Current File(s): conf/authn/remoteuser-authn-config.xml, (edit-)webapp/WEB-INF/web.xml, conf/authn/authn.properties (V4.1+)
Format: Native Spring, Properties (V4.1+)
Overview
The authn/RemoteUser login flow relies on whatever container-based mechanism you have available (HTTP BASIC auth, LDAP, Kerberos, other SSO systems, etc.). By default, this flow is configured without support for advanced authentication controls like passive or forced authentication. In most cases, implementing support for those features in conjunction with other SSO systems should be done with the External flow.
This flow is actually implemented as a special case of the External flow that happens to use a supplied servlet to implement the External contract that supports extraction of the identity from the request. Rather than customizing this flow, use the External flow itself if you need to do other things instead of or in addition to this behavior.
Enabling Module (V4.1+)
For V4.1+, configuring and using this feature requires that you first enable the "idp.authn.RemoteUser" module if it isn't already enabled. Systems upgraded from older releases generally come pre-enabled due to the prior state of the configuration tree.
(Windows)
C:\opt\shibboleth-idp> bin\module.bat -t idp.authn.RemoteUser || bin\module.bat -e idp.authn.RemoteUser
(Other)
$ bin/module.sh -t idp.authn.RemoteUser || bin/module.sh -e idp.authn.RemoteUser
General Configuration
V4.0
Use authn/remoteuser-authn-config.xml and/or edit-webapp/WEB-INF/web.xml to configure this flow.
The shibboleth.authn.RemoteUser.externalAuthnPath bean defines the flow redirection path to the resource that's used to pick up the container-established identity, by default a context-relative location. It can be modified if needed.
V4.1+
Use authn/authn.properties, authn/remoteuser-authn-config.xml and/or edit-webapp/WEB-INF/web.xml to configure this flow.
The idp.authn.RemoteUser.externalAuthnPath property defines the flow redirection path to the resource that's used to pick up the container-established identity, by default a context-relative location. It can be modified if needed.
If you need to support multiple external paths, you can supply a bean of type Function<ProfileRequestContext,String> with the name shibboleth.authn.RemoteUser.externalAuthnPathStrategy
The shibboleth.authn.RemoteUser.ClassifiedMessageMap bean is a map of error messages to classified error conditions that isn't often used with this handler because it generally won't return with any contextual details that you can make use of. If this comes into play, the External flow is probably what you're meant to use. One typical need is to map specific events to the "ReselectFlow" event in order to allow the IdP to "fall-through" to other methods.
The servlet that implements the authentication for this flow is configured in webapp/WEB-INF/web.xml and can be given parameters that extend it to support arbitrary headers or request attributes instead of or in addition to the REMOTE_USER reserved CGI variable (the identity of the requester as established by the web server / container, which Java exposes in the Servlet API with the getRemoteUser
method). By default, it supports only the "real" REMOTE_USER value exposed via that API (this does not include headers named to emulate it, a very poor practice due to the potential for confusion).
As always, when editing this file, make sure to copy it to edit-webapp/WEB-INF/web.xml first and make any changes to that copy.
The following servlet init parameters are supported:
checkRemoteUser (true or false)
checkAttributes (list of space-delimited request attribute names)
checkHeaders (list of space-delimited request header names)
subjectAttribute (name of request attribute)
authnMethodHeader (name of request header)
authnAuthorityHeader (name of request header) (V3.4+)
The algorithm of the servlet is roughly:
If subjectAttribute is set, check it for a Java Subject to use. If found, it will be returned through the External Authentication interface and all the other settings are ignored.
Otherwise, check for a principal name as directed by the settings, in REMOTE_USER, attributes, and headers (in that order). If not found, authentication fails.
If authnMethodHeader is set, check each value to see if the associated login flow supports a custom Principal matching the value in the header, and if so, attach that Principal to the Subject returned through the External Authentication interface. Note that if the header contains a value not supported by the associated login flow, it will be logged, but otherwise not impact the success of this flow. By the time this feature is executing, it's already a given that the result was successful.
If you need something different from this, your best option is to use the External login flow and possibly adapt the existing servlet as an example to copy from for your own purposes. In all respects, this flow is simply a more concrete use of the External flow.
