Page tree
Skip to end of metadata
Go to start of metadata


Based on the work done on and , it isn't been possible for all to accomplish authentication using shibboleth. We agree to share workable configurations.


In DSpace configuration, local.cfg file, ensure these lines are uncommented:

# Shibboleth authentication/authorization. See authentication-shibboleth.cfg for default configuration. = org.dspace.authenticate.ShibAuthentication

# Enabled by default in authentication.cfg = org.dspace.authenticate.PasswordAuthentication

we also use default attributes that are mapped in my Shibboleth (version 3.0.4) attribute map (this may differ accordingly with the IdP).

In my local setup (Paulo Graça ), I'm using Apache/2.4.6 (CentOS) with Proxypass with this settings. This is also tested (Ben Bosman ) with Apache/2.4.41 (Amazon Linux 2):

<VirtualHost *:443>  
	<Proxy *>
		AddDefaultCharset Off
		Order deny,allow
		Allow from all

	# The Shibboleth handler shall process all HTTPS requests on this location...
    <Location /server/api/authn/shibboleth>
        Order deny,allow
        Allow from all
		AuthType shibboleth
		ShibUseHeaders On
		Require shibboleth
	# The Shibboleth handler shall process all HTTPS requests on this location...
    <Location /server/api/authn/login>
        Order deny,allow
        Allow from all
		AuthType shibboleth
		ShibUseHeaders On
		Require shibboleth

    #Adding SSL Proxy Engine On
    SSLProxyEngine on
	ProxyRequests off
    ProxyPreserveHost On

	# A specific configuration for shibboleth proxypass
	ProxyPass /Shibboleth.sso !

	# A specific proxypass configuration for DSpace server (both server and angular on the same machine)
	ProxyPass /server ajp://localhost:8009/server
	ProxyPassReverse /server ajp://localhost:8009/server

	# A specific proxypass configuration for Angular
	ProxyPass / http://localhost:3000/
	ProxyPassReverse / http://localhost:3000/

The AJP proxy only works (Ben Bosman) if shibboleth2.xml doesn't contain the attribute attributePrefix="AJP_" in the ApplicationDefaults.

I'm (Paulo Graça) also using Tomcat v9 (apache-tomcat-9.0.30) and java-11-openjdk.x86_64, with a almost default tomcat server.xml file. Ben Bosman has created the setup with apache-tomcat-9.0.31 and OpenJDK Runtime Environment Corretto-

<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <!-- (...) -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
  <!-- (...) -->
      <Host name="localhost"  appBase="/dspace/webapps" unpackWARs="true" autoDeploy="true" xmlNamespaceAware="false" xmlValidation="false">
		<Context allowLinking="true" path="" docBase="server" />
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="access_log" suffix=".log" pattern="%h %l %u %t "%r" %s %b" />
  <!-- (...) -->

Separate REST and Angular hostname

When using separate hostnames for REST and Angular, more configuration is required on the REST Apache to make sure you allow requests from the given hostname. The configuration below allows access from localhost:3000 and (tested by Ben Bosman)

Apache config
SetEnvIf Origin "^http(s)?://(www\.)?(dspace7\-demo\.atmire\.com|localhost\:3000|127\.0\.0\.1\:3000)$" AccessControlAllowOrigin=$0
  Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
  Header set Access-Control-Allow-Credentials true env=AccessControlAllowOrigin
  Header set Access-Control-Expose-Headers: "Authorization, expires, Location, Content-Disposition, WWW-Authenticate, Set-Cookie, X-Requested-With"
  Header merge Vary Origin

Also make sure you don't have a Proxy for http://localhost:3000/ if you're testing from http://localhost:3000/

This setup currently causes warnings:

A cookie associated with a cross-site resource at was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at and

Related resources

1 Comment

  1. This documentation needs updating based on the fixes applied in  DS-4473 - Getting issue details... STATUS    Simply put, the "Access-Control-Allow-Credentials" header is now provided by the REST API