Jitsi Meet (Web) with Shibboleth and Jitsi App (android or ios) with Ldap

Hi,
I've already configured a working version of jitsi meet with shibboleth.
But I would also like to have the jitsi app (I'm using android) with authentication (to ldap/ad).
The app is working if the conference has already been initiated, but from the app I can't initiate a new one.
Obviously the user cannot log in.
Do you have any ideas to get this scenario working?
Thanks,
Jens


Same here. App not usable to create rooms if shibb auth is enabled.


Hi,
I've tried to add an additional vhost, for example mobile.jitsi.example.com, and created certs and mapped authentication to ldap2. I also placed a working ldap.conf.lua.
The authentication seems to be working (prosody.log):

info Authenticated as username@mobile.jitsi.example.com
info BOSH client disconnected: session close

But I think the jicofo part with the

org.jitsi.jicofo.auth.URL=shibboleth:default

makes it hard to login.
Thanks,
Jens

I have the same issue. Opened https://github.com/jitsi/jitsi-meet/issues/6391

Hi Jens,

Any recommendations on instructions to get Jitsi + Shibboleth SSO working?

Regards,
ANx

I have Jitsi working with LDAP auth. Now I’m trying to get Keycloak(idP)/Shibboleth(SP) SSO working.

apache(internet)—> apache(LAN)—> jitsi(jetty)

apache(LAN) and jitsi(jetty) are the same machine

[/etc/jitsi/jicofo/sip-communicator.properties]

org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.jitsi.domain.net
org.jitsi.jicofo.auth.URL=XMPP:jitsi.domain.net
org.jitsi.jicofo.auth.URL=shibboleth:default
org.jitsi.jicofo.auth.LOGOUT_URL=shibboleth:default

[/etc/apache2/sites-enabled/jitsi.domain.net.conf]

<Location /login>
AuthType shibboleth
Require valid-user
Sethandler shib
ShibUseHeaders On
ShibRequestSetting requireSession On
ShibRequestSetting redirectToSSL 443
RequestHeader set mail "%{mail}s"
RequestHeader set displayName "%{uid}s"
ProxyPass http://localhost:8888/login
ProxyPassReverse http://localhost:8888/login
</Location>

Maybe I don't know what to expect, but after accessing https://jitsi.domain.net/login, it redirects me to the Keycloak login page and then back to jitsi, but I still see the 'I'm the host' pop-up. When I click it and provide the username/password, it fails with connection.GET_SESSION_ID_ERROR.

It was my expectation that I should not see the 'I'm the host' pop-up after successfully authenticating to the idP.

I believe the mail and displayName headers are not reaching jetty…

Help much appreciated.
ANx

Sorry for not responding directly, but I will.


My apache conf looks like this:

  <Location /login>
    AuthType shibboleth
    ShibRequestSetting requireSession true
    ShibUseHeaders On
    Require valid-user
    SetHandler shib
    ProxyPass http://localhost:8888/login
    ProxyPassReverse http://localhost:8888/login
  </Location>

I hope your shibboleth config is working well?

You cannot use two auth.URL entries in sip-communicator.properties; only one will work.
That is why I've opened this topic. :wink:

The behavior is a bit unexpected: if you are the first one (the person who opens the meeting), then you will be redirected to the login page and need to authenticate (or already be authenticated). Then you'll get to a blank page with another redirect to your meeting.

But only on the web-page. It doesn’t work with the client.

There is also no need to configure ldap in prosody because the shib-plugin will not use that.

I’ve configured at my VirtualHost “jitsy.domain.net” the authentication to “anonymous”.

I hope, you can understand my message.

Regards,
Jens
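An added sanity check for the duplicate auth.URL point above (example code, not part of the thread or of Jitsi): it parses a sip-communicator.properties text the way java.util.Properties does (last value of a repeated key wins), lists repeated keys and reports which auth scheme jicofo will actually use. The sample file is constructed from the one posted above; hostnames are placeholders.

```python
"""Check a jicofo sip-communicator.properties file for repeated keys.
java.util.Properties keeps the LAST value of a repeated key, so a second
org.jitsi.jicofo.auth.URL line silently replaces the first one."""
import re
from typing import Dict, List, Tuple

# Constructed sample mirroring the file posted above (hostnames are placeholders).
SAMPLE = """\
org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.jitsi.domain.net
org.jitsi.jicofo.auth.URL=XMPP:jitsi.domain.net
org.jitsi.jicofo.auth.URL=shibboleth:default
org.jitsi.jicofo.auth.LOGOUT_URL=shibboleth:default
"""

# key, optional '=' or ':' separator, value (line continuations are not handled;
# jicofo's file does not use them)
_KV = re.compile(r"^\s*([^#!=:\s][^=:\s]*)\s*[=:]?\s*(.*?)\s*$")

def parse_properties(text: str) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Return (effective value per key, every value seen per key).
    Effective values follow java.util.Properties semantics: last one wins."""
    effective: Dict[str, str] = {}
    seen: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue  # blank line or comment
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        seen.setdefault(key, []).append(value)
        effective[key] = value
    return effective, seen

def duplicate_keys(text: str) -> Dict[str, List[str]]:
    """Keys that appear more than once, with every value given for them."""
    _, seen = parse_properties(text)
    return {k: v for k, v in seen.items() if len(v) > 1}

def auth_scheme(text: str) -> str:
    """Scheme jicofo will actually use ('XMPP', 'shibboleth', ...) or '' if unset."""
    effective, _ = parse_properties(text)
    return effective.get("org.jitsi.jicofo.auth.URL", "").split(":", 1)[0]

if __name__ == "__main__":
    for key, values in duplicate_keys(SAMPLE).items():
        print(f"{key} is set {len(values)} times; jicofo uses {values[-1]!r}")
    print("effective auth scheme:", auth_scheme(SAMPLE))
```

Run it against your own file with `parse_properties(open("/etc/jitsi/jicofo/sip-communicator.properties").read())`; an empty result from duplicate_keys means jicofo sees exactly the values you intended.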

Hi Jens,

Thank you so much for your time.

I’ve made the changes according to your suggestion, including only one auth.URL - this was silly from my end:

/etc/jitsi/jicofo/sip-communicator.properties

org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.jitsy.domain.net
org.jitsi.jicofo.auth.URL=shibboleth:default
org.jitsi.jicofo.auth.LOGOUT_URL=shibboleth:default

/etc/apache2/sites-enabled/jitsy.domain.net.conf

...
  <Location /login>
    AuthType shibboleth
    ShibRequestSetting requireSession On
    ShibUseHeaders On
    Require valid-user
    Sethandler shib
    ProxyPass http://localhost:8888/login
    ProxyPassReverse http://localhost:8888/login
  </Location>
...

Restarted relevant services…

service shibd restart; service jicofo restart; service apache2 restart

NOTE1) My LDAP was already in place before I started the efforts to have SSO. I’m assuming that leaving it as it is should not conflict with what I’m trying to achieve right?

NOTE2) The displayName is not among the variables retrieved from my idP, that's why I was injecting it with RequestHeader set displayName "%{uid}s" before redirecting to http://localhost:8888/login. Removed now…

Unfortunately, the behaviour is the same:

  1. Navigate to https://jitsi.domain.net/login
  2. Redirected to Keycloak login
  3. After successful login, I’m being redirected back to https://jitsi.domain.net/login - it looks like I’m attending a meeting called login
  4. If I click on I'm the host button and supply valid username/password, I will get that same error: connection.GET_SESSION_ID_ERROR

Any more suggestions?

Thanks in advance for your patience
ANx

Do you set the REMOTE_USER variable in shib?

Yes, I did

<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
     xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
       xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
      clockSkew="180">

    <ApplicationDefaults entityID="jitsi.domain.net"
        REMOTE_USER="mail"
        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">

        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https">

	    <SSO entityID="https://sso.domain.net/auth/realms/family">SAML2</SSO>

	    <Logout>SAML2 Local</Logout>

	    <Handler type="MetadataGenerator" Location="/Metadata" signing="true"/>

            <Handler type="Status" Location="/Status"/>

            <Handler type="Session" Location="/Session" showAttributeValues="false"/>

            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <Errors supportContact="root@localhost" helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/>

	<MetadataProvider type="XML" validate="true" url="https://sso.domain.net/auth/realms/family/protocol/saml/descriptor"/>

	<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

	<AttributeResolver type="Query" subjectMatch="true"/>

        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <CredentialResolver type="File" key="shibb-signing.key" certificate="shibb-signing.crt"/>

    </ApplicationDefaults>

    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>

Here is the first part of my meet.domain.net.cfg.lua in /etc/prosody/conf.d:

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

network_backend = "epoll";

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "meet.domain.net";

turncredentials_secret = "secret";

turncredentials = {
  { type = "stun", host = "meet.domain.net", port = "443" },
  { type = "turn", host = "meet.domain.net", port = "443", transport = "udp" },
  { type = "turns", host = "meet.domain.net", port = "443", transport = "tcp" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;

VirtualHost "meet.domain.net"
        -- enabled = false -- Remove this line to enable this host
        authentication = "anonymous"
        -- Properties below are modified by jitsi-meet-tokens package config
        -- and authentication above is switched to "token"
        --app_id="example_app_id"
        --app_secret="example_app_secret"
        -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
        ssl = {
                key = "/etc/prosody/certs/meet.domain.net.key";
                certificate = "/etc/prosody/certs/meet.domain.net.crt";
        }
        speakerstats_component = "speakerstats.domain.net"
        conference_duration_component = "conferenceduration.meet.domain.net"
        -- we need bosh
        modules_enabled = {
            "bosh";
            "pubsub";
            "ping"; -- Enable mod_ping
            "speakerstats";
            "turncredentials";
            "conference_duration";
        }
        c2s_require_encryption = false

I don’t know if keeping ldap in place will work. If you can please try to not use the ldap auth in prosody.

I think if prosody is trying to auth against ldap I didn't get the credentials from shib.

Also you should first call a new meeting like https://jitsi.domain.net/testmeeting or something like that and then click on I'm the host.

Remove ldap config and authentication = "anonymous"

If I remember correctly the displayName and mail attributes aren’t mapped to the variables in jitsy.

And?

Don't forget to restart prosody :wink:
service prosody restart

Made the changes under /etc/prosody/conf.d and restarted all services as before and now prosody as well

:frowning: still prompting for username and password after clicking I’m the host. After supplying username and password, I’m now getting invalid username/password.

So you are saying that displayName and mail should not have any special treatment before redirect?

With the displayName and mail attribute I don't know the actual status.
But there are some reports like: https://github.com/jitsi/jitsi-meet/issues/5018
that seem to be still open.