Need Help Configuring Shibboleth for Remote Auth
Cris Bettis
cris.bettis at bettercarpeople.com
Fri Dec 11 13:30:00 EST 2015
So, for clarity, the REMOTE_USER is a server level variable that I have to
set on the server in order for RemoteAuth to work, is that correct? The
documentation isn't very clear on what REMOTE_USER is.
If this is the case, I could write some code that sits on the IDP server
and does the username/password check against the database and sets the
appropriate server variable upon success so the credentials never leave the
server.
If I were to do this, what would the setup on Shibboleth as an IDP look like?
Would I be using remoteAuth to point to an end point on the same server?
Would that process then forward back to Shibboleth to complete the process?
On Fri, Dec 11, 2015 at 1:07 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 12/11/15, 12:48 PM, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
>
>
> >
> >Not unless you have already integrated that authentication process with a
> web server. You can't just redirect over and back. That's SSO, that's a
> totally different kind of approach.
>
> In point of fact, what you're trying to do is quite complex. You can't
> offload authentication from a web server entirely (the one running the IdP)
> without simply deploying another SSO protocol between the servers. That's
> not a simple or trivial thing to do, but if you really must do that, you'll
> probably want to use a scheme involving a simple shared secret and an HMAC
> to redirect a signed parameter containing the username back.
>
> Having cooked up a scheme to do it, you can either write code outside the
> IdP (a filter) to populate REMOTE_USER or a header, and use the RemoteUser
> flow, or you can build a JSP or servlet to mediate and use the External
> flow.
>
> Those are your options.
>
> -- Scott
>
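The shared-secret HMAC scheme mentioned in the quoted reply, as an added example that is not part of the original thread and is not Shibboleth code. The token layout, the function names, the 60-second freshness window and the binding to a per-login request id are assumptions made for illustration; the verifying half is what a filter in front of the IdP would do before populating REMOTE_USER.

```python
import base64
import hashlib
import hmac
import time

MAX_AGE_SECONDS = 60  # assumed freshness window; limits replay of a captured redirect


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _mac(secret: bytes, payload: str) -> bytes:
    return _b64(hmac.new(secret, payload.encode(), hashlib.sha256).digest()).encode()


def issue_token(secret: bytes, username: str, request_id: str, now=None) -> str:
    """Authenticating server: sign username, the IdP's request id and a timestamp.

    request_id is a hypothetical random value the IdP side generated for this
    login attempt (assumed to contain no '.' characters).
    """
    issued = int(time.time() if now is None else now)
    payload = f"{_b64(username.encode())}.{request_id}.{issued}"
    return f"{payload}.{_mac(secret, payload).decode()}"


def verify_token(secret: bytes, token: str, expected_request_id: str, now=None):
    """IdP-side filter: return the username, or None if the token is not acceptable."""
    parts = token.split(".")
    if len(parts) != 4:
        return None
    user_b64, request_id, issued, mac = parts
    payload = f"{user_b64}.{request_id}.{issued}"
    # Check the MAC first, in constant time; nothing else is trusted until it passes.
    if not hmac.compare_digest(_mac(secret, payload), mac.encode()):
        return None
    # The token must answer the login attempt this session actually started.
    if not hmac.compare_digest(request_id.encode(), expected_request_id.encode()):
        return None
    age = (time.time() if now is None else now) - int(issued)
    if not 0 <= age <= MAX_AGE_SECONDS:
        return None
    return base64.urlsafe_b64decode(user_b64 + "=" * (-len(user_b64) % 4)).decode()
```

Only the value returned by `verify_token` should ever reach REMOTE_USER; a username taken from an unsigned redirect parameter could be set by anyone who can craft the URL.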