https://connect.hyland.com/t5/nuxeo-forum/shibboleth-problem-on-one-host/m-p/318001#M5002 <P>You should try to see if the http header is not stripped or removed by any network stuff.</P> Tue, 15 Oct 2013 12:15:57 GMT Arnaud_Kervern 2013-10-15T12:15:57Z https://connect.hyland.com/t5/nuxeo-forum/shibboleth-problem-on-one-host/m-p/318000#M5001 <P>I have 3 hosts where I'm trying to set up shibboleth and nuxeo; -dev, -stg, and production.</P> <P>It works on -dev and -stg, it does not work on production. On production, it looks like it is doing something similar to <A href="http://answers.nuxeo.com/questions/4149/shibboleth-configuration">a report last October</A> where nuxeo is not able to pick up the shibboleth information from the request and end up in an endless loop.</P> <P>#DNS difference between -dev/-stg and production</P> <P><CODE>nuxeo-dev.example.org</CODE> and <CODE>nuxeo-stg.example.org</CODE> are DNS <CODE>A</CODE> records to the IP address of the VM.</P> <P><CODE>nuxeo.example.org</CODE>, my production VM, is a DNS <CODE>CNAME</CODE> to <CODE>xyz-nuxeo-p01.example.edu</CODE>. This is the only difference I can see between production and the other environments. Production is run by a different group, and getting them to change the DNS setup to match -dev/-stg is not an option.</P> <P>#when it fails</P> <P>If I turn up <CODE>log4j.xml</CODE> org.nuxeo.ecm.platform.ui.web.auth to TRACE; on production I see:</P> <PRE> 2013-10-14 20:25:50,610 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Entering Nuxeo Authentication Filter 2013-10-14 20:25:50,611 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Principal not found inside Request via getUserPrincipal 2013-10-14 20:25:50,611 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Try getting authentication from cache 2013-10-14 20:25:50,612 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIdentification using plugin SHIB_AUTH 2013-10-14 20:25:50,612 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIdentification using plugin BASIC_AUTH 2013-10-14 20:25:50,612 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] user/password not found in request, try into identity cache </PRE> <P>or</P> <PRE> Entering Nuxeo Authentication Filter Principal not found inside Request via getUserPrincipal Try getting authentication from cache Trying to retrieve userIdentification using plugin SHIB_AUTH Trying to retrieve userIdentification using plugin BASIC_AUTHuser/password not found in request, try into identity cache </PRE> <P>#when it works</P> <P>When it works (tar'ing up the same exact files onto -dev or -stg) the <A href="https://gist.github.com/tingletech/6986346">TRACE logs</A> show something like this:</P> <PRE>Entering Nuxeo Authentication Filter Principal not found inside Request via getUserPrincipal Try getting authentication from cache Trying to retrieve userIdentification using plugin SHIB_AUTH [ShibbolethAuthenticationPlugin] Failed to get or create user entry ... java.lang.NullPointerException ... User/Password found as parameter of the request Exit Nuxeo Authentication filter Entering Nuxeo Authentication FilterPrincipal not found inside Request via getUserPrincipal Try getting authentication from cacheuserIdent found in cache, get the Principal from it without reloggin Principal = Brian.T@example.org Exit Nuxeo Authentication filter Entering Nuxeo Authentication FilterPrincipal not found inside Request via getUserPrincipal Try getting authentication from cacheuserIdent found in cache, get the Principal from it without reloggin Principal = Brian.T@example.org Exit Nuxeo Authentication filte </PRE> <P>#what I've tried</P> <UL> <LI>I've tried to edit the <CODE>server.xml</CODE> for tomcat so that host=nuxeo.example.org</LI> <LI>I've tried to set nuxeo.url=http://nuxeo.example.org:8080/nuxeo</LI> <LI>I've tried to set <CODE>RequestHeader append nuxeo-virtual-host "https://myDomainName/"</CODE> and turn <CODE>ProxyPreserveHost On</CODE></LI> <LI>tested on 5.6, 5.7.2, and 5.7.3</LI> </UL> <P>#what next? I'm not sure what to try next. Could the DNS issue be a red herring? What could account for this different behaviour?</P> Tue, 15 Oct 2013 06:24:31 GMT https://connect.hyland.com/t5/nuxeo-forum/shibboleth-problem-on-one-host/m-p/318000#M5001 Brian_T 2013-10-15T06:24:31Z https://connect.hyland.com/t5/nuxeo-forum/shibboleth-problem-on-one-host/m-p/318001#M5002 <P>You should try to see if the http header is not stripped or removed by any network stuff.</P> Tue, 15 Oct 2013 12:15:57 GMT https://connect.hyland.com/t5/nuxeo-forum/shibboleth-problem-on-one-host/m-p/318001#M5002 Arnaud_Kervern 2013-10-15T12:15:57Z https://connect.hyland.com/t5/nuxeo-forum/shibboleth-problem-on-one-host/m-p/318002#M5003 <P>with netcat I've confirmed missing headers from the upstream apache</P> <PRE> netcat -vv -l 0.0.0.0 -p 8080 ... Shib-AuthnContext-Decl: Shib-Assertion-Count: eppn: affiliation: unscoped-affiliation: entitlement: targeted-id: persistent-id: mail: Shib-Application-ID: default REMOTE_USER: ... </PRE> <P>Seems to be a problem with my IdP. <CODE><A href="https://nuxeo.example.org/Shibboleth.sso/Session" target="test_blank">https://nuxeo.example.org/Shibboleth.sso/Session</A></CODE> shows no attributes passed.</P> <P>UPDATE: my IdP confirmed the filter rules were wrong and that they are not sending me the attributes.</P> Tue, 15 Oct 2013 20:03:40 GMT https://connect.hyland.com/t5/nuxeo-forum/shibboleth-problem-on-one-host/m-p/318002#M5003 Brian_T 2013-10-15T20:03:40Z