-
Notifications
You must be signed in to change notification settings - Fork 36
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Apache and Shibboleth #18
Comments
You would probably get the best advice by posting to the Shibboleth mailing list: https://www.shibboleth.net/community/lists/ |
@Coding-Composer We just managed to do it. Advice still needed? |
Yes! We have a working version with jupyterhub 0.9.6, but upgrading to 1.1.0 breaks the "Access Server" option (for admins to access notebooks). If you're still about, would love to have help. |
@lickdragon I'm glad to help. Where do you need advice exactly? You do have Shibboleth authentication already up and running? |
@lickdragon <https://github.com/lickdragon> I'm glad to help. Where do
you need advice exactly? You do have Shibboleth authentication already
up and running?
That would be great!
Yes, in Jupyterhub 0.9.6 everything works as expected.
But using exactly the same config files, jupyterhub 1.1.0 (also 1.0.0b)
mostly works. E.g. a user can use Shibboleth to log in and access their
notebook.
The feature lacking is that an admin can no longer access another user's
running notebook. ('Control Panel -> Admin -> access server'). (Do you
have this working?)
Instead an access page is displayed.
"
Authorize access
A service is attempting to authorize with your JupyterHub account
Server at /user/amadrid/ (oauth URL: /user/amadrid/oauth_callback) would
like permission to identify you. It will not be able to take actions on
your behalf.
"
Something changed in the jupyterhub behavior, so possibly this is a
jupyterhub problem, not a jhub_remote_user problem. But maybe something
needs to be adapted in our config or in jhub_remote_users. I don't know.
Here's our apache config:
<VirtualHost *:80>
ServerName "jupyterhub5.fqdn"
Redirect permanent / https://jupyterhub5.fqdn/
</VirtualHost>
<VirtualHost *:443>
ServerName "jupyterhub5.fqdn"
ProxyPass /Shibboleth.sso !
ProxyPassReverse /Shibboleth.sso !
ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/
<Proxy "*">
Header edit Origin "jupyterhub5.fqdn" 127.0.0.1:8000
RequestHeader edit Origin "jupyterhub5.fqdn" 127.0.0.1:8000
Header edit Referer "jupyterhub5.fqdn" 127.0.0.1:8000
RequestHeader edit Referer "jupyterhub5.fqdn" 127.0.0.1:8000
</Proxy>
# proxy websockets
<Location ~
"/(user/[^/]*)/(api/kernels/[^/]+/channels|terminals/websocket)/?">
ProxyPass ws://127.0.0.1:8000
ProxyPassReverse ws://127.0.0.1:8000
</Location>
# authentication interferes with websockets and isn't needed,
so only apply it to /hub
<Location ~ "^/hub">
AuthType shibboleth
ShibRequestSetting applicationId "jupyterhub5.fqdn"
ShibRequestSetting requireSession 1
Require valid-user
Allow from all
RewriteEngine on
RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
RequestHeader set REMOTE_USER %{PROXY_USER}e
</Location>
Include /etc/apache2/star.fqdn_ssl.conf
</VirtualHost>
|
Compatibility with JupyterHub v1.0.0 cwaldbieser#18
Has anyone used this authenticator in combination with Shibboleth and Apache as a proxy? Do you have any advice on how to get this working?
Maybe someone can point me to some documentation or how-to-guide. Or maybe someone can think of an easier way to do this. I appreciate any help.
The text was updated successfully, but these errors were encountered: