Time
S
Nick
Message
02:05
jri joined #dataverse
05:05
jri joined #dataverse
08:00
poikilotherm joined #dataverse
08:14
jri joined #dataverse
11:13
pdurbin
poikilotherm: I forget. Have you played with Flyway? You still want this to get merged, right? https://github.com/IQSS/dataverse/pull/5349
11:15
poikilotherm
Heyho pdurbin, good morning ;-)
11:16
poikilotherm
I had no chance to test this yet
11:16
poikilotherm
But yes, this would make things easier, so merging it would be perfect
11:39
pdurbin
poikilotherm: ok, any suggestions on how to test it? I was thinking about trying to add a column to a table to start. I'd like to get it off my plate (I volunteered to code review it) and on to QA.
11:56
poikilotherm
Maybe move the reference_data.sql stuff into Flyway?
11:57
poikilotherm
Anything in there that would blow up existing installations?
11:58
poikilotherm
Maybe - just maybe - create the databases from Flyway instead of relying on the persistence framework for this?
11:58
poikilotherm
err... meant tables of course
12:25
pdurbin
Hmm. It *would* be nice to remove the reference data step from the installer.
12:26
pdurbin
I guess I'm thinking that as long as this pull request doesn't break anything, it would be nice to have flyway in our app so we can use it in the future. It would give us more options, hopefully.
12:33
poikilotherm
pdurbin can I "just use" the unblock key once the API is blocked via ?key=... or X-Dataverse-key?
12:36
poikilotherm
Ah got it
13:21
pdurbin
It's confusing. I think they're both called "key".
13:21
pdurbin
Sounds like you figured it out. Good. :)
13:30
poikilotherm
The unblocking key needs to be specified with "unblock-key"
13:30
poikilotherm
This is not very intuitive :-/
13:31
poikilotherm
And maybe it would be cleaner to use admin account api token anyway
13:31
poikilotherm
"localhost only" is not an option within a Kubernetes cluster... ;-)
13:35
pdurbin
pull requests welcome :)
13:37
poikilotherm
...
13:37
poikilotherm
I think I almost completed my basic Dataverse Kubernetes setup...
13:37
poikilotherm
DB , Solr and Dataverse
13:37
pdurbin
nice
13:38
pdurbin
Do you feel like leaving a comment at https://github.com/IQSS/dataverse/issues/4665 about it?
13:47
yoh joined #dataverse
13:54
poikilotherm
https://github.com/IQSS/dataverse/issues/4665#issuecomment-467446353
13:54
poikilotherm
Done ;-)
14:00
poikilotherm
pdurbin if you want, give this a shot :-D You still need MiniKube, but that should be ok, right?
14:10
isullivan joined #dataverse
14:17
donsizemore joined #dataverse
14:25
pdurbin
yep, we installed it together, if you recall :)
14:37
pdurbin
mornin' donsizemore
14:55
donsizemore joined #dataverse
15:07
Sherry joined #dataverse
15:23
pameyer joined #dataverse
16:29
pdurbin
andrewSC bjonnh bricas candy` donsizemore isullivan jri pmauduit xarthisius yoh: community call in 30 minutes: https://dataverse.org/community-calls
18:07
Julio_Chaves joined #dataverse
18:15
Julio_Chaves
Hello dataverse fellows, we are trying to figure out the dataverse authentication from ADFS users through shibboleth. We've had success so far, since we are not seeing any more errors, but after the login process it seems that it was not really done, there is only a kind of "blank screen".
18:36
pdurbin
pameyer: help!
18:36
pdurbin
Julio_Chaves: he may have stepped out for lunch.
18:37
pdurbin
pameyer: there's Indian food in the Quantina if you haven't. :)
18:37
Julio_Chaves
ok, I'll also write on the google group...
18:38
pdurbin
Julio_Chaves: cool. Do you see anything at https://dataverse.example.edu/Shibboleth.sso/Session (for your hostname)?
18:39
pdurbin
I put an example of how "Session" might look at http://guides.dataverse.org/en/4.11/installation/shibboleth.html#exchange-metadata-with-your-identity-provider
18:42
Julio_Chaves
@pdurbin, if I type https://dataverse-dev.fgv.br/Shibboleth.sso/Session , I receive A valid session was not found.
18:42
Julio_Chaves
"A valid session was not found."
18:43
pdurbin
Hmm, that's not good, obviously. :) You've already logged in through ADFS in that browser?
18:43
pdurbin
donsizemore: any thoughts on this?
18:46
Julio_Chaves
Hi, another college did a try and the output was quite different: Miscellaneous
18:46
Julio_Chaves
Session Expiration (barring inactivity): 474 minute(s)
18:46
Julio_Chaves
Client Address: XXXXXXX
18:46
Julio_Chaves
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
18:46
Julio_Chaves
Identity Provider: http://fs.fgv.br/adfs/services/trust
18:46
Julio_Chaves
Authentication Time: 2019-02-26T18:37:22.882Z
18:46
Julio_Chaves
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
18:46
Julio_Chaves
Authentication Context Decl: (none)
18:46
Julio_Chaves
Attributes
18:47
Julio_Chaves
group: Domain Users;GROUPS LIST
18:47
Julio_Chaves
name: LOGIN_NAME
18:47
Julio_Chaves
upn:LOGIN_NAME fgv.br
18:51
pameyer
pdurbin - thanks, just got back
18:52
pameyer
@Julio_Chaves - reading the logs
18:54
Julio_Chaves
May be a lack of attributes mapping...
