We want to implement Shibboleth authentication using Apache as the web server.
The Shibboleth part is working; the client gets authenticated by the IDP.
When I get redirected to
`/login/?machineUID=1ac27ccdf7d7c1b98414b977a72bcc70&room=malevolentdolphinsterminateimpolitely@conference.{mydomain}&close=false`
I get a 404 Not Found page from Jetty.
Apache config should be fine, since Shibboleth is working and Apache gets a response from the proxied Jetty.
Could you please help troubleshoot this? I will provide the necessary logs.
```
Jicofo 2020-03-06 11:42:26.018 FINE: [26] org.eclipse.jetty.server.Server.handle() REQUEST GET /login/ on HttpChannelOverHttp@1c7141dd{r=1,c=false,c=false/false,a=DISPATCHED,uri=//{ourdomain}/login/?machineUID=1ac27ccdf7d7c1b98414b977a72bcc70&room=nervousgorillasfragmenthysterically@conference.{ourdomain}&close=false,age=7}
Jicofo 2020-03-06 11:42:26.018 FINE: [26] org.eclipse.jetty.server.handler.ContextHandler.doScope() scope null||/login/ @ o.e.j.s.ServletContextHandler@70de6594{/,null,AVAILABLE}
Jicofo 2020-03-06 11:42:26.019 FINE: [26] org.eclipse.jetty.server.handler.ContextHandler.doScope() context=||/login/ @ o.e.j.s.ServletContextHandler@70de6594{/,null,AVAILABLE}
Jicofo 2020-03-06 11:42:26.019 FINE: [26] org.eclipse.jetty.servlet.ServletHandler.doScope() servlet ||/login/ -> org.glassfish.jersey.servlet.ServletContainer-5e6a026@15842c8b==org.glassfish.jersey.servlet.ServletContainer,jsp=null,order=-1,inst=true,async=true
Jicofo 2020-03-06 11:42:26.020 FINE: [26] org.eclipse.jetty.servlet.ServletHandler.doHandle() chain=null
Jicofo 2020-03-06 11:42:26.055 FINE: [26] org.glassfish.jersey.server.ServerRuntime$Responder.mapException() WebApplicationException (WAE) with no entity thrown and no ExceptionMappers have been found for this WAE. Response with status 404 is directly generated from the WAE.
javax.ws.rs.NotFoundException: HTTP 404 Not Found
    at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:250)
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
    at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
    at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:232)
    at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:680)
    at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:392)
    at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:346)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:365)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:318)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:542)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
    at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:61)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.Server.handle(Server.java:502)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
    at java.lang.Thread.run(Thread.java:748)
Jicofo 2020-03-06 11:42:26.064 FINE: [26] org.eclipse.jetty.server.HttpChannel.sendResponse() sendResponse info=null content=DirectByteBuffer@6cc7b8f6[p=0,l=323,c=32768,r=323]={<<<\n\n<me…/body>\n\n>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00…\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00} complete=true committing=true callback=Blocker@13c209db{null}
Jicofo 2020-03-06 11:42:26.064 FINE: [26] org.eclipse.jetty.server.HttpChannel.commit() COMMIT for /login/ on HttpChannelOverHttp@1c7141dd{r=1,c=true,c=false/false,a=DISPATCHED,uri=//meet.{ourdomain}/login/?machineUID=1ac27ccdf7d7c1b98414b977a72bcc70&room=nervousgorillasfragmenthysterically@conference.meet.{ourdomain}&close=false,age=53}
404 Not Found HTTP/1.1
```
No help from our side, but we are experiencing exactly the same. I have used the stable version (Jicofo 508) and based on this https://github.com/jitsi/jicofo/issues/404 issue, we upgraded to nightly (524). The error persists (and the redirect URL seems to be mangled with some commented-out stuff).
I can confirm that downgrading to 2019-08 debian packages worked.
Here is the apache config for shibboleth in case someone is looking for it.
```apache
<Location /login>
    AuthType shibboleth
    ShibRequestSetting requireSession true
    ShibUseHeaders On
    Require valid-user
    SetHandler shib
    ProxyPass http://localhost:8888/login
    ProxyPassReverse http://localhost:8888/login
</Location>
```
Not sure if this is the same problem, but I get a 404 on /login after being authenticated by our Shibboleth IDP too.
My nginx config:
```nginx
server {
    listen 443 ssl;
    server_name testdomain.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers .....
    add_header Strict-Transport-Security "max-age=31536000";
    ssl_certificate /etc/nginx/ssl/testdomain_com.crt;
    ssl_certificate_key /etc/nginx/ssl/testdomain_com.key;
    root /usr/share/jitsi-meet;
    ssi on;
    index index.html index.htm;
    error_page 404 /static/404.html;

    location = /config.js {
        alias /etc/jitsi/meet/testdomain.com-config.js;
    }

    location = /external_api.js {
        alias /usr/share/jitsi-meet/libs/external_api.min.js;
    }

    # ensure all static content can always be found first
    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
    {
        add_header 'Access-Control-Allow-Origin' '*';
        alias /usr/share/jitsi-meet/$1/$2;
    }

    # BOSH
    location = /http-bind {
        proxy_pass http://localhost:5280/http-bind;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }

    location ~ ^/([^/?&:'"]+)$ {
        try_files $uri @root_path;
    }

    location @root_path {
        rewrite ^/(.*)$ / break;
    }

    # Shibboleth
    location = /shibauthorizer {
        internal;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/shibboleth/shibauthorizer.sock;
    }

    location /Shibboleth.sso {
        include fastcgi_params;
        fastcgi_pass unix:/var/run/shibboleth/shibresponder.sock;
    }

    location /shibboleth-sp {
        alias /usr/share/shibboleth/;
    }

    # Login location where Jicofo servlet is running
    location /login {
        shib_request_use_headers on;
        more_clear_input_headers 'Variable-*' 'Shib-*' 'Remote-User' 'REMOTE_USER' 'Auth-Type' 'AUTH_TYPE';
        more_clear_input_headers 'displayName' 'mail' 'persistent-id';
        shib_request /shibauthorizer;
        proxy_pass http://127.0.0.1:8888;
    }
}
```
System is Ubuntu 18.04 LTS:

```
ii jitsi-meet 1.0.4101-1 all WebRTC JavaScript video conferences
ii jitsi-meet-prosody 1.0.3729-1 all Prosody configuration for Jitsi Meet
ii jitsi-meet-web 1.0.3729-1 all WebRTC JavaScript video conferences
ii jitsi-meet-web-config 1.0.3729-1 all Configuration for web serving of Jitsi Meet
ii jitsi-videobridge 1126-1 amd64 WebRTC compatible Selective Forwarding Unit (SFU)
ii nginx 1.16.1-1~bionic amd64 high performance web server
ii nginx-module-headersmore 1.16.1-1~bionic amd64 nginx headersmore dynamic module
ii nginx-module-shibboleth 1.16.1-1~bionic amd64 nginx shibboleth dynamic module
```
Setting shib_request_use_headers on; didn’t help in my case.
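An added example, not part of the original posts: with `shib_request_use_headers on`, Shibboleth attributes reach Jicofo as request headers, so the same location has to clear any client-supplied copies first, as the `/login` block above does with `more_clear_input_headers`. The check below flags locations that skip this; the second sample block, the `/login-unchecked` path and the choice of trusted header names are assumptions made for the example.

```python
import fnmatch
import re
import shlex

# Constructed sample: the /login block from the post above, plus a second,
# hypothetical block that forgets to clear the attribute headers.
SAMPLE_CONF = """
location /login {
    shib_request_use_headers on;
    more_clear_input_headers 'Variable-*' 'Shib-*' 'Remote-User' 'REMOTE_USER' 'Auth-Type' 'AUTH_TYPE';
    more_clear_input_headers 'displayName' 'mail' 'persistent-id';
    shib_request /shibauthorizer;
    proxy_pass http://127.0.0.1:8888;
}
location /login-unchecked {
    shib_request_use_headers on;
    more_clear_input_headers 'Variable-*' 'Shib-*';
    shib_request /shibauthorizer;
    proxy_pass http://127.0.0.1:8888;
}
"""

def location_blocks(conf):
    """Yield (path, body) for each location block without nested braces."""
    for m in re.finditer(r"location\s+([^{]+?)\s*\{([^{}]*)\}", conf):
        yield m.group(1), m.group(2)

def cleared_patterns(body):
    """Collect every header pattern passed to more_clear_input_headers."""
    patterns = []
    for args in re.findall(r"more_clear_input_headers\s+([^;]+);", body):
        patterns += [p.lower() for p in shlex.split(args)]
    return patterns

def uncleared_headers(conf, trusted=("mail",)):
    """Map location -> trusted headers forwarded without being cleared."""
    findings = {}
    for path, body in location_blocks(conf):
        if not re.search(r"shib_request_use_headers\s+on\s*;", body):
            continue  # attributes are not passed as request headers here
        patterns = cleared_patterns(body)
        missing = [h for h in trusted
                   if not any(fnmatch.fnmatchcase(h.lower(), p) for p in patterns)]
        if missing:
            findings[path] = missing
    return findings

if __name__ == "__main__":
    print(uncleared_headers(SAMPLE_CONF, trusted=("mail", "displayName")))
```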
I downgraded only jicofo deb package to version 1.0-481-1, not the other jitsi debian packages like jitsi-meet, jitsi-meet-prosody, jitsi-meet-web*, jitsi-videobridge. Would that be stable or do I have to downgrade each of them?
```
dpkg -l | grep ji
ii jicofo 1.0-567-1 all JItsi Meet COnference FOcus
```
but I am getting a 500 error
## HTTP ERROR 500
Problem accessing /login/. Reason:
Attribute 'mail' not provided - check server configuration
[Powered by Jetty:// 9.4.15.v20190215](http://eclipse.org/jetty)
Any help will be greatly appreciated.

nginx conf:

```nginx
server {
    listen 443 ssl;
    server_name jitsi-meet.MYDOMAIN.com;
    include /config/nginx/ssl.conf;
    include /config/nginx/meet.conf;
}
```
It was my problem: I wasn’t mapping the attributes correctly in Shibboleth.
Now that I mapped the attributes, if I go to a room as a logged-out user and click “I am the host”, I get a plain error 500.
If I log in manually with the link jitsi-meet.mydomain.com/Shibboleth.sso/Login, and then go to a room and click “I am the host”, it works.
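An added example, not part of the original posts: the "Attribute 'mail' not provided" error above was traced to attribute mapping, so this check reads a Shibboleth SP attribute map and reports whether the mail attribute is exported under the id `mail`. It assumes the mapping lives in the SP's `attribute-map.xml` and that the IdP releases mail under its standard SAML names; the three sample maps are constructed.

```python
import xml.etree.ElementTree as ET

NS = "{urn:mace:shibboleth:2.0:attribute-map}"
# Standard SAML 2 (OID) and SAML 1 names for the mail attribute.
MAIL_NAMES = {"urn:oid:0.9.2342.19200300.100.1.3",
              "urn:mace:dir:attribute-def:mail"}

# Constructed samples of attribute-map.xml content.
MAP_UNMAPPED = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"/>
  <!-- <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/> -->
</Attributes>"""

MAP_WRONG_ID = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="email"/>
</Attributes>"""

MAP_OK = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
</Attributes>"""

def mail_mapping_status(xml_text, wanted_id="mail"):
    """Return 'ok', 'unmapped', or 'wrong-id:<ids>' for the mail attribute."""
    root = ET.fromstring(xml_text)  # commented-out mappings are ignored
    ids = [a.get("id") for a in root.iter(NS + "Attribute")
           if a.get("name") in MAIL_NAMES]
    if wanted_id in ids:
        return "ok"
    if ids:
        # Mapped, but exported under a different name than the one expected.
        return "wrong-id:" + ",".join(ids)
    return "unmapped"

if __name__ == "__main__":
    for label, sample in (("unmapped", MAP_UNMAPPED),
                          ("wrong id", MAP_WRONG_ID),
                          ("ok", MAP_OK)):
        print(label, "->", mail_mapping_status(sample))
```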