Hello everyone
I have installed an Indico server (the latest version) for an international graduate school at my university. Everything is working fine using the local LDAP authentication, but I need to access the French RENATER eduGAIN Shibboleth federation as an SP provider.
Following the documentation, I have configured both the Apache Shibboleth module and Indico.
I can connect to the RENATER discovery service, select my university and log in with my university ID, but when I get back to Indico, I receive "Login Failed: no valid data received", and in indico.log:
ERROR b68002ab64ae4bcf - indico.auth Authentication via shib-sso failed: No valid data received (None)
In the Apache Shibboleth log file, transaction.log, I got:
2023-11-19 18:01:22|Shibboleth-TRANSACTION.AuthnRequest|||urn:mace:cru.fr:federation:univ-lyon1.fr||||||urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect||||||
2023-11-19 18:01:47|Shibboleth-TRANSACTION.Login|2747@univ-lyon1.fr|_201ad4d23828f016c46d5f49f85e1e15|urn:mace:cru.fr:federation:univ-lyon1.fr|_56c52975e8831bfeed5757dc19510529|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|2023-11-19T18:01:39|eppn(1),givenName(1),mail(1),sn(1)|AAdzZWNyZXQxmjjedYmsGkBRB00p1XewbBqPZEwCvlzjqMXaek/Q7cBajAnxnTyBifRtC/Kv0XiWbMJpUQrxEOvib4IyRgbcUqQ8/p11s5lL/7x/uXDw1Er8ZLMn0voIFItWSZMBt1JWFoKcxMXN+wBYuRsXFy1gQF8jYOg6H5ypoXokSaU=|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||urn:oasis:names:tc:SAML:2.0:status:Success|||Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36|172.29.16.183
As the status is Success, it seems that the authentication with Apache Shibboleth works.
So the problem seems to be between Apache Shibboleth and Indico.
My indico.conf is:
    # LDAP and SSO (default LDAP)
    AUTH_PROVIDERS = {
        'ldap': {
            'type': 'ldap',
            'title': 'Compte Lyon1 (LDAP)',
            'ldap': _ldap_config,
            'default': True
        },
        'shib-sso': {
            'type': 'shibboleth',
            'title': 'Autre établissement (eduGAIN)',
            'attrs_prefix': 'ADFS_',
            'callback_uri': '/login/shib-sso/shibboleth',
            # 'logout_uri': 'https://login.yourcompany.tld/logout'
        }
    }

    IDENTITY_PROVIDERS = {
        'ldap': {
            'type': 'ldap',
            'title': 'LDAP',
            'ldap': _ldap_config,
            'mapping': {
                'first_name': 'givenName',
                'last_name': 'sn',
                'email': 'mail',
                # 'affiliation': 'company',
                # 'phone': 'telephoneNumber'
            },
            'affiliation': 'Université Claude Bernard Lyon 1',
            'trusted_email': True,
            # 'synced_fields': {'first_name', 'last_name', 'affiliation', 'phone', 'address'}
            'synced_fields': {'first_name', 'last_name'}
        },
        'shib-sso': {
            'type': 'shibboleth',
            'title': 'SSO',
            # 'identifier_field': 'ADFS_LOGIN',
            'mapping': {
                # 'first_name': 'ADFS_GIVENNAME',
                # 'last_name': 'ADFS_SN',
                # 'email': 'ADFS_MAIL',
                'first_name': 'givenName',
                'last_name': 'sn',
                'email': 'mail',
                # 'affiliation': 'eduPersonScopedAffiliation',
                # 'phone': 'ADFS_PHONENUMBER'
            },
            'trusted_email': True,
            # 'synced_fields': {'first_name', 'last_name'}
        }
    }
Any help will be highly appreciated.
Marc
PS: I have read an old discussion by mbile in the administrators section from Jan 2021, but it does not help.
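A small diagnostic, added here as an example and not code from Indico, flask-multipass or the post above, that checks a Shibboleth hand-off against an `attrs_prefix` and an identity `mapping` such as the ones in the indico.conf shown. It assumes (an assumption, not something the post confirms) that the SP passes released attributes to the application as request environment variables and that the application only considers variables whose names start with `attrs_prefix`; the environment below is constructed from the attribute names listed in the transaction.log line (eppn, givenName, mail, sn) with made-up values.

```python
# Added diagnostic example; not Indico's or flask-multipass's own code.
# Assumption: the application keeps only environment variables whose name
# starts with attrs_prefix, then resolves each mapping value among them.

def collect_shib_attributes(environ, attrs_prefix):
    """Return the environment entries a prefix-based hand-off would keep."""
    return {k: v for k, v in environ.items() if k.startswith(attrs_prefix)}


def diagnose(environ, attrs_prefix, mapping):
    """Return (ok, detail) explaining whether a login would get usable data.

    detail['seen'] lists the attributes kept, detail['missing'] the mapped
    fields whose attribute name is not among them, detail['reason'] a summary.
    """
    attrs = collect_shib_attributes(environ, attrs_prefix)
    if not attrs:
        return False, {'seen': {}, 'missing': sorted(mapping),
                       'reason': f'no environment variable starts with {attrs_prefix!r}'}
    missing = sorted(field for field, name in mapping.items() if name not in attrs)
    reason = 'ok' if not missing else 'mapping names not among received attributes'
    return not missing, {'seen': attrs, 'missing': missing, 'reason': reason}


# Constructed environment: attribute ids as the SP released them, no prefix.
SAMPLE_ENVIRON = {
    'eppn': '2747@univ-lyon1.fr',          # constructed sample values
    'givenName': 'Marc',
    'sn': 'Example',
    'mail': 'marc.example@univ-lyon1.fr',
    'REMOTE_ADDR': '172.29.16.183',
}
MAPPING = {'first_name': 'givenName', 'last_name': 'sn', 'email': 'mail'}

# Constructed variant where the SP attribute ids carry the ADFS_ prefix and
# the mapping names those prefixed ids; both sides then agree.
PREFIXED_ENVIRON = {'ADFS_' + k: v for k, v in SAMPLE_ENVIRON.items()
                    if k != 'REMOTE_ADDR'}
PREFIXED_ENVIRON['REMOTE_ADDR'] = SAMPLE_ENVIRON['REMOTE_ADDR']
PREFIXED_MAPPING = {field: 'ADFS_' + name for field, name in MAPPING.items()}

if __name__ == '__main__':
    print(diagnose(SAMPLE_ENVIRON, 'ADFS_', MAPPING))            # (False, ...)
    print(diagnose(PREFIXED_ENVIRON, 'ADFS_', PREFIXED_MAPPING))  # (True, ...)
```

Run it against a dump of the real request environment from the Apache side to see which of the two situations applies before changing either attribute-map.xml or indico.conf.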