shibboleth problem on one host

I have 3 hosts where I'm trying to set up shibboleth and nuxeo; -dev, -stg, and production.

It works on -dev and -stg, it does not work on production. On production, it looks like it is doing something similar to a report last October where nuxeo is not able to pick up the shibboleth information from the request and end up in an endless loop.

DNS difference between -dev/-stg and production

nuxeo-dev.example.org and nuxeo-stg.example.org are DNS A records to the IP address of the VM.

nuxeo.example.org, my production VM, is a DNS CNAME to xyz-nuxeo-p01.example.edu. This is the only difference I can see between production and the other environments. Production is run by a different group, and getting them to change the DNS setup to match -dev/-stg is not an option.

when it fails

If I turn up log4j.xml org.nuxeo.ecm.platform.ui.web.auth to TRACE; on production I see:

2013-10-14 20:25:50,610 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Entering Nuxeo Authentication Filter
2013-10-14 20:25:50,611 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Principal not found inside Request via getUserPrincipal
2013-10-14 20:25:50,611 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Try getting authentication from cache
2013-10-14 20:25:50,612 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIdentification using plugin SHIB_AUTH
2013-10-14 20:25:50,612 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIdentification using plugin BASIC_AUTH
2013-10-14 20:25:50,612 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] user/password not found in request, try into identity cache

or

Entering Nuxeo Authentication Filter
Principal not found inside Request via getUserPrincipal
Try getting authentication from cache
Trying to retrieve userIdentification using plugin SHIB_AUTH
Trying to retrieve userIdentification using plugin BASIC_AUTHuser/password not found in request, try into identity cache

when it works

When it works (tar'ing up the same exact files onto -dev or -stg) the

show something like this:

Entering Nuxeo Authentication Filter
Principal not found inside Request via getUserPrincipal
Try getting authentication from cache
Trying to retrieve userIdentification using plugin SHIB_AUTH
[ShibbolethAuthenticationPlugin] Failed to get or create user entry
           ... java.lang.NullPointerException ...
User/Password found as parameter of the request
Exit Nuxeo Authentication filter
Entering Nuxeo Authentication FilterPrincipal not found inside Request via getUserPrincipal
Try getting authentication from cacheuserIdent found in cache, get the Principal from it without reloggin
Principal = Brian.T@example.org
Exit Nuxeo Authentication filter
Entering Nuxeo Authentication FilterPrincipal not found inside Request via getUserPrincipal
Try getting authentication from cacheuserIdent found in cache, get the Principal from it without reloggin
Principal = Brian.T@example.org
Exit Nuxeo Authentication filte

what I've tried

  • I've tried to edit the server.xml for tomcat so that host=nuxeo.example.org
  • I've tried to set nuxeo.url=http://nuxeo.example.org:8080/nuxeo
  • I've tried to set RequestHeader append nuxeo-virtual-host "https://myDomainName/" and turn ProxyPreserveHost On
  • tested on 5.6, 5.7.2, and 5.7.3

what next?

I'm not sure what to try next. Could the DNS issue be a red herring? What could account for this different behaviour?

0 votes

1 answers

1060 views

ANSWER

You should try to see if the http header is not stripped or removed by any network stuff.
10/15/2013



with netcat I've confirmed missing headers from the upstream apache

netcat -vv -l 0.0.0.0 -p 8080
...
Shib-AuthnContext-Decl: 
Shib-Assertion-Count: 
eppn: 
affiliation: 
unscoped-affiliation: 
entitlement: 
targeted-id: 
persistent-id: 
mail: 
Shib-Application-ID: default
REMOTE_USER: 
...

Seems to be a problem with my IdP. https://nuxeo.example.org/Shibboleth.sso/Session shows no attributes passed.

UPDATE: my IdP confirmed the filter rules were wrong and that they are not sending me the attributes.

0 votes