>> Do all of the login handlers lie behind /idp/AuthnEngine/ or /idp/Authn/ ? > > The bundled ones do, I can't speak to what you're doing. If you're using > the RemoteUser handler, then the only thing to protect is that URL. You > don't protect the AuthnEngine. Excellent! Thank you very much! Liam