Shibboleth/SAML Authentication again: /login ignored #13324

Closed
localguru opened this issue May 5, 2023 · 13 comments

localguru commented May 5, 2023

When updating jitsi-meet-web from 1.0.5913 to the newest stable version 1.0.7235 from https://download.jitsi.org stable/ on Ubuntu 20.04 LTS + nginx 1.24.0 (module-headersmore, module-shibboleth) the login to Shibboleth is completely ignored by jitsi-meet-web. Is this still an issue or did I miss some new configuration after updating?

This issue is related to #9026 and this post in forum and jitsi/jicofo#724, but those didn't help me out.

And final question: is the shibboleth support dropped or not? In various places you read that the Shibboleth support is to be dropped, but it is not understandable whether this has already happened or not. The doc for Shibboleth has been removed from the repo, see jitsi/jicofo#693 - what is the current status here?

@damencho
Member

damencho commented May 5, 2023

Yes it is removed.

damencho closed this as completed May 5, 2023

@damencho
Member

damencho commented May 5, 2023

jitsi/jicofo@f0d2311

@localguru
Author

@damencho thanks for helping! What is the way to get authentication to our central IDM (Shibboleth) working? Any other ways that are supported by Jitsi now?

And does the removal already affect the current stable 1.0.7235?

@saghul
Member

saghul commented May 5, 2023

You can use this perhaps: https://github.com/Renater/Jitsi-SAML2JWT

@localguru
Author

@saghul this is third party. Is this tested? @daimoc Is this working?

I somehow can't quite understand why Shibboleth support was disabled. In larger organizations like universities it is common to authenticate web based services against Shibboleth. The configuration is admittedly a pain, but now we're left with no alternative, which could lead to Jitsi being shut down if no way to authenticate to Shibboleth results. I think the least would have been to point this out on the original Shibboleth doc page and show alternatives.

@mtessmer1

We rely on Shibboleth authentication as it is a central service in our organisation (university), so disabling is problematic for us.

@saghul
Member

saghul commented May 5, 2023

> @saghul this is third party. Is this tested? @daimoc Is this working?

Yes it is, @daimoc wrote it to replace Shibboleth auth which we deprecated a while ago.

The writing has been on the wall for a while.

> I somehow can't quite understand why Shibboleth support was disabled. In larger organizations like universities it is common to authenticate web based services against Shibboleth. The configuration is admittedly a pain, but now we're left with no alternative, which could lead to Jitsi being shut down if no way to authenticate to Shibboleth results.

The simple answer is we can't reliably maintain it since we don't use it. Plus, it's possible to use an external service to transform any auth into token based auth so it makes things easier to maintain. We waited until such tool existed before removing support for it.

> I think the least would have been to point this out on the original Shibboleth doc page and show alternatives.

🤦 You're right.

@saghul
Member

saghul commented May 5, 2023

jitsi/jicofo#1088

@localguru
Author

For a temporary solution - until I implement the JWT setup - would it be possible to add the removed Shibboleth code back? In that case I would build a Debian package and use that for now. Or would that not work?

@damencho
Member

damencho commented May 5, 2023

The latest version that has it is https://download.jitsi.org/unstable/jicofo_1.0-1024-1_all.deb
You can download and use that.

@localguru
Author

> The latest version that has it is https://download.jitsi.org/unstable/jicofo_1.0-1024-1_all.deb You can download and use that.

Thanks. And patching the current stable version. Would that work too?

@damencho
Member

damencho commented May 5, 2023

Yep you can download sources for jicofo 1027 and try patching it, by applying the removed code, rebuild and run that.

@daimoc
Contributor

daimoc commented May 5, 2023

> For a temporary solution - until I implement the JWT setup - would it be possible to add the removed Shibboleth code back? In that case I would build a Debian package and use that for now. Or would that not work?

It's maybe faster to enable the JWT setup than rebuilding a custom jicofo jar.
If you already have a working nginx with shibboleth setup you only need a basic jwt generator and some configuration on nginx and jitsi.
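
A sketch of the "basic jwt generator" step discussed in this thread, added here as an example; it is not code from Jitsi or from Jitsi-SAML2JWT. It assumes the Shibboleth-protected nginx location hands the application the attributes `eppn`, `displayName` and `mail`, and that the deployment uses shared-secret (HS256) token authentication; the function names and all claim values are illustrative.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(app_secret: str, signing_input: str) -> bytes:
    return hmac.new(app_secret.encode("utf-8"), signing_input.encode("ascii"),
                    hashlib.sha256).digest()

def mint_jitsi_jwt(attrs, room, app_id, app_secret, domain, now=None, ttl=300):
    """Turn attributes from a Shibboleth-protected location into an HS256 token."""
    # Fail closed: no identity from the IdP means no token.
    user_id = (attrs.get("eppn") or "").strip()
    if not user_id:
        raise ValueError("no authenticated Shibboleth identity")
    # Scope each token to one room; a wildcard would be valid for every conference.
    if not room or room == "*":
        raise ValueError("token must name a single room")
    now = int(time.time()) if now is None else now
    claims = {
        "iss": app_id,      # assumed to match the app id configured for token auth
        "aud": "jitsi",     # assumed audience value
        "sub": domain,      # assumed Jitsi domain
        "room": room,
        "nbf": now,
        "exp": now + ttl,   # short-lived: only needed at join time
        "context": {"user": {"id": user_id,
                             "name": attrs.get("displayName") or user_id,
                             "email": attrs.get("mail") or ""}},
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    return signing_input + "." + _b64url(_sign(app_secret, signing_input))

def verify_jitsi_jwt(token, app_secret, now=None):
    """Check signature and validity window, as any consumer of the token must."""
    signing_input, _, sig = token.rpartition(".")
    if not hmac.compare_digest(_sign(app_secret, signing_input), _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(signing_input.split(".")[1]))
    now = int(time.time()) if now is None else now
    if not claims["nbf"] <= now < claims["exp"]:
        raise ValueError("token outside validity window")
    return claims
```

The attributes must come only from the Shibboleth-protected location, with any client-supplied headers of the same names cleared by nginx before they reach the generator.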
