How to /Authn/RemoteUser with IdP 3.0

Edwards, Wendy A wedwards at illinois.edu
Tue May 19 17:00:56 EDT 2015


I put something together related to IDP 3.0 ECP using REMOTE_USER and Apache-managed authentication at
https://wiki.shibboleth.net/confluence/display/IDP30/IDP3+ECP+with+Tomcat+and+Apache-Managed+Authentication


From: "Kathy E. Wright" <kewrig at clemson.edu>
Reply-To: Shib Users <users at shibboleth.net>
Date: Saturday, May 16, 2015 at 6:00 PM
To: Shib Users <users at shibboleth.net>
Subject: How to /Authn/RemoteUser with IdP 3.0


I cannot duplicate our current IdP 2.4 configuration, which uses /idpAuthn/RemoteUser with Apache ajp_proxy to delegate authentication to our campus SSO portal as described here:

https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthRemoteUser

In our test IdP v3, I have the following configuration:

/opt/shibboleth-idp/idp.properties

  *   idp.authn.flows= RemoteUser
  *   idp.authn.flows.initial = RemoteUser

Logs indicate REMOTE_USER is being used:

2015-05-16 17:37:05,610 - INFO [net.shibboleth.idp.authn.impl.RemoteUserAuthServlet:135] - RemoteUserAuthServlet will process REMOTE_USER, along with attributes [] and headers []

But we get the following error in the logs:
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:271] - Profile Action SelectAuthenticationFlow: No potential flows left to choose from, authentication will fail

From the browser we see the following error:
Error from identity provider:

Status: urn:oasis:names:tc:SAML:2.0:status:Requester

Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed

Message: An error occurred.

I've just attended the first IdP 3.0 Shib InstallFest and was unable to solve this issue during the class, although I was able to verify that our Tomcat and Apache httpd configuration (using ajp_proxy) is working correctly.

Are there other files in /opt/shibboleth-idp/ I should update or other updates we are missing?

Best,
Kathy Wright
Clemson University



