Need Help Configuring Shibboleth for Remote Auth

Cantor, Scott cantor.2 at
Fri Dec 11 13:36:49 EST 2015

On 12/11/15, 1:30 PM, "users on behalf of Cris Bettis" <users-bounces at on behalf of cris.bettis at> wrote:

>So, for clarity, the REMOTE_USER is a server level variable that I have to set on the server in order for RemoteAuth to work, is that correct? The documentation isn't very clear on what REMOTE_USER is.

REMOTE_USER is a concept that was created twenty years ago as part of the original CGI spec. It's assumed knowledge.

>If this is the case, I could write some code that sits on the IDP server and does the username/password check against the database and sets the appropriate server variable upon success so the credentials never leave the server.

If all you need is code to validate a password, then write a JAAS module and plug it into the existing system. You can't check a password without a UI to collect it, error reporting, etc., so you're talking about a much bigger task than just checking the password.

>If I were to do this, would the setup on Shibboleth as an IDP look like?  Would I be using remoteAuth to point to an end point on the same server? Would that process then forward back to Shibboleth to complete the process?

If you want to do all of it yourself, then you're talking about the External flow, and that's documented in the wiki, along with many past threads discussing it in the archive. It requires a colocated servlet or JSP, either self-contained or mediating.

-- Scott

More information about the users mailing list