18:54
pameyer
one thing I found very helpful was to check the shibboleth logs for warning messages about "unmapped attributes"
18:55
Julio_Chaves
I'm looking into...
18:55
pameyer
I don't remember if it was shibd.log , or shibd_warning.log
18:56
Julio_Chaves
there is only one : INFO Shibboleth.AttributeExtractor.XML [4]: skipping unmapped SAML 2.0 Attribute with Name: email, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
18:57
pameyer
what do you have in your attribute-map.xml for `id="mail"`?
19:00
pameyer
something different than `<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" id="mail"/>` ?
19:02
Julio_Chaves
nothing
19:03
Julio_Chaves
we have only email
19:03
Julio_Chaves
<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" id="email"/>
19:03
Julio_Chaves
we are changing to see it
19:03
Julio_Chaves
from email to mail
19:04
pameyer
it may be worth checking the glassfish server.log to see if there's a corresponding message about not being able to get mail from shibboleth; but that would be consistent
19:12
Julio_Chaves
The SAML assertion for "Shib-Identity-Provider" was null.
19:14
Julio_Chaves
Need to know where I need to fill this information...
19:15
Julio_Chaves
I've got this from glassfish log
19:15
pameyer
do you see anything at $HOST/Shibboleth.sso/DiscoFeed ?
19:16
Julio_Chaves
yes
19:16
Julio_Chaves
"entityID": "http://fs.fgv.br/adfs/services/trust"
19:16
pameyer
great
19:16
Julio_Chaves
"http://fs.fgv.br/adfs/services/trust"
19:16
Julio_Chaves
http://fs.fgv.br/adfs/services/trust
19:16
pameyer
I'd been briefly puzzled by not having an "(optional)" or "(required)" in the glassfish log - but I was looking in the wrong place
19:21
pameyer
any change with the id switch?
19:21
yoh joined #dataverse
19:45
Julio_Chaves joined #dataverse
19:48
pdurbin
Julio_Chaves: question about id. ^^
19:50
pameyer
pdurbin - I'd guess they're checking (or multi-tasking like the rest of us ;) )
19:51
pdurbin
yeah, I dropped everything earlier when there was free Indian food
19:57
Julio_Chaves
pdurbin: I'm not sure about what would be "id switch"...
20:01
pdurbin
Julio_Chaves: it was a question from pameyer
20:02
pdurbin
it looks like you had id="email"
20:02
pdurbin
and now you have id="mail"?
20:02
Julio_Chaves
pdurbin: Yes, I understood that, but I don't know what that means...
20:03
Julio_Chaves
Yes, we've changed to "mail", but until now it's not working yet.
20:03
pdurbin
ok
20:03
pdurbin
so you're still blocked on 'The SAML assertion for "Shib-Identity-Provider" was null'? Or something else?
20:04
Julio_Chaves
We did not fill it in any place...
20:05
Julio_Chaves
It seems to be a shibb product? https://www.shibboleth.net/products/identity-provider/
20:06
Julio_Chaves
If it's necessary to fill the "Shib-Identity-Provider" in, we need to know where to fill it, and what would be the value.
20:07
pdurbin
This is related: https://github.com/IQSS/dataverse/issues/2129
20:07
Julio_Chaves
Sorry, may be basic things..
20:08
pdurbin
No, it's a good question. Did you solve this, pameyer ?
20:22
Julio_Chaves
I understood that Shib-Identity-Provider is a tag to match an ADFS group, which would be an authorized group to log in to the dataverse platform. Until now, we really don't need it, the librarians said that anyone inside the university (all ADFS users) may have a profile inside dataverse.
21:05
pameyer
I don't recall doing any specific configuration for Shib-Identity-Provider; I can check the logs later this week to see if I see anything related
21:16
pdurbin
"Shib-Identity-Provider" is the attribute I used to get at this entityID, for example: Identity Provider: https://idp.testshib.org/idp/shibboleth (from Session)
21:35
pdurbin
pameyer: according to this example, the IdP comes first, then the pipe, then the unique string for the user: "persistentUserId": "https://idp.example.com/idp/shibboleth|5e97f768" ... from https://github.com/IQSS/dataverse/issues/3009 ... so I think I drew it wrong on the whiteboard. But you get the idea.
21:40
pameyer
yup - I get the idea
21:41
pameyer
after a little time to think about it, if I'm remembering correctly I sent the list of attributes to the ADFS/IDP admin on a form with "this is what the app says it needs"
21:41
pameyer
so that may be why I didn't need to do any attribute mapping for it
21:44
pameyer
still planning to take a closer look at that system later this week