How to configure multiple RemoteUser Auth URLs on IDP v3 ?

Losen, Stephen C. (scl) scl at eservices.virginia.edu
Fri Apr 29 08:29:26 EDT 2016 

Hi folks,

In case anyone finds this useful, I configured a second RemoteUser auth method into IDP 3.2.1. I basically copied all the configs I could find for RemoteUser in whatever files I found them. Forgive me if this wasn't the best way to do it, but it worked for me.

Unfortunately, some changes were required under the sacred "system" folder that one should never touch.  So be sure to save your changes before upgrading or reinstalling the IDP.  This procedure probably depends on implementation details in IDP 3.2.1 and may not work with other releases.

File paths are relative to the IDP home (usually /opt/shibboleth-idp).

I added this section to edit-webapp/WEB-INF/web.xml  Note that I am using Apache httpd as a reverse HTTP proxy, passing REMOTE_USER in a HTTP header called "X-Remote-User", hence the <init-param> sections.

<servlet>
        <servlet-name>RemoteUserEnhancedAuthHandler</servlet-name>
        <servlet-class>net.shibboleth.idp.authn.impl.RemoteUserAuthServlet</servlet-class>
        <init-param>
            <param-name>checkHeaders</param-name>
            <param-value>X-Remote-User</param-value>
        </init-param>
        <init-param>
            <param-name>checkRemoteUser</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>2</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>RemoteUserEnhancedAuthHandler</servlet-name>
        <url-pattern>/Authn/EnhancedNetBadge</url-pattern>
    </servlet-mapping>

I rebuilt the war/idp.war file with bin/build.sh (remembering to hit enter at the rather deceptive prompt.)

I copied system/flows/authn/remoteuser-authn-flow.xml to system/flows/authn/remoteuser-enhanced-authn-flow.xml and made these changes to the new file:

I changed "RemoteUser" to "RemoteUserEnhanced"

I changed "remoteuser-authn-beans.xml" to "remoteuser-enhanced-authn-beans.xml"

I copied system/flows/authn/remoteuser-authn-beans.xml to system/flows/authn/remoteuser-enhanced-authn-beans.xml and made these changes to the new file:

I changed all occurrences of "RemoteUser" to "RemoteUserEnhanced"

I changed "remoteuser-authn-config.xml" to "remoteuser-enhanced-authn-config.xml"

I added this line to system/conf/webflow-config.xml below the other Login methods:

<webflow:flow-location id="authn/RemoteUserEnhanced" path="../system/flows/authn/remoteuser-enhanced-authn-flow.xml" />

I modified idp.authn.flows in conf/idp.properties 

idp.authn.flows= RemoteUser|RemoteUserEnhanced

I added this section to conf/authn/general-authn.xml near the <bean id="authn/RemoteUser" section

<bean id="authn/RemoteUserEnhanced" parent="shibboleth.AuthenticationFlow"
                p:nonBrowserSupported="false" >
            <property name="supportedPrincipals">
                <list>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:EnhancedNetBadge" />
                </list>
            </property>
        </bean>

(Sorry for squatting on someone else's namespace, will deal with that later.)

I copied conf/authn/remoteuser-authn-config.xml to conf/authn/remoteuser-enhanced-authn-config.xml and made these changes to the new file:

changed "contextRelative:Authn/RemoteUser" to "contextRelative:Authn/EnhancedNetBadge"

changed all OTHER occurrences of "RemoteUser" to "RemoteUserEnhanced"

In the config for Apache httpd I configured our "enhanced" SSO login method with

<Location /idp/Authn/EnhancedNetBadge>
   ...
</Location>

Whew!

I have submitted a request to issues.shibboleth.net to allow RemoteUser to be configured on multiple URLs which the SP can select via Auth Context Class (the entire point of the above exercise).  I see it has been assigned to Scott Cantor. Eagerly looking forward to IDP 3.3.

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at virginia.edu    434-924-0640

-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Wednesday, April 20, 2016 6:56 PM
To: Shib Users
Subject: Re: How to configure multiple RemoteUser Auth URLs on IDP v3 ?

On 4/20/16, 6:32 PM, "users on behalf of Losen, Stephen C. (scl)" <users-bounces at shibboleth.net on behalf of scl at eservices.virginia.edu> wrote:



>Here is how I set up "enhanced" login on IDP v2 in handler.xml

There is no direct equivalent, and it isn't really something you can do easily without learning at least some minimal Spring Web Flow to be able to copy and adapt the existing flows. It's mostly cut and paste more than really learning it, but it isn't trivial.

>We configured the app on the SP to request the AC class
>urn:oasis:names:tc:SAML:2.0:ac:classes:EnhancedNetBadge

Aside from your question, that's inappropriate, you can't create URNs in a namespace you don't own, and you don't own that namespace.

>I've been reading the IDP v3 wiki and am having trouble figuring out how to do this.  Obviously I need to configure webapp/WEB-INF/web.xml but I don't think I can specify the AC class in that file.  Maybe somewhere under conf/authn ?

Separating this into two parts, if you establish multiple login flows to use, you associate those flows in the configuration with a set of supportedPrincipals that include the AuthnContextClassRef values that a given flow supports, and then the system will mostly do the right things automatically to decide which one(s) to use for a request.

The documentation attempts to cover most of that in the AuthenticationConfiguration and AuthenticationFlowSelection topics.

The other part is the problem. There is no second flow for you to enable and associate with the other context class Principal, because the RemoteUser flow is only able to use a single URL. What you have to do is copy it and create a separate version with different settings under a different flow ID. There's not really any documentation on that, and the end result is somewhat of a layer violation because it will end up relying on implementation details that could change, so it's a problematic approach.

There isn't much to the RemoteUser flow, and it can copied easily enough into a user flow in flows/authn/ and then you can make changes to, e.g. the servlet path that it's redirecting to, along with the corresponding additions to web.xml.

One way around that is to adapt the existing External login flow, as is, and configure it to serve as your second/special flow. The RemoteUser flow is really just a specialization of External. If you configure the External flow's redirect to a copy of the RemoteUser auth servlet running at a separate path, that would be a way to end up with a second copy of the RemoteUser flow without actually having to create it yourself.

-- Scott

-- 
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list