Need Help Configuring Shibboleth for Remote Auth

Cris Bettis cris.bettis at
Fri Dec 11 13:30:00 EST 2015

So, for clarity, the REMOTE_USER is a server level variable that I have to
set on the server in order for RemoteAuth to work, is that correct? The
documentation isn't very clear on what REMOTE_USER is.

If this is the case, I could write some code that sits on the IDP server
and does the username/password check against the database and sets the
appropriate server variable upon success so the credentials never leave the

If I were to do this, would the setup on Shibboleth as an IDP look like?
Would I be using remoteAuth to point to an end point on the same server?
Would that process then forward back to Shibboleth to complete the process?

On Fri, Dec 11, 2015 at 1:07 PM, Cantor, Scott <cantor.2 at> wrote:

> On 12/11/15, 12:48 PM, "Cantor, Scott" <cantor.2 at> wrote:
> >
> >Not unless you have already integrated that authentication process with a
> web server. You can't just redirect over and back. That's SSO, that's a
> totally different kind of approach.
> In point of fact, what you're trying to do is quite complex. You can't
> offload authentication from a web server entirely (the one running the IdP)
> without simply deploying another SSO protocol between the servers. That's
> not a simple or trivial thing to do, but if you really must do that, you'll
> probably want to use a scheme involving a simple shared secret and an HMAC
> to redirect a signed parameter containing the username back.
> Having cooked up a scheme to do it, you can either write code outside the
> IdP (a filter) to populate REMOTE_USER or a header, and use the RemoteUser
> flow, or you can build a JSP or servlet and to mediate and use the External
> flow.
> Those are your options.
> -- Scott
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list