shibboleth problem on one host
I have 3 hosts where I'm trying to set up Shibboleth and Nuxeo: -dev, -stg, and production.
It works on -dev and -stg; it does not work on production. On production, it looks like it is doing something similar to a report last October where Nuxeo is not able to pick up the Shibboleth information from the request and ends up in an endless loop.
DNS difference between -dev/-stg and production
nuxeo-dev.example.org and nuxeo-stg.example.org are DNS A records to the IP address of the VM. nuxeo.example.org, my production VM, is a DNS CNAME to xyz-nuxeo-p01.example.edu. This is the only difference I can see between production and the other environments. Production is run by a different group, and getting them to change the DNS setup to match -dev/-stg is not an option.
when it fails
If I turn up org.nuxeo.ecm.platform.ui.web.auth to TRACE in log4j.xml, on production I see:
2013-10-14 20:25:50,610 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Entering Nuxeo Authentication Filter
2013-10-14 20:25:50,611 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Principal not found inside Request via getUserPrincipal
2013-10-14 20:25:50,611 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Try getting authentication from cache
2013-10-14 20:25:50,612 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIdentification using plugin SHIB_AUTH
2013-10-14 20:25:50,612 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIdentification using plugin BASIC_AUTH
2013-10-14 20:25:50,612 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] user/password not found in request, try into identity cache
or, without the timestamps and logger names:
Entering Nuxeo Authentication Filter
Principal not found inside Request via getUserPrincipal
Try getting authentication from cache
Trying to retrieve userIdentification using plugin SHIB_AUTH
Trying to retrieve userIdentification using plugin BASIC_AUTH
user/password not found in request, try into identity cache
when it works
When it works (tar'ing up the same exact files onto -dev or -stg), the log shows:
Entering Nuxeo Authentication Filter
Principal not found inside Request via getUserPrincipal
Try getting authentication from cache
Trying to retrieve userIdentification using plugin SHIB_AUTH
[ShibbolethAuthenticationPlugin] Failed to get or create user entry ... java.lang.NullPointerException ...
User/Password found as parameter of the request
Exit Nuxeo Authentication filter
Entering Nuxeo Authentication Filter
Principal not found inside Request via getUserPrincipal
Try getting authentication from cache
userIdent found in cache, get the Principal from it without reloggin
Principal = Brian.T@example.org
Exit Nuxeo Authentication filter
Entering Nuxeo Authentication Filter
Principal not found inside Request via getUserPrincipal
Try getting authentication from cache
userIdent found in cache, get the Principal from it without reloggin
Principal = Brian.T@example.org
Exit Nuxeo Authentication filte
what I've tried
- I've tried to edit the server.xml for Tomcat so that host=nuxeo.example.org
- I've tried to set nuxeo.url=http://nuxeo.example.org:8080/nuxeo
- I've tried to set RequestHeader append nuxeo-virtual-host "https://myDomainName/" and turn ProxyPreserveHost On
- tested on 5.6, 5.7.2, and 5.7.3
what next?
I'm not sure what to try next. Could the DNS issue be a red herring? What could account for this different behaviour?
With netcat I've confirmed missing headers from the upstream Apache:
netcat -vv -l 0.0.0.0 -p 8080
...
Shib-AuthnContext-Decl:
Shib-Assertion-Count:
eppn:
affiliation:
unscoped-affiliation:
entitlement:
targeted-id:
persistent-id:
mail:
Shib-Application-ID: default
REMOTE_USER:
...
Seems to be a problem with my IdP. https://nuxeo.example.org/Shibboleth.sso/Session shows no attributes passed.
UPDATE: my IdP confirmed the filter rules were wrong and that they are not sending me the attributes.
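The netcat check above can be turned into a repeatable test of what the upstream Apache actually forwards. The following is an added example, not code from the post or from Nuxeo: it parses a raw HTTP request captured with a listener like netcat and reports which Shibboleth attribute headers arrived empty or not at all; the sample requests and the expected-header list are constructed here from the capture in the post.

```python
from typing import Dict, List, Tuple

# Attribute headers the backend expects mod_shib/Apache to populate.
# Constructed from the names visible in the netcat capture above.
EXPECTED_SHIB_HEADERS = [
    "eppn", "affiliation", "unscoped-affiliation", "entitlement",
    "targeted-id", "persistent-id", "mail", "REMOTE_USER",
]


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Return the headers of a raw HTTP request, names lower-cased."""
    headers: Dict[str, str] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # lines[0] is the request line
        if not line.strip():        # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def missing_shib_attributes(raw: str) -> Tuple[List[str], List[str]]:
    """Return (absent, empty): expected headers not sent, and sent blank."""
    headers = parse_request_headers(raw)
    absent = [h for h in EXPECTED_SHIB_HEADERS if h.lower() not in headers]
    empty = [h for h in EXPECTED_SHIB_HEADERS
             if h.lower() in headers and headers[h.lower()] == ""]
    return absent, empty


def identity_forwarded(raw: str) -> bool:
    """True when the SP passed a usable identity (eppn or REMOTE_USER)."""
    headers = parse_request_headers(raw)
    return bool(headers.get("eppn") or headers.get("remote_user"))


# Constructed sample: what production showed (attributes present but blank,
# several not sent at all), and what a working -dev capture would look like.
SAMPLE_BROKEN = ("GET /nuxeo/ HTTP/1.1\r\nHost: nuxeo.example.org\r\n"
                 "Shib-Application-ID: default\r\neppn:\r\naffiliation:\r\n"
                 "mail:\r\nREMOTE_USER:\r\n\r\n")
SAMPLE_OK = ("GET /nuxeo/ HTTP/1.1\r\nHost: nuxeo-dev.example.org\r\n"
             "Shib-Application-ID: default\r\neppn: Brian.T@example.org\r\n"
             "affiliation: member\r\nmail: Brian.T@example.org\r\n"
             "REMOTE_USER: Brian.T@example.org\r\n\r\n")

if __name__ == "__main__":
    print(missing_shib_attributes(SAMPLE_BROKEN), identity_forwarded(SAMPLE_BROKEN))
```

Run it against a real capture by pasting the request text into a file and calling missing_shib_attributes on its contents; an empty REMOTE_USER or eppn is the condition under which the SHIB_AUTH plugin finds nothing and the filter falls through to BASIC_AUTH as in the production log.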