How to /Authn/RemoteUser with IdP 3.0

Edwards, Wendy A wedwards at
Tue May 19 17:00:56 EDT 2015

I put something together related to IDP 3.0 ECP using REMOTE_USER and Apache-managed authentication at

From: "Kathy E. Wright" <kewrig at>
Reply-To: Shib Users <users at>
Date: Saturday, May 16, 2015 at 6:00 PM
To: Shib Users <users at>
Subject: How to /Authn/RemoteUser with IdP 3.0

I cannot duplicate our current IdP 2.4 configuration, which uses /idpAuthn/RemoteUser with Apache ajp_proxy to delegate authentication to our campus SSO portal as described here:

In our test IdP v3, I have the following configuration:


  *   idp.authn.flows= RemoteUser
  *   idp.authn.flows.initial = RemoteUser

Logs indicate REMOTE_USER is being used:

2015-05-16 17:37:05,610 - INFO [net.shibboleth.idp.authn.impl.RemoteUserAuthServlet:135] - RemoteUserAuthServlet will process REMOTE_USER, along with attributes [] and headers []

But we get the following error:
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:271] - Profile Action SelectAuthenticationFlow: No potential flows left to choose from, authentication will fail in the logs

From the browser we see the following error:
Error from identity provider:

Status: urn:oasis:names:tc:SAML:2.0:status:Requester

Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed

Message: An error occurred.

I've just attended the first IdP 3.0 Shib InstallFest and was unable to solve this issue during the class, although I was able to verify that our Tomcat and Apache httpd configuration (using ajp_proxy) is working correctly.

Are there other files in /opt/shibboleth-idp/ I should update or other updates we are missing?

Kathy Wright
Clemson University
