How to /Authn/RemoteUser with IdP 3.0

Kathy E. Wright kewrig at
Sat May 16 19:00:47 EDT 2015

I cannot duplicate our current IdP 2.4 configuration which uses
/idpAuthn/RemoteUser with Apache ajp_proxy to delegate authentication to
our campus SSO portal as described here:

In our test IdP v3, I have the following configuration:

   - idp.authn.flows= RemoteUser
   - idp.authn.flows.initial = RemoteUser

Logs indicate REMOTE_USER is being used:

2015-05-16 17:37:05,610 - INFO
[net.shibboleth.idp.authn.impl.RemoteUserAuthServlet:135] -
RemoteUserAuthServlet will process REMOTE_USER, along with attributes []
and headers []

But we get the following error in the logs:
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:271] - Profile
Action SelectAuthenticationFlow: No potential flows left to choose from,
authentication will fail

From the browser we see the following error:
Error from identity provider:

Status: urn:oasis:names:tc:SAML:2.0:status:Requester

Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed

Message: An error occurred.

I've just attended the first IdP 3.0 Shib InstallFest and was unable to
solve this issue during the class, although I was able to verify that our
Tomcat and Apache httpd configuration (using ajp_proxy) is working.

Are there other files in /opt/shibboleth-idp/ I should update or other
updates we are missing?

Kathy Wright
Clemson University