Shibboleth authentication not triggered by jicofo

Hi,

we are running a Jitsi system which needs authentication for creation of the rooms. Until now we used dedicated local accounts, but we want to access an AD. We tested ldap2 and it worked, but it created a lot of effort for the network connection. We decided to give SAML a try.

I set up a new single small test system from the ground up with the latest Jitsi version and configured the login. It worked without any problem. Then I used the documentation https://github.com/jitsi/jicofo/blob/master/doc/shibboleth.md to set up Shibboleth. After some small changes in the nginx config, because the regular expression priority was too low, I was able to handle the metadata files in both directions and connect and log into the IdP by using /login or /Shibboleth.sso/Login.

Then I tried it with Jitsi and it did not work. The result was exactly the same as described here: https://community.jitsi.org/t/struggling-with-shibboleth-auth-in-update-2-0-5765/97824. If I press the button in the login box, I get the try-to-connect message and that's it. I do not see any connection over nginx to log in over Shibboleth into the IdP, and quite clearly also no transaction in Shibboleth. I also saw a lot of focus requests. As mentioned, it is exactly the same behaviour as described in the linked problem, but if I understand it right this was fixed a long time ago.

jicofo.conf

jicofo.txt (548 Bytes)

jicofo Sip-communicator

sip-communicator.txt (148 Bytes)

Prosody config

test.de.cfg.txt (4.8 KB)

I didn't change a lot in the Jitsi config. I expect that I missed something. Any help would be really appreciated.

@Damien_FETIS have you been testing latest releases, is shibboleth working?

@Midon My advice is to use JWT tokens: you can have any authentication that produces a token, which you can then pass to the iframe API. This is the method we use, and it is the one being tested regularly and cannot break. Unfortunately, code paths such as secure domain and Shibboleth rot and we break them from time to time, as we do not use them in our environments.

Hi @damencho, the last stable version of Jitsi (2.0.6726-1) works well with the Shibboleth authentication.

@Midon look at your Shibboleth log when you try your auth. By default the first nginx request to the Shibboleth SP is not logged in the access.log.
You can also use the "SAML-tracer" browser extension to record the SAML requests made by your browser to see where you have an issue in your auth process.
But @damencho's advice to use the JWT token and the iframe API is very good advice (it's also the advice of Emil in this recent community call: Jitsi Community Call - YouTube).
If you really want to use SAML you can put a SAML service provider in front of your JWT token server.

Regards,
Damien

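The JWT route recommended in the two replies above, as an added example that is not from this thread or from the Jitsi project: a stdlib-only Python sketch of the token server that would sit behind the SAML service provider, minting an HS256 token in the claim layout jitsi-meet's token plugin expects from the identity the SP asserted, plus the verification a token consumer should do. APP_ID, APP_SECRET and MEET_DOMAIN are placeholders assumed to match the prosody token settings.

```python
import base64
import hashlib
import hmac
import json
import time

# Placeholders: must match the app_id / app_secret configured in prosody's token auth.
APP_ID = "jitsi-test-app"
APP_SECRET = b"replace-with-a-long-random-secret"
MEET_DOMAIN = "meet.example.org"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jitsi_jwt(remote_user, display_name, email, room="*", ttl=3600, now=None):
    """Mint the token the web page passes as the `jwt` option of JitsiMeetExternalAPI.
    remote_user is whatever the SAML SP asserted (e.g. REMOTE_USER set by Shibboleth);
    the token server never sees a password, only the SP-authenticated identity."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": APP_ID, "aud": "jitsi", "sub": MEET_DOMAIN, "room": room,
        "iat": now, "nbf": now, "exp": now + ttl,
        "context": {"user": {"id": remote_user, "name": display_name, "email": email}},
    }
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(APP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jitsi_jwt(token, now=None):
    """Pin the algorithm, check the HMAC in constant time, then audience, issuer and expiry.
    Returns the claims on success, None on any failure."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        if header.get("alg") != "HS256":  # refuse alg=none and key-confusion tokens
            return None
        expected = hmac.new(APP_SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None
        claims = json.loads(_b64url_decode(p64))
    except (ValueError, UnicodeDecodeError):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("aud") != "jitsi" or claims.get("iss") != APP_ID or claims.get("exp", 0) <= now:
        return None
    return claims
```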

@damencho @Damien_FETIS Many thanks for your suggestions. Will discuss this with the guys from AD.