Struggling with Shibboleth auth in update 2.0.5765

In the latest release (2.0.5765) I am struggling to get my Shibboleth setup working. I am not sure if I am missing something, but upon clicking “I am organisator” I don't get the expected redirect to SAML (or when already authenticated via a portal); instead the “default” username/password prompt appears.

I moved to jicofo.conf in this version, but have the exact same issue when using the legacy sip-communicator.properties file

Shibboleth (shibd/supervisor/nginx etc) redirects/SAML works fine in 2.0.5390 so I would assume that part is still ok.

Maybe I am missing something in the config?

These are not the Debian Packages or Docker Setup but compiled as done in the past.

If I switch to other modes (pam authentication, anonymous or jwt) the setup works, so the bridge/jicofo/meet setup itself seems sane.

jicofo.conf:

jicofo {
  authentication {
    enabled = true
    type = SHIBBOLETH
    login-url = "shibboleth:default"
    logout-url = "shibboleth:default"
    authentication-lifetime = 24 hours
    enable-auto-login = true
  }
  bridge {
    max-bridge-participants = -1
    max-bridge-packet-rate = 50000
    average-participant-packet-rate-pps = 500
    average-participant-stress = 0.01
    participant-rampup-interval = 20 seconds
    stress-threshold = 0.8
    failure-reset-threshold = 1 minute
    selection-strategy = RegionBasedBridgeSelectionStrategy
    health-checks {
      enabled = true
      interval = 30 seconds
      # retry-delay = 5 seconds
    }
    brewery-jid = "JvbBrewery@internal.auth.meet.example.com"
  }
  codec {
    video {
      vp8 {
        enabled = true
        pt = 100
        rtx-pt = 96
        enable-remb = true
      }
      vp9 {
        enabled = true
        pt = 101
        rtx-pt = 97
        enable-remb = true
      }
      h264 {
        enabled = true
        pt = 107
        rtx-pt = 99
        enable-remb = true
      }
    }
    audio {
      isac-16000 {
        enabled = true
        pt = 103
      }
      isac-32000 {
        enabled = true
        pt = 104
      }
      opus {
        enabled = true
        pt = 111
        minptime = 10
        use-inband-fec = true
        red {
          enabled = false
          pt = 112
        }
      }
      telephone-event {
        enabled = true
        pt = 126
      }
    }
    rtp-extensions {
      audio-level {
        enabled = true
        id = 1
      }
      tof {
        enabled = false
        id = 2
      }
      abs-send-time {
        enabled = true
        id = 3
      }
      rid {
        enabled = false
        id = 4
      }
      tcc {
        enabled = true
        id = 5
      }
      video-content-type {
        enabled = false
        id = 7
      }
      framemarking {
        enabled = false
        id = 9
      }
    }
  }
  conference {
    enable-auto-owner = true
    initial-timeout = 15 seconds
    inject-ssrc-for-recv-only-endpoints = false
    max-ssrcs-per-user = 20
    single-participant-timeout = 20 seconds
    min-participants = 2
    enable-lip-sync = false
    shared-document {
      use-random-name = false
    }
  }
  health {
    enabled = true
    interval = 10 seconds
    # The timeout for a health check
    timeout = 30 seconds
    # If performing a health check takes longer than this, it is considered unsuccessful.
    max-check-duration = 20 seconds
    # The prefix to use when creating MUC rooms for the purpose of health checks.
    room-name-prefix = "__jicofo-health-check"
  }
  jibri {
    # brewery-jid = "jibribrewery@example.com"
    num-retries = 5
    pending-timeout = 90 seconds
  }
  jibri-sip {
    # brewery-jid = "jibrisipbrewery@example.com"
  }
  jigasi {
    # brewery-jid = "jigasibrewery@example.com"
  }
  local-region="region1"
  octo {
    enabled = false
    id = "42"
  }
  rest {
    port = 8888
    tls-port = 8843
  }
  sctp {
    enabled = true
  }
  xmpp {
    client {
      enabled = true
      hostname = "meet.example.com"
      port = 5222
      domain = "meet.example.com"
      username = "focus"
      password = verysecure
      reply-timeout = 15 seconds
      conference-muc-jid = conference.meet.example.com
      disable-certificate-verification = false
      client-proxy = focus.meet.example.com
      use-tls = false
    }
    service {
      enabled = false
      hostname = "localhost"
      port = 6222
      #domain =
      #username =
      #password =
      reply-timeout = 15 seconds
      disable-certificate-verification = false
      use-tls = true
    }
  }
}

prosody:

plugin_paths = { "/data/prosody-plugins/" }
component_interface = "10.10.10.10"
external_service_secret = "000eb*********";

external_services = {
     { type = "stun", host = "stun.example.com", port = 443 },
     { type = "turn", host = "stun.example.com", port = 443, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
     { type = "turns", host = "stun.example.com", port = 443, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;
cross_domain_websocket = true;
consider_websocket_secure = true;

VirtualHost "meet.example.com"
        authentication = "anonymous"
        ssl = {
                key = "/etc/prosody/certs/meet.example.com.key";
                certificate = "/etc/prosody/certs/meet.example.com.crt";
        }
        speakerstats_component = "speakerstats.meet.example.com"
        conference_duration_component = "conferenceduration.meet.example.com"
        modules_enabled = {
            "bosh";
            "pubsub";
            "speakerstats";
            "external_services";
            "conference_duration";
            "muc_lobby_rooms";
            "websocket";
            "smacks";
        }
        lobby_muc = "lobby.meet.example.com"
        main_muc = "conference.meet.example.com"
        c2s_require_encryption = false
        smacks_max_unacked_stanzas = 5;
        smacks_hibernation_time = 60;
        smacks_max_hibernated_sessions = 1;
        smacks_max_old_sessions = 1;

Component "conference.meet.example.com" "muc"
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
    }
    admins = { "focus@auth.meet.example.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true

Component "internal.auth.meet.example.com" "muc"
    storage = "memory"
    modules_enabled = {
      "ping";
    }
    admins = { "focus@auth.meet.example.com", "jvb@auth.meet.example.com" }

VirtualHost "auth.meet.example.com"
    authentication = "internal_hashed"

Component "focus.meet.example.com" "client_proxy"
    target_address = "focus@auth.meet.example.com"

Component "speakerstats.meet.example.com" "speakerstats_component"
    muc_component = "conference.meet.example.com"

Component "conferenceduration.meet.example.com" "conference_duration_component"
    muc_component = "conference.meet.example.com"

Component "lobby.meet.example.com" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true

There are no errors in the logs; I can provide (debug) logs of prosody or jicofo if that helps.
Though in jicofo.log, what is a bit odd is that there are bursts of focus requests while waiting on the “username/password” prompt after “I am moderator”:

Apr 16 16:51:02 jicofo: Jicofo 2021-04-16 16:51:02.805 INFO: [17] ConferenceIqHandler.handleConferenceIq#53: Focus request for room: testshibboleth@conference.meet.example.com
Apr 16 16:51:03 jicofo: Jicofo 2021-04-16 16:51:03.805 INFO: [17] ConferenceIqHandler.handleConferenceIq#53: Focus request for room: testshibboleth@conference.meet.example.com
Apr 16 16:51:03 jicofo: Jicofo 2021-04-16 16:51:03.811 INFO: [17] ConferenceIqHandler.handleConferenceIq#53: Focus request for room: testshibboleth@conference.meet.example.com
Apr 16 16:51:03 jicofo: Jicofo 2021-04-16 16:51:03.812 INFO: [17] ConferenceIqHandler.handleConferenceIq#53: Focus request for room: testshibboleth@conference.meet.example.com
Apr 16 16:51:03 jicofo: Jicofo 2021-04-16 16:51:03.812 INFO: [17] ConferenceIqHandler.handleConferenceIq#53: Focus request for room: testshibboleth@conference.meet.example.com
Apr 16 16:51:03 jicofo: Jicofo 2021-04-16 16:51:03.812 INFO: [17] ConferenceIqHandler.handleConferenceIq#53: Focus request for room: testshibboleth@conference.meet.example.com
Apr 16 16:51:03 jicofo: Jicofo 2021-04-16 16:51:03.816 INFO: [17] ConferenceIqHandler.handleConferenceIq#53: Focus request for room: testshibboleth@conference.meet.example.com
Apr 16 16:51:03 jicofo: Jicofo 2021-04-16 16:51:03.816 INFO: [17] ConferenceIqHandler.handleConferenceIq#53: Focus request for room: testshibboleth@conference.meet.example.com
Apr 16 16:51:03 jicofo: Jicofo 2021-04-16 16:51:03.820 INFO: [17] ConferenceIqHandler.handleConferenceIq#53: Focus request for room: testshibboleth@conference.meet.example.com
Apr 16 16:51:03 jicofo: Jicofo 2021-04-16 16:51:03.820 INFO: [17] ConferenceIqHandler.handleConferenceIq#53: Focus request for room: testshibboleth@conference.meet.example.com
Apr 16 16:51:03 jicofo: Jicofo 2021-04-16 16:51:03.831 INFO: [17] ConferenceIqHandler.handleConferenceIq#53: Focus request for room: testshibboleth@conference.meet.example.com
Apr 16 16:51:03 jicofo: Jicofo 2021-04-16 16:51:03.838 INFO: [17] ConferenceIqHandler.handleConferenceIq#53: Focus request for room: testshibboleth@conference.meet.example.com
Apr 16 16:51:03 jicofo: Jicofo 2021-04-16 16:51:03.838 INFO: [17] ConferenceIqHandler.handleConferenceIq#53: Focus request for room: testshibboleth@conference.meet.example.com
Apr 16 16:51:03 jicofo: Jicofo 2021-04-16 16:51:03.838 INFO: [17] ConferenceIqHandler.handleConferenceIq#53: Focus request for room: testshibboleth@conference.meet.example.com
Apr 16 16:51:03 jicofo: Jicofo 2021-04-16 16:51:03.838 INFO: [17] ConferenceIqHandler.handleConferenceIq#53: Focus request for room: testshibboleth@conference.meet.example.com
Apr 16 16:51:03 jicofo: Jicofo 2021-04-16 16:51:03.838 INFO: [17] ConferenceIqHandler.handleConferenceIq#53: Focus request for room: testshibboleth@conference.meet.example.com
Apr 16 16:51:03 jicofo: Jicofo 2021-04-16 16:51:03.841 INFO: [17] ConferenceIqHandler.handleConferenceIq#53: Focus request for room: testshibboleth@conference.meet.example.com
Apr 16 16:51:04 jicofo: Jicofo 2021-04-16 16:51:04.807 INFO: [17] ConferenceIqHandler.handleConferenceIq#53: Focus request for room: testshibboleth@conference.meet.example.com
Apr 16 16:51:04 jicofo: Jicofo 2021-04-16 16:51:04.829 INFO: [17] ConferenceIqHandler.handleConferenceIq#53: Focus request for room: testshibboleth@conference.meet.example.com

These don't occur in bursts on other auth types (pam/anonymous etc.).

The browser console log also does not show too much. I attempt to paste the bits before “failing” here, not sure if it makes sense:

Logger.js:154 2021-04-16T14:43:58.348Z [modules/RTC/RTCUtils.js] onUserMediaSuccess
Logger.js:154 2021-04-16T14:43:58.359Z [conference.js] <Object.startConference>:  Initialized with 2 local tracks
Logger.js:154 2021-04-16T14:43:58.362Z [modules/xmpp/xmpp.js] <P.createRoom>:  JID 615dd898-cb54-41c6-badb-2e43c7c1231b@meet.example.com/UPwNp10D using MUC nickname 615dd898
Logger.js:154 2021-04-16T14:43:58.362Z [modules/xmpp/ChatRoom.js] <new E>:  Joined MUC as testshibboleth@conference.meet.example.com/615dd898
Logger.js:154 2021-04-16T14:43:58.363Z [modules/e2eping/e2eping.js] <new u>:  Initializing e2e ping; pingInterval=10000, analyticsInterval=60000.
Logger.js:154 2021-04-16T14:43:58.364Z [modules/connectivity/ParticipantConnectionStatus.js] <new g>:  RtcMuteTimeout set to: 10000
Logger.js:154 2021-04-16T14:43:58.366Z [modules/statistics/AvgRTPStatsReporter.js] <new g>:  Avg RTP stats will be calculated every 15 samples
Logger.js:154 2021-04-16T14:43:58.367Z [JitsiConference.js] <new ae>:  backToP2PDelay: 5
Logger.js:154 2021-04-16T14:43:58.369Z [JitsiConference.js] <new ae>:  End-to-End Encryprtion is supported
Logger.js:154 2021-04-16T14:43:58.400Z [JitsiConference.js] <ae._doReplaceTrack>:  _doReplaceTrack - no JVB JingleSession
Logger.js:154 2021-04-16T14:43:58.400Z [JitsiConference.js] <ae._doReplaceTrack>:  _doReplaceTrack - no P2P JingleSession
Logger.js:154 2021-04-16T14:43:58.403Z [JitsiConference.js] <ae._doReplaceTrack>:  _doReplaceTrack - no JVB JingleSession
Logger.js:154 2021-04-16T14:43:58.404Z [JitsiConference.js] <ae._doReplaceTrack>:  _doReplaceTrack - no P2P JingleSession
Logger.js:154 2021-04-16T14:43:58.406Z [modules/xmpp/moderator.js] <l.setFocusUserJid>:  Focus jid set to:  undefined
Logger.js:154 2021-04-16T14:43:58.406Z [modules/xmpp/moderator.js] <l.createConferenceIq>:  Session ID: null machine UID: 1f177175801e0ca67e83bbc39b7508cb
Logger.js:154 2021-04-16T14:43:58.414Z [features/base/tracks] Replace audio track - unmuted
Logger.js:154 2021-04-16T14:43:58.416Z [features/base/tracks] Replace video track - unmuted
Logger.js:154 2021-04-16T14:43:58.475Z [modules/xmpp/moderator.js] <l._allocateConferenceFocusError>:  Unauthorized to start the conference <iq xmlns="jabber:client" type="error" to="615dd898-cb54-41c6-badb-2e43c7c1231b@meet.example.com/UPwNp10D" from="focus.meet.example.com" id="b693556d-d949-4d4a-8387-c8db29598631:sendIQ">…</iq><error type="auth">…</error></iq>
o @ Logger.js:154
l._allocateConferenceFocusError @ moderator.js:349
(anonymous) @ moderator.js:291
(anonymous) @ strophe.umd.js:2716
run @ strophe.umd.js:1875
(anonymous) @ strophe.umd.js:3157
forEachChild @ strophe.umd.js:830
_dataRecv @ strophe.umd.js:3146
_onMessage @ strophe.umd.js:5836
Content.js:160 @atlaskit/modal-dialog: Deprecation warning - Use of the footer prop in ModalDialog is deprecated. Please compose your ModalDialog using the 'components' prop instead
Logger.js:154 2021-04-16T14:43:58.547Z [conference.js] <ne._onConferenceFailed>:  CONFERENCE FAILED: conference.authenticationRequired
o @ Logger.js:154
_onConferenceFailed @ conference.js:297
a.emit @ events.js:152
a.emit @ events.js:152
l._allocateConferenceFocusError @ moderator.js:357
(anonymous) @ moderator.js:291
(anonymous) @ strophe.umd.js:2716
run @ strophe.umd.js:1875
(anonymous) @ strophe.umd.js:3157
forEachChild @ strophe.umd.js:830
_dataRecv @ strophe.umd.js:3146
_onMessage @ strophe.umd.js:5836
index.js:9 Fetch finished loading: GET "https://meet.example.com/libs/rnnoise.wasm".
Logger.js:154 2021-04-16T14:43:58.592Z [modules/RTC/RTCUtils.js] <Z.newObtainAudioAndVideoPermissions>:  Using the new gUM flow
Logger.js:154 2021-04-16T14:43:58.593Z [modules/RTC/RTCUtils.js] <Z.<anonymous>>:  Got media constraints:  {"video":false,"audio":{"optional":[{"sourceId":"default"},{"echoCancellation":true},{"googEchoCancellation":true},{"googAutoGainControl":false},{"googNoiseSuppression":true},{"googHighpassFilter":true},{"googNoiseSuppression2":true},{"googEchoCancellation2":true},{"googAutoGainControl2":false}]}}
Logger.js:154 2021-04-16T14:43:58.686Z [modules/UI/videolayout/LargeVideoManager.js] hover in 615dd898
Logger.js:154 2021-04-16T14:43:59.082Z [modules/RTC/RTCUtils.js] onUserMediaSuccess
Content.js:160 @atlaskit/modal-dialog: Deprecation warning - Use of the footer prop in ModalDialog is deprecated. Please compose your ModalDialog using the 'components' prop instead
value @ Content.js:160
vl @ react-dom.production.min.js:251
t.unstable_runWithPriority @ scheduler.production.min.js:18
Vr @ react-dom.production.min.js:120
yl @ react-dom.production.min.js:244
il @ react-dom.production.min.js:223
(anonymous) @ react-dom.production.min.js:121
t.unstable_runWithPriority @ scheduler.production.min.js:18
Vr @ react-dom.production.min.js:120
Kr @ react-dom.production.min.js:121
Gr @ react-dom.production.min.js:120
se @ react-dom.production.min.js:285
xn @ react-dom.production.min.js:82
Logger.js:154 2021-04-16T14:44:03.508Z [modules/xmpp/moderator.js] <l.setFocusUserJid>:  Focus jid set to:  undefined
Logger.js:154 2021-04-16T14:44:03.509Z [modules/xmpp/moderator.js] <l.createConferenceIq>:  Session ID: null machine UID: 1f177175801e0ca67e83bbc39b7508cb
Logger.js:154 2021-04-16T14:44:03.523Z [modules/xmpp/moderator.js] <l._allocateConferenceFocusError>:  Unauthorized to start the conference <iq xmlns="jabber:client" type="error" to="615dd898-cb54-41c6-badb-2e43c7c1231b@meet.example.com/UPwNp10D" from="focus.meet.example.com" id="d901ace2-d700-4f47-af07-e09b0eb293d6:sendIQ">…</iq>
o @ Logger.js:154
l._allocateConferenceFocusError @ moderator.js:349
(anonymous) @ moderator.js:291
(anonymous) @ strophe.umd.js:2716
run @ strophe.umd.js:1875
(anonymous) @ strophe.umd.js:3157
forEachChild @ strophe.umd.js:830
_dataRecv @ strophe.umd.js:3146
_onMessage @ strophe.umd.js:5836
Logger.js:154 2021-04-16T14:44:03.536Z [conference.js] <ne._onConferenceFailed>:  CONFERENCE FAILED: conference.authenticationRequired
o @ Logger.js:154
_onConferenceFailed @ conference.js:297
a.emit @ events.js:152
a.emit @ events.js:152
l._allocateConferenceFocusError @ moderator.js:357
(anonymous) @ moderator.js:291
(anonymous) @ strophe.umd.js:2716
run @ strophe.umd.js:1875
(anonymous) @ strophe.umd.js:3157
forEachChild @ strophe.umd.js:830
_dataRecv @ strophe.umd.js:3146
_onMessage @ strophe.umd.js:5836
Logger.js:154 2021-04-16T14:44:03.570Z [modules/xmpp/moderator.js] <l.setFocusUserJid>:  Focus jid set to:  undefined
Logger.js:154 2021-04-16T14:44:03.570Z [modules/xmpp/moderator.js] <l.createConferenceIq>:  Session ID: null machine UID: 1f177175801e0ca67e83bbc39b7508cb
Logger.js:154 2021-04-16T14:44:03.583Z [modules/xmpp/moderator.js] <l._allocateConferenceFocusError>:  Unauthorized to start the conference <iq xmlns="jabber:client" type="error" to="615dd898-cb54-41c6-badb-2e43c7c1231b@meet.example.com/UPwNp10D" from="focus.meet.example.com" id="752485c0-6867-4368-a014-adf60dca2926:sendIQ">…</iq>
o @ Logger.js:154
l._allocateConferenceFocusError @ moderator.js:349
(anonymous) @ moderator.js:291
(anonymous) @ strophe.umd.js:2716
run @ strophe.umd.js:1875
(anonymous) @ strophe.umd.js:3157
forEachChild @ strophe.umd.js:830
_dataRecv @ strophe.umd.js:3146
_onMessage @ strophe.umd.js:5836
Logger.js:154 2021-04-16T14:44:03.601Z [conference.js] <ne._onConferenceFailed>:  CONFERENCE FAILED: conference.authenticationRequired

Any ideas would be most welcome, also if someone has Shibboleth working in the current release.

Since the client doesn't seem to even attempt to access Shibboleth /login etc., there are no useful logs to gain from nginx.
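
Added example, not part of the original post: one way to quantify the bursts of focus requests described above, assuming the jicofo log line format quoted in the post. The sample lines are constructed, and `find_bursts`, the one-second window and the threshold of five requests are illustrative choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the jicofo log line format quoted in the post above.
FOCUS_RE = re.compile(
    r"Jicofo (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) INFO: .*?"
    r"ConferenceIqHandler\.handleConferenceIq#\d+: "
    r"Focus request for room: (?P<room>\S+)"
)

# Constructed sample, modelled on the lines in the post (not a real capture).
PREFIX = "Apr 16 16:51:03 jicofo: Jicofo 2021-04-16 "
SUFFIX = " INFO: [17] ConferenceIqHandler.handleConferenceIq#53: Focus request for room: "
ROOM_A = "testshibboleth@conference.meet.example.com"
ROOM_B = "otherroom@conference.meet.example.com"
SAMPLE_LOG = [
    PREFIX + "16:51:02.805" + SUFFIX + ROOM_A,
    PREFIX + "16:51:03.805" + SUFFIX + ROOM_A,
    PREFIX + "16:51:03.811" + SUFFIX + ROOM_A,
    PREFIX + "16:51:03.812" + SUFFIX + ROOM_A,
    PREFIX + "16:51:03.816" + SUFFIX + ROOM_A,
    PREFIX + "16:51:03.820" + SUFFIX + ROOM_A,
    PREFIX + "16:51:03.838" + SUFFIX + ROOM_A,
    PREFIX + "16:51:09.100" + SUFFIX + ROOM_A,
    "Apr 16 16:51:09 jicofo: (constructed unrelated line, must be ignored)",
    PREFIX + "16:51:09.300" + SUFFIX + ROOM_B,
    PREFIX + "16:51:09.900" + SUFFIX + ROOM_B,
]


def parse_focus_requests(lines):
    """Yield (timestamp, room) for every focus-request line; skip all others."""
    for line in lines:
        m = FOCUS_RE.search(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["room"]


def find_bursts(lines, window=timedelta(seconds=1), threshold=5):
    """Return {room: [(first_ts, last_ts, count), ...]}.

    A burst is a maximal run of requests for one room in which at least
    `threshold` requests fall inside a sliding `window`; overlapping
    windows are merged into a single burst.
    """
    per_room = defaultdict(list)
    for ts, room in parse_focus_requests(lines):
        per_room[room].append(ts)

    bursts = {}
    for room, stamps in per_room.items():
        stamps.sort()
        found = []
        current = None  # [first_index, last_index] of the burst being grown
        left = 0
        for right, ts in enumerate(stamps):
            # Shrink the window from the left until it spans at most `window`.
            while ts - stamps[left] > window:
                left += 1
            if right - left + 1 >= threshold:
                if current is not None and left <= current[1]:
                    current[1] = right          # extend the running burst
                else:
                    if current is not None:
                        found.append(current)   # close the previous burst
                    current = [left, right]
        if current is not None:
            found.append(current)
        if found:
            bursts[room] = [(stamps[a], stamps[b], b - a + 1) for a, b in found]
    return bursts


if __name__ == "__main__":
    for room, runs in find_bursts(SAMPLE_LOG).items():
        for first, last, count in runs:
            span_ms = (last - first).total_seconds() * 1000
            print(f"{room}: {count} focus requests in {span_ms:.0f} ms "
                  f"starting {first.isoformat(sep=' ', timespec='milliseconds')}")
```

Running the same function over the log for each auth type gives a direct comparison of how often the client re-sends the conference request.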

Can you capture the XMPP traffic between the client and jicofo? The easiest way is to open the “Network” tab in Chrome before joining the conference, then look for “xmpp-websocket” (or requests to “/http-bind”).

Boris

Here is a session from connect to conference -> I am the moderator (username/password prompt appears):

22:43:53.310
<open xml:lang='en' from='meet.example.com' id='cdb0a23e-e9c5-453a-a025-4bef288b85ec' version='1.0' xmlns='urn:ietf:params:xml:ns:xmpp-framing'/>	147	
22:43:53.400
<stream:features xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client'><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>ANONYMOUS</mechanism></mechanisms></stream:features>	203	
22:43:53.415
<auth mechanism="ANONYMOUS" xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>	70	
22:43:53.416
<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>	51	
22:43:53.459
<open to="meet.example.com" version="1.0" xmlns="urn:ietf:params:xml:ns:xmpp-framing"/>	89	
22:43:53.462
<open xml:lang='en' from='meet.example.com' id='f101ea0a-7433-4b57-89b3-46499025c3c0' version='1.0' xmlns='urn:ietf:params:xml:ns:xmpp-framing'/>	147	
22:43:53.533
<stream:features xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client'><c ver='ykXxUu/sIjji9xYfJMvy+7lh8Jc=' hash='sha-1' node='http://prosody.im' xmlns='http://jabber.org/protocol/caps'/><sm xmlns='urn:xmpp:sm:2'><optional/></sm><sm xmlns='urn:xmpp:sm:3'><optional/></sm><bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'><required/></bind><session xmlns='urn:ietf:params:xml:ns:xmpp-session'><optional/></session><ver xmlns='urn:xmpp:features:rosterver'/></stream:features>	487	
22:43:53.533
<iq id="_bind_auth_2" type="set" xmlns="jabber:client"><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"/></iq>	108	
22:43:53.534
<iq id='_bind_auth_2' type='result' xmlns='jabber:client'><bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'><jid>bdcff6a5-0cb1-4d00-98d4-666cf8ec0fd8@meet.example.com/z4dB29n-</jid></bind></iq>	192	
22:43:53.591
<iq id="_session_auth_2" type="set" xmlns="jabber:client"><session xmlns="urn:ietf:params:xml:ns:xmpp-session"/></iq>	117	
22:43:53.592
<iq id='_session_auth_2' type='result' to='bdcff6a5-0cb1-4d00-98d4-666cf8ec0fd8@meet.example.com/z4dB29n-' xmlns='jabber:client'/>	132	
22:43:53.620
<enable resume="true" xmlns="urn:xmpp:sm:3"/>	45	
22:43:53.621
<enabled id='725fe28f-0c38-40e3-9551-2203be416f08' resume='true' max='60' xmlns='urn:xmpp:sm:3'/>	97	
22:43:53.667
<iq id="5fce9120-e96e-40c5-8d5f-d6b9973063c5:sendIQ" to="meet.example.com" type="get" xmlns="jabber:client"><services xmlns="urn:xmpp:extdisco:2"/></iq>	154	
22:43:53.724
<iq from="bdcff6a5-0cb1-4d00-98d4-666cf8ec0fd8@meet.example.com/z4dB29n-" id="36115380-6fdd-456e-a2b8-70b3ec782cd1:sendIQ" to="meet.example.com" type="get" xmlns="jabber:client"><query xmlns="http://jabber.org/protocol/disco#info"/></iq>	241	
22:43:53.724
<iq type='result' to='bdcff6a5-0cb1-4d00-98d4-666cf8ec0fd8@meet.example.com/z4dB29n-' from='meet.example.com' id='5fce9120-e96e-40c5-8d5f-d6b9973063c5:sendIQ' xmlns='jabber:client'><services xmlns='urn:xmpp:extdisco:2'><service host='stun.example.com' type='stun' port='443'/><service restricted='1' type='turn' expires='2021-04-17T20:43:53Z' port='443' username='1618692233' password='***' host='stun.example.com' transport='udp'/><service restricted='1' type='turns' expires='2021-04-17T20:43:53Z' port='443' username='1618692233' password='***' host='stun.example.com' transport='tcp'/></services></iq>	656	
22:43:53.765
<iq type='result' to='bdcff6a5-0cb1-4d00-98d4-666cf8ec0fd8@meet.example.com/z4dB29n-' from='meet.example.com' id='36115380-6fdd-456e-a2b8-70b3ec782cd1:sendIQ' xmlns='jabber:client'><query xmlns='http://jabber.org/protocol/disco#info'><identity type='conference_duration' name='conferenceduration.meet.example.com' category='component'/><identity type='pep' name='Prosody' category='pubsub'/><identity type='lobbyrooms' name='lobby.meet.example.com' category='component'/><identity type='speakerstats' name='speakerstats.meet.example.com' category='component'/><identity type='service' name='Prosody PubSub Service' category='pubsub'/><identity type='im' name='Prosody' category='server'/><feature var='urn:xmpp:blocking'/><feature var='http://jabber.org/protocol/commands'/><feature var='jabber:iq:register'/><feature var='http://jabber.org/protocol/pubsub#publish'/><feature var='msgoffline'/><feature var='jabber:iq:last'/><feature var='vcard-temp'/><feature var='urn:xmpp:carbons:2'/><feature var='jabber:iq:roster'/><feature var='urn:xmpp:time'/><feature var='jabber:iq:time'/><feature var='urn:xmpp:extdisco:2'/><feature var='urn:xmpp:extdisco:1'/><feature var='jabber:iq:version'/><feature var='http://jabber.org/protocol/pubsub'/><feature var='http://jabber.org/protocol/pubsub#delete-items'/><feature var='http://jabber.org/protocol/pubsub#meta-data'/><feature var='http://jabber.org/protocol/pubsub#retract-items'/><feature var='http://jabber.org/protocol/pubsub#modify-affiliations'/><feature var='http://jabber.org/protocol/pubsub#member-affiliation'/><feature var='http://jabber.org/protocol/pubsub#multi-items'/><feature var='http://jabber.org/protocol/pubsub#outcast-affiliation'/><feature var='http://jabber.org/protocol/pubsub#subscription-options'/><feature var='http://jabber.org/protocol/pubsub#retrieve-items'/><feature var='http://jabber.org/protocol/pubsub#access-open'/><feature var='http://jabber.org/protocol/pubsub#delete-nodes'/><feature 
var='http://jabber.org/protocol/pubsub#retrieve-default'/><feature var='http://jabber.org/protocol/pubsub#persistent-items'/><feature var='http://jabber.org/protocol/pubsub#publisher-affiliation'/><feature var='http://jabber.org/protocol/pubsub#item-ids'/><feature var='http://jabber.org/protocol/pubsub#create-nodes'/><feature var='http://jabber.org/protocol/pubsub#config-node'/><feature var='http://jabber.org/protocol/pubsub#create-and-configure'/><feature var='http://jabber.org/protocol/pubsub#subscribe'/><feature var='http://jabber.org/protocol/pubsub#publish-options'/><feature var='http://jabber.org/protocol/pubsub#instant-nodes'/><feature var='http://jabber.org/protocol/pubsub#purge-nodes'/><feature var='http://jabber.org/protocol/pubsub#retrieve-subscriptions'/><feature var='jabber:iq:private'/><feature var='urn:xmpp:ping'/><feature var='http://jabber.org/protocol/disco#info'/><feature var='http://jabber.org/protocol/disco#items'/></query></iq>	2938	
22:43:53.770
<iq from="bdcff6a5-0cb1-4d00-98d4-666cf8ec0fd8@meet.example.com/z4dB29n-" id="28d349d7-7751-4e38-816d-78c279446b62:sendIQ" to="lobby.meet.example.com" type="get" xmlns="jabber:client"><query node="lobbyrooms" xmlns="http://jabber.org/protocol/disco#info"/></iq>	265	
22:43:53.772
<iq type='result' to='bdcff6a5-0cb1-4d00-98d4-666cf8ec0fd8@meet.example.com/z4dB29n-' from='lobby.meet.example.com' id='28d349d7-7751-4e38-816d-78c279446b62:sendIQ' xmlns='jabber:client'><query node='lobbyrooms' xmlns='http://jabber.org/protocol/disco#info'/></iq>	268	
22:43:53.791
<iq id="77b48517-57d0-4a2c-83d1-78d756e1493c:sendIQ" to="focus.meet.example.com" type="set" xmlns="jabber:client"><conference machine-uid="79c7dbe79dcdc9d884b862c12c80626b" room="shibbolethtest@conference.meet.example.com" xmlns="http://jitsi.org/protocol/focus"><property name="disableRtx" value="false"/><property name="startBitrate" value="800"/><property name="startAudioMuted" value="5"/><property name="stereo" value="false"/></conference></iq>	454	
22:43:56.252
<iq type='error' to='bdcff6a5-0cb1-4d00-98d4-666cf8ec0fd8@meet.example.com/z4dB29n-' from='focus.meet.example.com' id='77b48517-57d0-4a2c-83d1-78d756e1493c:sendIQ' xmlns='jabber:client'><error type='auth'><not-authorized xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/><text xml:lang='en' xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>not authorized user domain</text></error></iq>	380	
22:43:56.311
<iq id="2454fd1d-7bc4-4d4a-9b67-a330b69aeeb3:sendIQ" to="focus.meet.example.com" type="set" xmlns="jabber:client"><conference machine-uid="79c7dbe79dcdc9d884b862c12c80626b" room="shibbolethtest@conference.meet.example.com" xmlns="http://jitsi.org/protocol/focus"><property name="disableRtx" value="false"/><property name="startBitrate" value="800"/><property name="startAudioMuted" value="5"/><property name="stereo" value="false"/></conference></iq>	454	
22:44:01.330
<r xmlns="urn:xmpp:sm:3"/>	26	
22:44:01.332
<iq type='error' to='bdcff6a5-0cb1-4d00-98d4-666cf8ec0fd8@meet.example.com/z4dB29n-' from='focus.meet.example.com' id='2454fd1d-7bc4-4d4a-9b67-a330b69aeeb3:sendIQ' xmlns='jabber:client'><error type='auth'><not-authorized xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/><text xml:lang='en' xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>not authorized user domain</text></error></iq>	380	
22:44:01.341
<a xmlns='urn:xmpp:sm:3' h='5'/>	32	
22:44:01.357
<r xmlns='urn:xmpp:sm:3'/>	26	
22:44:01.357
<a h="5" xmlns="urn:xmpp:sm:3"/>	32	
22:44:01.358
<iq id="e6a0a280-31ab-4054-b2d9-a9893660dc5f:sendIQ" to="focus.meet.example.com" type="set" xmlns="jabber:client"><conference machine-uid="79c7dbe79dcdc9d884b862c12c80626b" room="shibbolethtest@conference.meet.example.com" xmlns="http://jitsi.org/protocol/focus"><property name="disableRtx" value="false"/><property name="startBitrate" value="800"/><property name="startAudioMuted" value="5"/><property name="stereo" value="false"/></conference></iq>	454	
22:44:01.397
<iq type='error' to='bdcff6a5-0cb1-4d00-98d4-666cf8ec0fd8@meet.example.com/z4dB29n-' from='focus.meet.example.com' id='e6a0a280-31ab-4054-b2d9-a9893660dc5f:sendIQ' xmlns='jabber:client'><error type='auth'><not-authorized xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/><text xml:lang='en' xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>not authorized user domain</text></error></iq>	380	
22:44:01.409
<iq id="0db4a5da-40ba-4abb-baf6-4a821cac1688:sendIQ" to="meet.example.com" type="get" xmlns="jabber:client"><ping xmlns="urn:xmpp:ping"/></iq>	144	
22:44:03.625
<iq type='result' to='bdcff6a5-0cb1-4d00-98d4-666cf8ec0fd8@meet.example.com/z4dB29n-' from='meet.example.com' id='0db4a5da-40ba-4abb-baf6-4a821cac1688:sendIQ' xmlns='jabber:client'/>	186	
22:44:03.644
<iq id="f84f75bd-ee86-417b-92c2-1696437094c1:sendIQ" to="focus.meet.example.com" type="set" xmlns="jabber:client"><conference machine-uid="79c7dbe79dcdc9d884b862c12c80626b" room="shibbolethtest@conference.meet.example.com" xmlns="http://jitsi.org/protocol/focus"><property name="disableRtx" value="false"/><property name="startBitrate" value="800"/><property name="startAudioMuted" value="5"/><property name="stereo" value="false"/></conference></iq>	454	
22:44:06.384
<iq type='error' to='bdcff6a5-0cb1-4d00-98d4-666cf8ec0fd8@meet.example.com/z4dB29n-' from='focus.meet.example.com' id='f84f75bd-ee86-417b-92c2-1696437094c1:sendIQ' xmlns='jabber:client'><error type='auth'><not-authorized xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/><text xml:lang='en' xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>not authorized user domain</text></error></iq>	380	
22:44:06.402
<iq id="a3b4efec-38ad-443f-9e9f-9869dddc7db9:sendIQ" to="focus.meet.example.com" type="set" xmlns="jabber:client"><conference machine-uid="79c7dbe79dcdc9d884b862c12c80626b" room="shibbolethtest@conference.meet.example.com" xmlns="http://jitsi.org/protocol/focus"><property name="disableRtx" value="false"/><property name="startBitrate" value="800"/><property name="startAudioMuted" value="5"/><property name="stereo" value="false"/></conference></iq>	454	
22:44:06.442
<iq type='error' to='bdcff6a5-0cb1-4d00-98d4-666cf8ec0fd8@meet.example.com/z4dB29n-' from='focus.meet.example.com' id='a3b4efec-38ad-443f-9e9f-9869dddc7db9:sendIQ' xmlns='jabber:client'><error type='auth'><not-authorized xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/><text xml:lang='en' xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>not authorized user domain</text></error></iq>	380	
22:44:06.454
<iq id="9ec9471f-e4e5-4733-a7b8-7e0cbc25cd15:sendIQ" to="focus.meet.example.com" type="set" xmlns="jabber:client"><conference machine-uid="79c7dbe79dcdc9d884b862c12c80626b" room="shibbolethtest@conference.meet.example.com" xmlns="http://jitsi.org/protocol/focus"><property name="disableRtx" value="false"/><property name="startBitrate" value="800"/><property name="startAudioMuted" value="5"/><property name="stereo" value="false"/></conference></iq>	454	
22:44:11.445
<r xmlns="urn:xmpp:sm:3"/>	26	
22:44:11.447
<iq type='error' to='bdcff6a5-0cb1-4d00-98d4-666cf8ec0fd8@meet.example.com/z4dB29n-' from='focus.meet.example.com' id='9ec9471f-e4e5-4733-a7b8-7e0cbc25cd15:sendIQ' xmlns='jabber:client'><error type='auth'><not-authorized xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/><text xml:lang='en' xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>not authorized user domain</text></error></iq>	380	
22:44:11.456
<a xmlns='urn:xmpp:sm:3' h='10'/>	33
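To triage a capture like the one above, each focus `<conference>` request can be paired with its reply by IQ id, so that repeated auth errors and unanswered requests stand out. This is an added example, not part of the original post or of Jitsi's code; the sample frames, ids and room name in it are constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

FOCUS = "{http://jitsi.org/protocol/focus}conference"
ERR_NS = "{urn:ietf:params:xml:ns:xmpp-stanzas}"

# Constructed sample in the capture's layout (stanza, tab, frame length, then a
# timestamp row). The ids and the room name are made up for this example.
REQ = ('<iq id="{0}" to="focus.meet.example.com" type="set" xmlns="jabber:client">'
       '<conference room="demo@conference.meet.example.com" '
       'xmlns="http://jitsi.org/protocol/focus"/></iq>\t180\t')
ERR = ("<iq type='error' from='focus.meet.example.com' id='{0}' xmlns='jabber:client'>"
       "<error type='auth'><not-authorized xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>"
       "<text xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>not authorized user domain"
       "</text></error></iq>\t300\t")
SAMPLE = "\n".join([
    REQ.format("req-1"), "22:43:53.791", ERR.format("req-1"), "22:43:56.252",
    '<r xmlns="urn:xmpp:sm:3"/>\t26\t', "22:44:01.330", REQ.format("req-2"),
    "22:44:01.358", ERR.format("req-2"), "22:44:01.397", REQ.format("req-3")])


def focus_failures(capture):
    """Pair focus <conference> requests with replies: (error counts, unanswered ids)."""
    pending, failures = {}, Counter()
    for line in capture.splitlines():
        line = re.sub(r"\s+\d+\s*$", "", line)  # drop the frame-length column
        if not line.startswith("<"):
            continue  # timestamp row
        try:
            iq = ET.fromstring(line)  # a trusted, self-made capture is assumed
        except ET.ParseError:
            continue  # stanza wrapped across lines or truncated in the paste
        if iq.tag != "{jabber:client}iq":
            continue
        conf, err = iq.find(FOCUS), iq.find("{jabber:client}error")
        if iq.get("type") == "set" and conf is not None:
            pending[iq.get("id")] = conf.get("room")
        elif iq.get("id") in pending:
            room = pending.pop(iq.get("id"))
            if iq.get("type") == "error" and err is not None:
                cond = next((c.tag[len(ERR_NS):] for c in err
                             if c.tag.startswith(ERR_NS) and c.tag != ERR_NS + "text"), "unknown")
                text = err.findtext(ERR_NS + "text", default="")
                failures[(room, err.get("type"), cond, text)] += 1
    return failures, sorted(pending)


if __name__ == "__main__":
    print(focus_failures(SAMPLE))
```

Every failure collapsing to one key, as it would for the capture above, indicates a deterministic rejection by the focus component rather than a transient one.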

Based on this, there must be something going on with the request to /login. Can you please extract that from Chrome as well?

That's the issue, there seems to be not even the attempt to access /login, the username/password prompt appears right away → I think I am missing some setting that would be telling the webapp to use shibbo? But hmm, I fail to find anything (obvious).

What do you mean by extract from Chrome? How/where? (Network tab?)

Hi @Boris_Grozev, the issue seems to be with the new React LoginDialog done by this commit: feature(authentication) by Calinteodor · Pull Request #8869 · jitsi/jitsi-meet · GitHub.
The code used by the shibboleth auth is never called in the last stable version; the only call to room.getExternalAuthUrl() with the redirection to this externalAuth is done in the old auth file in modules/UI/authentication/AuthHandler.js and not in the new one.
Regards,
Damien

Hmm, yes, I just now tried with the previous jitsi-meet (webapp) version 2.0.5390, keeping jicofo/prosody/jitsi-videobridge etc. “as is”, and it worked immediately. Seems like something broke in the “jitsi-meet” webapp.

I think the URL redirection logic used by the shibboleth auth configuration was not ported to the new React version of the authentication: jitsi-meet/react/features/authentication at master · jitsi/jitsi-meet · GitHub.

Since this seems to be a bug, I have created the following github issue: Shibboleth/SAML Authentication (URL Redirection) broken in 2.0.5765 · Issue #9026 · jitsi/jitsi-meet · GitHub

Thanks @Boris_Grozev and @Damien_FETIS for your help! Very much appreciated! I was too focused on a possible configuration issue on my side, which tends to be the more common cause when something breaks :slight_smile:

@Damien_FETIS what do you think will be the challenges in implementing a separate service doing all these shibboleth shenanigans and just use jwt+iframe for loading a conference?

This is what happened here, and we want to avoid it in the future. But in order for this to happen, we need to drop the shibboleth support from jicofo and the jitsi-meet UI. This is something we do not use and break every now and then.
This will help people using shibboleth to be sure this is not broken in future updates, and it will help us by making the code simpler, with fewer bugs, so that we can concentrate on the real issues and features and not try to fix something we do not use and cannot even test.

We are currently at: we know it's broken … and I tried deploying something dummy to test it and I’m at the point of adding some dummy provider just for tests … and I have no idea how to do it and I’m wasting a lot of time and need to drop it.
So any PR with a fix is welcome at this point, or help with a way to quickly test it …

Hi @damencho,
You’re completely right about using shibboleth to protect a jwt auth server. It is doable and it will be simpler for Jitsi to deal with only one external auth mechanism.
I didn’t try the jwt auth mechanism in Jitsi before, but is it a requirement to use it in the Jitsi iframe API, or can it be used in another way?

However, if you want to test the shibboleth auth with Jitsi, you don’t need to deploy all the complex shibboleth stuff. You can easily fake the auth process with this nginx config:

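location /login {
    # Test only: fake the auth process by setting the mail header ourselves.
    proxy_set_header mail testuser;
    add_header Content-Type text/html;
    # Forward the request to the jicofo web server.
    proxy_pass http://127.0.0.1:8888;
}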

This location will be used as the redirection target by the browser, and it will send the request with the mail header to the jicofo web server (it is the only thing jicofo needs).
But if you want, I will have some time next week for a PR.

Regards,
Damien

No, I was thinking it will be easier with shibboleth … and as you need a service to generate jwt tokens and pass it to the page …

Ok, will try that.

Thanks @Damien_FETIS that helped :slight_smile:

you can try testing: fix(authentication) login dialog closed when connection established by Calinteodor · Pull Request #9049 · jitsi/jitsi-meet · GitHub
We think it is fixed, we are now testing the other use cases and that those are not broken. Kudos to @Calinteodor for the quick fixes :slight_smile:

Now that this is sorted, dare we ask for a release with working Shibboleth auth to stable? @damencho?

The RC is in the testing repo, you can try that one; it will probably be out by the end of the week.

Thanks a lot!