Need help with shibboleth.authn.RemoteUser.externalAuthnPathStrategy

Losen, Stephen C. (scl) scl at
Mon Feb 12 08:02:17 EST 2018

Hi folks,

I would like to upgrade from Shib IDP 3.2.1 to IDP 3.3.2 and to do this I need to configure a bean called "shibboleth.authn.RemoteUser.externalAuthnPathStrategy" in conf/authn/remoteuser-authn-config.xml

I fear I am terribly out of my element here.  According to comments in the XML file (which basically repeat the Wiki instructions):

    <!-- Servlet context-relative path to wherever your implementation lives. -->
    <bean id="shibboleth.authn.RemoteUser.externalAuthnPath" class="java.lang.String"
        c:_0="contextRelative:Authn/RemoteUser" />

    Default is to always use the path in the bean above. If you want to determine it
    dynamically, define a bean called "shibboleth.authn.RemoteUser.externalAuthnPathStrategy"
    of type Function<ProfileRequestContext,String> that returns the path to use.

I have configured a few of our SPs to include a special AuthnContextClassRef value in the SAML Auth Request.  Depending on this AC I would like to redirect the browser to a URL other than Authn/RemoteUser.  This other URL will have a slightly different config for the underlying SSO system accessed via "remoteuser".

OK, so I need to create a bean with id="shibboleth.authn.RemoteUser.externalAuthnPathStrategy" and I presume this bean needs to be a script of some sort that receives as input a "ProfileRequestContext".  Somehow the script must drill down into this to get the AuthenticationContext.  From scouring the wiki and IDP config files, looking for example code, I suspect that the script will do this:

authCtx = input.getSubContext("net.shibboleth.idp.authn.context.AuthenticationContext");

And then it probably needs to drill even deeper.

Also I'm not clear on how to define the bean to be a script.  Something like this?

<bean id="shibboleth.authn.RemoteUser.externalAuthnPathStrategy" factory-method="inlineScript">

// script code


And it looks like the input argument to the script is in a variable named "input" that is of type ProfileRequestContext.

My script will return "contextRelative:Authn/RemoteUser" under most circumstances and will return something else only if the SAML Auth Request specifies a particular AC value.

Can anyone provide any more details, or perhaps point me to some documentation or example code?


Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at    434-924-0640

More information about the users mailing list