RemoteUserInternalAuthnConfiguration

Current File(s): conf/authn/remoteuser-internal-authn-config.xml, conf/authn/authn.properties (V4.1+)
Format: Native Spring, Properties (V4.1+)

Overview

The authn/RemoteUserInternal login flow relies on whatever container-based mechanism you have available (HTTP BASIC auth, LDAP, Kerberos, other SSO systems, etc.). It is particularly friendly to non-browser profiles such as ECP. By default, this flow is configured without support for advanced authentication controls like passive or forced authentication.

The difference between this flow and the RemoteUser flow is that this flow doesn't redirect to a protected path; rather, the path of the requested profile flow has to be protected, which will trigger as soon as the client makes its first request. This is primarily suited to the use of basic-authentication and non-browser clients, though of course this will depend on the exact mechanism involved. Using a second SSO mechanism is likely to be incompatible with non-browser clients.

The main disadvantage of using this flow for browser use cases is that it will perform the request for authentication without having a chance to determine if the request will succeed, which may be undesirable from a usability perspective.

Enabling Module (V4.1+)

For V4.1+, configuring and using this feature requires that you first enable the "RemoteUserInternal" module if it isn't already enabled. Systems upgraded from older releases generally come pre-enabled due to the prior state of the configuration tree.

1 2 3 4 5 (Windows) C:\opt\shibboleth-idp> bin\module.bat -t RemoteUserInternal || bin\module.bat -e RemoteUserInternal (Other) $ bin/module.sh -t RemoteUserInternal || bin/module.sh -e RemoteUserInternal

General Configuration

Use authn/remoteuser-internal-authn-config.xml to configure this flow. Various beans are defined to control how the user identity is extracted from the HTTP request, various transforms to perform on the resulting name prior to final evaluation, and rules for evaluating the name, such as allow/deny lists, or a matching expression. Simple echoing of the extracted REMOTE_USER value requires no changes. See the reference below for a complete list.

Simple echoing of the extracted REMOTE_USER value requires no special settings. Other simple options are available using authn/authn.properties, and some more advanced cases will require defining/adjusting bean definitions in authn/remoteuser-internal-authn-config.xml

Reference

The following beans are defined, or expected to be defined in, authn/remoteuser-internal-authn-config.xml:

Bean ID

Type

Default

Description

Bean ID

Type

Default

Description

shibboleth.authn.RemoteUser.checkRemoteUser

Boolean

true

Whether to check REMOTE_USER for a username

shibboleth.authn.RemoteUser.checkAttributes

List<String>



A list of servlet request attributes to check for a username

shibboleth.authn.RemoteUser.checkHeaders

List<String>



A list of request headers to check for a username

shibboleth.authn.RemoteUser.Lowercase

Boolean

false

Whether to lowercase the username

shibboleth.authn.RemoteUser.Uppercase

Boolean

false

Whether to uppercase the username

shibboleth.authn.RemoteUser.Trim

Boolean

true

Whether to trim leading and trailing whitespace from the username

shibboleth.authn.RemoteUser.Transforms

List<Pair<String,String>>



Pairs of regular expressions and replacement expressions to apply to the username

shibboleth.authn.RemoteUser.whitelistedUsernames

List<String>



A list of usernames to accept (blocking all others)

shibboleth.authn.RemoteUser.blacklistedUsernames

List<String>



A list of usernames to reject (accepting all others)

shibboleth.authn.RemoteUser.matchExpression

Pattern



A regular expression that must match the username

shibboleth.authn.RemoteUser.resultCachingPredicate

Predicate<ProfileRequestContext>



An optional bean that can be defined to control whether to preserve the authentication result in an IdP session

shibboleth.authn.RemoteUser.addDefaultPrincipals

Boolean

true

Whether to add the content of the supportedPrincipals property of the underlying flow descriptor to the resulting Subject

The following beans are defined, or expected to be defined in, authn/remoteuser-internal-authn-config.xml:

Bean ID

Type

Description

Bean ID

Type

Description

shibboleth.authn.RemoteUser.Transforms

List<Pair<String,String>>

Pairs of regular expressions and replacement expressions to apply to the username

shibboleth.authn.RemoteUser.resultCachingPredicate

Predicate<ProfileRequestContext>

An optional bean that can be defined to control whether to preserve the authentication result in an IdP session

The flow-specific properties usable via authn/authn.properties are:

Name

Default

Description

Name

Default

Description

idp.authn.RemoteUserInternal.checkRemoteUser

true

Whether to check REMOTE_USER for a username

idp.authn.RemoteUserInternal.checkAttributes

 

Comma-delimited lists of request attributes to check for a username

idp.authn.RemoteUserInternal.checkHeaders

 

Comma-delimited list of request headers to check for a username

idp.authn.RemoteUserInternal.trim

true

Whether to trim leading and trailing whitespace from the username before validating it

idp.authn.RemoteUserInternal.lowercase

false

Whether to lowercase the username before validating it

idp.authn.RemoteUserInternal.uppercase

false

Whether to uppercase the username before validating it

idp.authn.RemoteUserInternal.matchExpression

 

