, it will be ignored!`
Tried the request mapper option but it crashes the nginx-shib image.
this is the start of my shibboleth2.xml file:

```xml
<SPConfig
    xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">
  <RequestMapper type="XML">
    <RequestMap>
      <Host name="nemo.stanford.edu"
            authType="shibboleth"
            requireSession="true"
            redirectToSSL="443">
        <Path name="/" />
      </Host>
    </RequestMap>
  </RequestMapper>
```
ah that might be why it's not working. I haven't updated the config files to Shibboleth 3 so I don't know the difference. I am sorry but I don't think I can be much more helpful here. Maybe someone in your IT department can take some time to look at all the configuration files and figure out a way to get it to work. Please keep us posted if you figure it out!
Oh, OK, you provide the image of 3.0 but have the docs for 2.0... that is something....
Also, there is a problem in the NEMO image when using a PostgreSQL DB; it looks like it can't load the needed module.
you need to install psycopg2
I finally gave up on Nginx and set up an Apache/Shibb docker image and that works just fine. Also, how do I set up the email function in NEMO? The server is using postfix via relayhost relay.myhost.com, no authentication needed.
You can just uncomment the lines in settings.py and replace the information:
Thanks. Facing an issue with emails for approvals: all clickable URLs within emails arrive as the internal docker address http://172.20.0.2:8000 instead of https://myapp.myhost.com. I have the following in settings.py for ALLOWED_HOSTS, with .01 being the webserver and DB server
this is likely your proxy configuration. you can use something like this for apache:
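Why the e-mailed links come out as http://172.20.0.2:8000 follows from how an application behind a reverse proxy picks the host for absolute URLs: it uses the Host header it receives (the container address) unless the proxy forwards the public host and the app is told to trust it. The snippet below is an added example, not NEMO's or Django's implementation: a simplified model of that decision plus Django-style ALLOWED_HOSTS matching. The trusted-proxy subnet, the header names and the sample requests are assumptions constructed for the example.

```python
"""Added example (not NEMO's or Django's code): choose the host for outbound
absolute URLs behind a reverse proxy, honouring X-Forwarded-* only from a
trusted proxy address, and match a host against an ALLOWED_HOSTS list."""
import ipaddress
from typing import Iterable, Mapping

# Assumed: the proxy reaches the app over the docker network 172.20.0.0/16,
# which is where the 172.20.0.2:8000 address in the thread comes from.
TRUSTED_PROXIES = (ipaddress.ip_network("172.20.0.0/16"),)


def is_trusted_proxy(remote_addr: str) -> bool:
    """True when the TCP peer that sent the request is one of our proxies."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def external_base_url(environ: Mapping[str, str]) -> str:
    """Build scheme://host for links that leave the system (e-mails, redirects).

    X-Forwarded-Host/Proto are honoured only when the request came from a
    trusted proxy; otherwise anything that can reach the app port could plant
    its own host in e-mailed links. Without forwarded headers the Host header
    is used as is, which is exactly the 172.20.0.2:8000 symptom in the thread.
    """
    host = environ.get("HTTP_HOST", "")
    scheme = environ.get("wsgi.url_scheme", "http")
    if is_trusted_proxy(environ.get("REMOTE_ADDR", "")):
        forwarded_host = environ.get("HTTP_X_FORWARDED_HOST", "")
        forwarded_proto = environ.get("HTTP_X_FORWARDED_PROTO", "")
        if forwarded_host:
            host = forwarded_host.split(",")[0].strip()   # first hop wins
        if forwarded_proto:
            scheme = forwarded_proto.split(",")[0].strip()
    return f"{scheme}://{host}"


def host_allowed(host: str, allowed_hosts: Iterable[str]) -> bool:
    """Django-style ALLOWED_HOSTS matching: exact name, or a leading dot
    pattern such as '.myhost.com' that also matches its subdomains."""
    hostname = host.rsplit(":", 1)[0].lower() if host.count(":") == 1 else host.lower()
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == hostname:
            return True
        if pattern.startswith(".") and (hostname == pattern[1:] or hostname.endswith(pattern)):
            return True
    return False


# Constructed sample requests as the app would see them inside the container.
FROM_PROXY_WITH_FORWARDED = {
    "REMOTE_ADDR": "172.20.0.1", "HTTP_HOST": "172.20.0.2:8000",
    "HTTP_X_FORWARDED_HOST": "myapp.myhost.com", "HTTP_X_FORWARDED_PROTO": "https",
}
FROM_PROXY_NO_FORWARDED = {"REMOTE_ADDR": "172.20.0.1", "HTTP_HOST": "172.20.0.2:8000"}
FROM_UNTRUSTED_PEER = {
    "REMOTE_ADDR": "203.0.113.5", "HTTP_HOST": "172.20.0.2:8000",
    "HTTP_X_FORWARDED_HOST": "attacker.example", "HTTP_X_FORWARDED_PROTO": "https",
}

if __name__ == "__main__":
    for name, env in [("proxy sets X-Forwarded-*", FROM_PROXY_WITH_FORWARDED),
                      ("proxy forwards nothing", FROM_PROXY_NO_FORWARDED),
                      ("untrusted peer sets X-Forwarded-*", FROM_UNTRUSTED_PEER)]:
        print(f"{name:36s} -> {external_base_url(env)}")
    print(host_allowed("myapp.myhost.com", ["myhost.com", ".myhost.com"]))
```

In Django terms the two halves of the fix are the proxy adding `X-Forwarded-Host`/`X-Forwarded-Proto` (the Apache directives the maintainer refers to) and the app enabling `USE_X_FORWARDED_HOST` and `SECURE_PROXY_SSL_HEADER`; Django itself does not check the proxy's address, so keep the app port reachable only from the proxy, which is what the address check in the example stands in for.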
Any idea what could be happening after switching to the NEMO-ce version with URLs and installing plugins with the docker-compose file and Docker image "registry.gitlab.com/nemo-community/nemo-ce:6.0.24"?
this looks all normal, there are no urls per se in NEMO-CE, the urls are directly included in NEMO. the nemo-ce app is just there to keep track of migrations that are not present in NEMO |
Wondering if anyone else had a similar issue, and hoping to debug why it is happening.
I followed the Docker-compose installation from here: https://github.com/usnistgov/NEMO/wiki/Docker-Compose-installation
Plus the nanofab/nginx-shibboleth Docker image: https://hub.docker.com/r/nanofab/nginx-shibboleth for SSO authentication.
Shibboleth is working just fine with our institution's IdP, and I verified with https://myhost.com/Shibboleth.sso/Login and https://myhost.com/Shibboleth.sso/Session: after login I get the session information, so that is not the issue.
Running `docker logs -f nemo` reveals:
Problem seems to be with nginx passing SHIB_REMOTE_USER header to NEMO app.
Nginx logs show:
I followed the https://hub.docker.com/r/nanofab/nginx-shibboleth nginx configuration, but it still produces the above NEMO error.
Nginx config snippet:
settings.py snippet:
shibboleth2.xml is set to:
As well as attribute-map.xml:

```xml
<Attribute name="username" id="uid"/>
```
Any help getting this solved is much appreciated!