RemoteUserInternalAuthnConfiguration

Current File(s): conf/authn/authn.properties
Format: Properties, Native Spring

1 Overview
2 General Configuration
3 Reference
4 Notes

Overview

The authn/RemoteUserInternal login flow relies on whatever container-based mechanism you have available (HTTP BASIC auth, LDAP, Kerberos, other SSO systems, etc.). It is particularly friendly to non-browser profiles such as ECP. By default, this flow is configured without support for advanced authentication controls like passive or forced authentication.

The difference between this flow and the RemoteUser flow is that this flow doesn't redirect to a protected path; rather, the path of the requested profile flow has to be protected, which will trigger as soon as the client makes its first request. This is primarily suited to the use of basic-authentication and non-browser clients, though of course this will depend on the exact mechanism involved. Using an external SSO mechanism is likely to be incompatible with non-browser clients.

The main disadvantage of using this flow for browser use cases is that it will perform the request for authentication without having a chance to determine if the request will succeed, which may be undesirable from a usability perspective.

General Configuration

Simple echoing of the extracted REMOTE_USER value requires no special settings. Other simple options are available using authn/authn.properties, many of which parallel the RemoteUser flow’s options), and some more advanced cases will require defining beans, which can be done in global.xml or an imported file.

Note for Upgraded Systems

The old file conf/authn/remoteuser-internal-authn-config.xml is now supported only for compatibility and generally not installed or needed going forward. In the rare case that beans may be needed, they can be defined in global.xml.

Reference

The following beans may be defined in global.xml:

Bean ID	Type	Description

Bean ID	Type	Description
shibboleth.authn.RemoteUserInternal.Transforms	List<Pair<String,String>>	Pairs of regular expressions and replacement expressions to apply to the username
shibboleth.authn.RemoteUserInternal.resultCachingPredicate	Predicate<ProfileRequestContext>	An optional bean that can be defined to control whether to preserve the authentication result in an IdP session
shibboleth.authn.RemoteUserInternal.ClassifiedMessageMap	Map<String,Collection<String>>	Optional remapping of exception messages or events into specific Spring Web Flow events.

The flow-specific properties usable via authn/authn.properties are:

Name	Default	Description

Name	Default	Description
idp.authn.RemoteUserInternal.checkRemoteUser	true	Whether to check REMOTE_USER for a username
idp.authn.RemoteUserInternal.checkAttributes		Comma-delimited lists of request attributes to check for a username
idp.authn.RemoteUserInternal.checkHeaders		Comma-delimited list of request headers to check for a username
idp.authn.RemoteUserInternal.trim	true	Whether to trim leading and trailing whitespace from the username before validating it
idp.authn.RemoteUserInternal.lowercase	false	Whether to lowercase the username before validating it
idp.authn.RemoteUserInternal.uppercase	false	Whether to uppercase the username before validating it
idp.authn.RemoteUserInternal.matchExpression		A regular expression that must match the username
idp.authn.RemoteUserInternal.allowedUsernames		Comma-delimited list of usernames to accept (blocking all others)
idp.authn.RemoteUserInternal.deniedUsernames		Comma-delimited list of usernames to deny (accepting all others)

The general properties configuring this flow via authn/authn.properties are:

Name	Default	Description

Name	Default	Description
idp.authn.RemoteUserInternal.order	1000	Flow priority relative to other enabled login flows (lower is "higher" in priority)
idp.authn.RemoteUserInternal.nonBrowserSupported	true	Whether the flow should handle non-browser request profiles (e.g., ECP)
idp.authn.RemoteUserInternal.passiveAuthenticationSupported	false	Whether the flow allows for passive authentication
idp.authn.RemoteUserInternal.forcedAuthenticationSupported	false	Whether the flow supports forced authentication
idp.authn.RemoteUserInternal.proxyRestrictionsEnforced	%{idp.authn.enforceProxyRestrictions:true}	Whether the flow enforces upstream IdP-imposed restrictions on proxying
idp.authn.RemoteUserInternal.proxyScopingEnforced	false	Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying
idp.authn.RemoteUserInternal.discoveryRequired	false	Whether to invoke IdP-discovery prior to running flow
idp.authn.RemoteUserInternal.lifetime	%{idp.authn.defaultLifetime:PT1H}	Lifetime of results produced by this flow
idp.authn.RemoteUserInternal.inactivityTimeout	%{idp.authn.defaultTimeout:PT30M}	Inactivity timeout of results produced by this flow
idp.authn.RemoteUserInternal.reuseCondition	shibboleth.Conditions.TRUE	Bean ID of Predicate<ProfileRequestContext> controlling result reuse for SSO
idp.authn.RemoteUserInternal.activationCondition	shibboleth.Conditions.TRUE	Bean ID of Predicate<ProfileRequestContext> determining whether flow is usable for request
idp.authn.RemoteUserInternal.subjectDecorator		Bean ID of BiConsumer<ProfileRequestContext,Subject> for subject customization
idp.authn.RemoteUserInternal.supportedPrincipals	(see below)	Comma-delimited list of protocol-specific Principal strings associated with flow
idp.authn.RemoteUserInternal.addDefaultPrincipals	true	Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow

Most of the flows, including this one, default to describing themselves in terms of "password"-based authentication, so the supportedPrincipals property defaults to the following XML:

<list>
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
    <bean parent="shibboleth.SAML1AuthenticationMethod"
        c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
</list>

In property form, this is expressed as (note especially the trailing commas, which MUST be there):

idp.authn.RemoteUserInternal.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
    saml1/urn:oasis:names:tc:SAML:1.0:am:password

To replace the internally defined flow descriptor bean, the following XML is required:

<util:list id="shibboleth.AvailableAuthenticationFlows">
 
    <bean p:id="authn/RemoteUserInternal" parent="shibboleth.AuthenticationFlow"
            p:order="%{idp.authn.RemoteUserInternal.order:1000}"
            p:nonBrowserSupported="%{idp.authn.RemoteUserInternal.nonBrowserSupported:true}"
            p:passiveAuthenticationSupported="%{idp.authn.RemoteUserInternal.passiveAuthenticationSupported:false}"
            p:forcedAuthenticationSupported="%{idp.authn.RemoteUserInternal.forcedAuthenticationSupported:false}"
            p:proxyRestrictionsEnforced="%{idp.authn.RemoteUserInternal.proxyRestrictionsEnforced:%{idp.authn.enforceProxyRestrictions:true}}"
            p:proxyScopingEnforced="%{idp.authn.RemoteUserInternal.proxyScopingEnforced:false}"
            p:discoveryRequired="%{idp.authn.RemoteUserInternal.discoveryRequired:false}"
            p:lifetime="%{idp.authn.RemoteUserInternal.lifetime:%{idp.authn.defaultLifetime:PT1H}}"
            p:inactivityTimeout="%{idp.authn.RemoteUserInternal.inactivityTimeout:%{idp.authn.defaultTimeout:PT30M}}"
            p:reuseCondition-ref="#{'%{idp.authn.RemoteUserInternal.reuseCondition:shibboleth.Conditions.TRUE}'.trim()}"
            p:activationCondition-ref="#{'%{idp.authn.RemoteUserInternal.activationCondition:shibboleth.Conditions.TRUE}'.trim()}"
            p:subjectDecorator="#{getObject('%{idp.authn.RemoteUserInternal.subjectDecorator:}'.trim())}">
        <property name="supportedPrincipalsByString">
            <bean parent="shibboleth.CommaDelimStringArray"
                c:_0="#{'%{idp.authn.RemoteUserInternal.supportedPrincipals:}'.trim()}" />
        </property>
    </bean>
 
</util:list>

In older versions and upgraded systems, this list is defined in conf/authn/general-authn.xml. In V5, no default version of the list is provided and it may simply be placed in conf/global.xml if needed.

Notes

The beans and properties governing this feature have evolved over the years and the documentation above is canonical for this release. Many older variants, which may include RemoteUser instead of RemoteUserInternal in the name, remain supported for compatibility but are no longer documented here.