Need Help Configuring Shibboleth for Remote Auth

Cris Bettis cris.bettis at
Fri Dec 11 12:17:23 EST 2015

I have an existing web application that contains a table of users and
encrypted passwords.  It is written in PHP and I have full access to
program it however I need to. The passwords I need to authenticate against
are hashed using a heavy encryption algorithm that is not able to be
replicated in SQL alone.

I'd like to configure Shibboleth to hand over control to this server, allow
a user to log in and accept information back that allows it to continue the
SAML conversation it started with another SP.

Currently, it is looking like RemoteUser Authentication is the way to go

I've done the following:

Set ```idp.authn.flows = RemoteUser``` in

Commented out all non RemoteUser methods in the general-auth.xml file.

Turned Debug on.

I've updated this line in  ```conf/authn/remoteuser-authn-config.xml```
with my server's url

!-- Servlet context-relative path to wherever your implementation lives. -->

<bean id="shibboleth.authn.RemoteUser.externalAuthnPath" class=

        c:_0="" />

The SP negotiates with Shibboleth correctly. And indeed Shibboleth will
forward to this server.  However, I cannot seem to pass back adequate
credentials in a way Shibboleth understands.

The documentation for Shibbileth IDP 3.0 (the version I'm using) is very
non-specific about this but hints that I should be able to pass back
attributes or headers containing the remote user's information to satisfy
this system.  Is there better documentation to look at or can I get some
advice on how that interface works?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list