Reference
Beans (V4.0)
The beans defined in, or expected to be in, authn/remoteuser-authn-config.xml follow:
Bean ID / Type | Default | Description |
---|
shibboleth.authn.RemoteUser.externalAuthnPath String | contextRelative:Authn/RemoteUser | Spring Web Flow redirection expression for the protected resource |
shibboleth.authn.RemoteUser.externalAuthnPathStrategy Function<ProfileRequestContext,String> | A constant function returning the bean value above. | A function that returns the redirection expression to use for the protected resource. |
shibboleth.authn.RemoteUser.ClassifiedMessageMap Map<String,List<String>> | (see file) | A map between defined error/warning conditions and events and implementation-specific message fragments to map to them. |
shibboleth.authn.RemoteUser.resultCachingPredicate Predicate<ProfileRequestContext> | | An optional bean that can be defined to control whether to preserve the authentication result in an IdP session |
shibboleth.authn.RemoteUser.addDefaultPrincipals Boolean | true | Whether to add the content of the supportedPrincipals property of the underlying flow descriptor to the resulting Subject |
shibboleth.authn.RemoteUser.matchExpression Pattern | | Regular expression to match username against |
Beans (V4.1+)
The beans defined in, or expected to be in, authn/remoteuser-authn-config.xml follow:
Bean ID / Type | Default | Description |
---|
shibboleth.authn.RemoteUser.externalAuthnPathStrategy Function<ProfileRequestContext,String> | A constant function returning the bean value above. | A function that returns the redirection expression to use for the protected resource. |
shibboleth.authn.RemoteUser.ClassifiedMessageMap Map<String,List<String>> | (see file) | A map between defined error/warning conditions and events and implementation-specific message fragments to map to them. |
shibboleth.authn.RemoteUser.resultCachingPredicate Predicate<ProfileRequestContext> | | An optional bean that can be defined to control whether to preserve the authentication result in an IdP session |
Properties (V4.1+)
The flow-specific properties usable via authn/authn.properties are:
Name | Default | Description |
---|
idp.authn.RemoteUser.externalAuthnPath | contextRelative:Authn/RemoteUser | Spring Web Flow redirection expression for the protected resource |
idp.authn.RemoteUser.matchExpression | | Regular expression to match username against |
The general properties configuring this flow via authn/authn.properties are:
Name | Default | Description |
---|
idp.authn.RemoteUser.order | 1000 | Flow priority relative to other enabled login flows (lower is "higher" in priority) |
idp.authn.RemoteUser.nonBrowserSupported | false | Whether the flow should handle non-browser request profiles (e.g., ECP) |
idp.authn.RemoteUser.passiveAuthenticationSupported | false | Whether the flow allows for passive authentication |
idp.authn.RemoteUser.forcedAuthenticationSupported | false | Whether the flow supports forced authentication |
idp.authn.RemoteUser.proxyRestrictionsEnforced | %{idp.authn.enforceProxyRestrictions:true} | Whether the flow enforces upstream IdP-imposed restrictions on proxying |
idp.authn.RemoteUser.proxyScopingEnforced | false | Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying |
idp.authn.RemoteUser.discoveryRequired | false | Whether to invoke IdP-discovery prior to running flow |
idp.authn.RemoteUser.lifetime | %{idp.authn.defaultLifetime:PT1H} | Lifetime of results produced by this flow |
idp.authn.RemoteUser.inactivityTimeout | %{idp.authn.defaultTimeout:PT30M} | Inactivity timeout of results produced by this flow |
idp.authn.RemoteUser.reuseCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> controlling result reuse for SSO |
idp.authn.RemoteUser.activationCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> determining whether flow is usable for request |
idp.authn.RemoteUser.subjectDecorator | | Bean ID of BiConsumer<ProfileRequestContext,Subject> for subject customization |
idp.authn.RemoteUser.supportedPrincipals | (see below) | Comma-delimited list of protocol-specific Principal strings associated with flow |
idp.authn.RemoteUser.addDefaultPrincipals | true | Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow |
Most of the flows, including this one, default to describing themselves in terms of "password"-based authentication, so the supportedPrincipals
property defaults to the following XML:
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
</list>
In property form, this is expressed as (note especially the trailing commas, which MUST be there):
idp.authn.RemoteUser.supportedPrincipals = \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
saml1/urn:oasis:names:tc:SAML:1.0:am:password
Flow Descriptor XML (V4.1+)
To replace the internally defined flow descriptor bean, the following XML is required:
<util:list id="shibboleth.AvailableAuthenticationFlows">
<bean p:id="authn/RemoteUser" parent="shibboleth.AuthenticationFlow"
p:order="%{idp.authn.RemoteUser.order:1000}"
p:nonBrowserSupported="%{idp.authn.RemoteUser.nonBrowserSupported:false}"
p:passiveAuthenticationSupported="%{idp.authn.RemoteUser.passiveAuthenticationSupported:false}"
p:forcedAuthenticationSupported="%{idp.authn.RemoteUser.forcedAuthenticationSupported:false}"
p:proxyRestrictionsEnforced="%{idp.authn.RemoteUser.proxyRestrictionsEnforced:%{idp.authn.enforceProxyRestrictions:true}}"
p:proxyScopingEnforced="%{idp.authn.RemoteUser.proxyScopingEnforced:false}"
p:discoveryRequired="%{idp.authn.RemoteUser.discoveryRequired:false}"
p:lifetime="%{idp.authn.RemoteUser.lifetime:%{idp.authn.defaultLifetime:PT1H}}"
p:inactivityTimeout="%{idp.authn.RemoteUser.inactivityTimeout:%{idp.authn.defaultTimeout:PT30M}}"
p:reuseCondition-ref="#{'%{idp.authn.RemoteUser.reuseCondition:shibboleth.Conditions.TRUE}'.trim()}"
p:activationCondition-ref="#{'%{idp.authn.RemoteUser.activationCondition:shibboleth.Conditions.TRUE}'.trim()}"
p:subjectDecorator-ref="#{getObject('%{idp.authn.RemoteUser.subjectDecorator:}'.trim())}">
<property name="supportedPrincipalsByString">
<bean parent="shibboleth.CommaDelimStringArray"
c:_0="#{'%{idp.authn.RemoteUser.supportedPrincipals:}'.trim()}" />
</property>
</bean>
</util:list>
In older versions and upgraded systems, this list is defined in conf/authn/general-authn.xml. In V4.1+, no default version of the list is provided and it may simply be placed in conf/global.xml if needed.
Notes
This flow is configured by default without support for non-browser profiles (namely ECP) because the RemoteUserInternal flow is a better choice for container-based authentication when a browser isn't required. It eliminates the extra redirects used by this flow. If your clients can handle the redirects and you prefer to use this flow, you can (V4.0) change or remove the nonBrowserSupported
bean property set on the flow in authn/general-authn.xml, or (V4.1+) set the idp.authn.RemoteUser.nonBrowserSupported property in authn/authn.properties.