Getting RemoteUserInternal working with a custom header

Youssef Ghorbal youssef.ghorbal at pasteur.fr
Tue Nov 10 10:43:32 EST 2015


Hello,

I’m trying to get RemoteUserInternal working with a custom header (shibboleth.authn.RemoteUser.checkHeaders).
The RemoteUserInternal flow is activated in idp.properties (idp.authn.flows and idp.authn.flows.initial).

In authn/remoteuser-internal-authn-config.xml I have this:

    <util:list id="shibboleth.authn.RemoteUser.checkHeaders">
        <value>X-Username</value>
    </util:list>

tcpdump shows that the header is provided to Tomcat (in the HTTP request) and correctly formatted (I double checked this):

Host: idp-dev.mydomain.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://idp-dev.mydomain.com/idp/profile/SAML2/Redirect/SSO;jsessionid=844A4ED40D8D88E68559E3B98ED77835?execution=e1s1
Cookie: JSESSIONID=844A4ED40D8D88E68559E3B98ED77835; _ga=GA1.2.1032759484.1426718689; EMF_VISIT__MD_414=16DC1FD3-6319-45F6-A7AD-14EE9E3B; __utma=219899544.1032759484.1426718689.1438343929.1438343929.1; __utmz=219899544.1438343929.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
X-Username: foo
Connection: keep-alive

But I still get:

2015-11-10 16:07:14,656 - DEBUG [net.shibboleth.idp.authn.impl.ExtractRemoteUser:160] - Profile Action ExtractRemoteUser: No user identity found in request

I tried, for testing purposes, replacing the X-Username in authn/remoteuser-internal-authn-config.xml with a header that I’m sure always exists (I tried with the Host header, for example), and with that header everything worked fine:

2015-11-10 14:50:58,415 - DEBUG [net.shibboleth.idp.authn.impl.ExtractRemoteUser:153] - Profile Action ExtractRemoteUser: User identity extracted from header host: idp-dev.mydomain.com


The code of ExtractRemoteUser.java is quite straightforward:

        for (String s : checkHeaders) {
            username = request.getHeader(s);
            if (username != null && !username.isEmpty()) {
                log.debug("{} User identity extracted from header {}: {}", getLogPrefix(), s, username);
                authenticationContext.getSubcontext(UsernameContext.class, true).setUsername(
                        applyTransforms(username));
                return;
            }
        }

So either:
- checkHeaders is empty when called (the IdP is not honoring authn/remoteuser-internal-authn-config.xml, or the list is emptied earlier in the IdP code), or
- request.getHeader returns null (or an empty string), and thus the header is either filtered out earlier in the IdP code (seems unlikely) or even in Tomcat (I can’t find anything regarding such filtering in the conf).

Any help is needed.

Youssef
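As an added illustration (not code from the post or from the Shibboleth IdP), the Python below mirrors the checkHeaders loop quoted above, parses a constructed request shortened from the tcpdump capture, and runs the loop under each hypothesis the post lists: header present, empty checkHeaders list, header stripped before the servlet, and Host listed ahead of X-Username. The header names, values and request line are constructed sample data.

```python
import email

# Mirror of the checkHeaders loop quoted from ExtractRemoteUser.java:
# the first configured header with a non-null, non-empty value wins.
# Note the loop trusts whatever value arrives, so the chosen header must be
# set only by a trusted front end that strips any client-supplied copy.
def extract_remote_user(headers, check_headers):
    """headers: {name: value}; lookup is case-insensitive like HttpServletRequest.getHeader."""
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in check_headers:
        username = lowered.get(name.lower())
        if username is not None and username != "":  # Java: username != null && !username.isEmpty()
            return name, username
    return None  # corresponds to "No user identity found in request"


def parse_request_headers(raw):
    """Split a captured raw HTTP request (as seen in tcpdump) into (request line, headers)."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    request_line, _sep, header_block = head.partition(b"\r\n")
    msg = email.message_from_bytes(header_block + b"\r\n")  # header block parses as RFC 822 fields
    return request_line.decode("ascii"), dict(msg.items())


# Constructed request, shortened from the capture in the post (sample values).
RAW_REQUEST = (
    b"GET /idp/profile/SAML2/Redirect/SSO?execution=e1s1 HTTP/1.1\r\n"
    b"Host: idp-dev.mydomain.com\r\n"
    b"X-Username: foo\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)


def diagnose(raw=RAW_REQUEST):
    """Run the loop under each hypothesis from the post; returns {case: result}."""
    _line, headers = parse_request_headers(raw)
    stripped = {k: v for k, v in headers.items() if k.lower() != "x-username"}
    return {
        "header present, list honoured": extract_remote_user(headers, ["X-Username"]),
        "checkHeaders list empty": extract_remote_user(headers, []),
        "header stripped before servlet": extract_remote_user(stripped, ["X-Username"]),
        "Host listed first": extract_remote_user(headers, ["Host", "X-Username"]),
    }


if __name__ == "__main__":
    for case, result in diagnose().items():
        print(f"{case:32} -> {result}")
```

Only the first case yields a username; the two failure cases both end in the same "No user identity found" outcome, which is why the log line alone cannot tell them apart.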