A regular expression that must match the username

idp.authn.RemoteUserInternal.allowedUsernames

 

Comma-delimited list of usernames to accept (blocking all others)

idp.authn.RemoteUserInternal.deniedUsernames

 

Comma-delimited list of usernames to deny (accepting all others)

The general properties configuring this flow via authn/authn.properties are:

Name

Default

Description

Name

Default

Description

idp.authn.RemoteUserInternal.order

1000

Flow priority relative to other enabled login flows (lower is "higher" in priority)

idp.authn.RemoteUserInternal.nonBrowserSupported

true

Whether the flow should handle non-browser request profiles (e.g., ECP)

idp.authn.RemoteUserInternal.passiveAuthenticationSupported

false

Whether the flow allows for passive authentication

idp.authn.RemoteUserInternal.forcedAuthenticationSupported

false

Whether the flow supports forced authentication

idp.authn.RemoteUserInternal.proxyRestrictionsEnforced

%{idp.authn.enforceProxyRestrictions:true}

Whether the flow enforces upstream IdP-imposed restrictions on proxying

idp.authn.RemoteUserInternal.proxyScopingEnforced

false

Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying

idp.authn.RemoteUserInternal.discoveryRequired

false

Whether to invoke IdP-discovery prior to running flow

idp.authn.RemoteUserInternal.lifetime

%{idp.authn.defaultLifetime:PT1H}

Lifetime of results produced by this flow

idp.authn.RemoteUserInternal.inactivityTimeout

%{idp.authn.defaultTimeout:PT30M}

Inactivity timeout of results produced by this flow

idp.authn.RemoteUserInternal.reuseCondition

shibboleth.Conditions.TRUE

Bean ID of Predicate<ProfileRequestContext> controlling result reuse for SSO

idp.authn.RemoteUserInternal.activationCondition

shibboleth.Conditions.TRUE

Bean ID of Predicate<ProfileRequestContext> determining whether flow is usable for request

idp.authn.RemoteUserInternal.subjectDecorator

 

Bean ID of BiConsumer<ProfileRequestContext,Subject> for subject customization

idp.authn.RemoteUserInternal.supportedPrincipals

(see below)

Comma-delimited list of protocol-specific Principal strings associated with flow

idp.authn.RemoteUserInternal.addDefaultPrincipals

true

Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow

Most of the flows, including this one, default to describing themselves in terms of "password"-based authentication, so the supportedPrincipals property defaults to the following XML:

1 2 3 4 5 6 7 8 <list> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" /> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" /> <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="urn:oasis:names:tc:SAML:1.0:am:password" /> </list>

In property form, this is expressed as (note especially the trailing commas, which MUST be there):

1 2 3 4 idp.authn.RemoteUserInternal.supportedPrincipals = \ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \ saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \ saml1/urn:oasis:names:tc:SAML:1.0:am:password

To replace the internally defined flow descriptor bean, the following XML is required:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 <util:list id="shibboleth.AvailableAuthenticationFlows"> <bean p:id="authn/RemoteUserInternal" parent="shibboleth.AuthenticationFlow" p:order="%{idp.authn.RemoteUserInternal.order:1000}" p:nonBrowserSupported="%{idp.authn.RemoteUserInternal.nonBrowserSupported:true}" p:passiveAuthenticationSupported="%{idp.authn.RemoteUserInternal.passiveAuthenticationSupported:false}" p:forcedAuthenticationSupported="%{idp.authn.RemoteUserInternal.forcedAuthenticationSupported:false}" p:proxyRestrictionsEnforced="%{idp.authn.RemoteUserInternal.proxyRestrictionsEnforced:%{idp.authn.enforceProxyRestrictions:true}}" p:proxyScopingEnforced="%{idp.authn.RemoteUserInternal.proxyScopingEnforced:false}" p:discoveryRequired="%{idp.authn.RemoteUserInternal.discoveryRequired:false}" p:lifetime="%{idp.authn.RemoteUserInternal.lifetime:%{idp.authn.defaultLifetime:PT1H}}" p:inactivityTimeout="%{idp.authn.RemoteUserInternal.inactivityTimeout:%{idp.authn.defaultTimeout:PT30M}}" p:reuseCondition-ref="#{'%{idp.authn.RemoteUserInternal.reuseCondition:shibboleth.Conditions.TRUE}'.trim()}" p:activationCondition-ref="#{'%{idp.authn.RemoteUserInternal.activationCondition:shibboleth.Conditions.TRUE}'.trim()}" p:subjectDecorator-ref="#{getObject('%{idp.authn.RemoteUserInternal.subjectDecorator:}'.trim())}"> <property name="supportedPrincipalsByString"> <bean parent="shibboleth.CommaDelimStringArray" c:_0="#{'%{idp.authn.RemoteUserInternal.supportedPrincipals:}'.trim()}" /> </property> </bean> </util:list>

In older versions and upgraded systems, this list is defined in conf/authn/general-authn.xml. In V4.1+, no default version of the list is provided and it may simply be placed in conf/global.xml if needed.