Need Help Configuring Shibboleth for Remote Auth

Cantor, Scott cantor.2 at
Fri Dec 11 13:07:45 EST 2015

On 12/11/15, 12:48 PM, "Cantor, Scott" <cantor.2 at> wrote:

>Not unless you have already integrated that authentication process with a web server. You can't just redirect over and back. That's SSO, that's a totally different kind of approach.

In point of fact, what you're trying to do is quite complex. You can't offload authentication from a web server entirely (the one running the IdP) without simply deploying another SSO protocol between the servers. That's not a simple or trivial thing to do, but if you really must do that, you'll probably want to use a scheme involving a simple shared secret and an HMAC to redirect a signed parameter containing the username back.

Having cooked up a scheme to do it, you can either write code outside the IdP (a filter) to populate REMOTE_USER or a header, and use the RemoteUser flow, or you can build a JSP or servlet and to mediate and use the External flow.

Those are your options.

-- Scott

More information about the users mailing list