Delegating Shib IDP authentication to an external CGI

[Jim Fox]

> We are currently using RemoteUser for IDP authentication.  Unfortunately, the underlying SSO is Pubcookie, which has not been supported for years.

We are near the end of a transition from Pubcookie and remoteuser authentication to the native Password flow.
It has been remarkably easy.  And that includes porting our support of multiple 2nd factors (Entrust and Duo) 
and the stripping of all those '@whatevers' that people add to their ids.  We ask for netid and they enter their email. 
Thank you Scott for that Password.Transforms bean.

Unless you've done some complete rewrite of pubcookie I think transitioning to native Password flow is the easiest and best way to go.

Jim