Remote authentication failing for IdP 3.4.6

Matthew Slowe matthew.slowe at
Tue Aug 31 09:31:57 UTC 2021

On 2021-08-25 02:13, Mathew, Sunil wrote:
>   * First, why v3?! 
> We are eventually planning to move to 4.

I'd strongly suggest you start on 4.1 now rather than on an unsupported 
version and upgrading from there.

>   * Second, can you see the username being passed in to the IDP? You may
>     have missed some bits in Tomcat's config to let it pass.
>     Can you give an example of the Tomcat configuration to pass username
>     to IdP?

You may not have AJP configured to accept the REMOTE_USER from Apache:

In Tomcat's server.xml:

     <Connector port="8009"

For completeness, un Apache, probably in a vhost but it's more up to 
you, you should also have:

ProxyPass /idp ajp://localhost:8009/idp

Also you'll need to protect the RemoteUser endpoint with your CAS 
module. I'm not sure of how this works with CAS, but is you were using 
the Shibboleth SP instead it would look like in your Apache vhost:

<Location /idp/Authn/RemoteUser>
   AuthType shibboleth
   ShibRequestSetting requireSession 1
   require shib-session

If you "tcpdump -Ai lo port 8009" you should be able to see the 
REMOTE_USER value being sent from Apache to Tomcat.

Our guide to doing this with IdPv3 and the Shibboleth SP is still 
available at 
which may give you other pointers.

Hope that helps,
Matthew Slowe (GPG: 0x6BE0CF7D04600314)
Senior Technical Consultant and Support specialist, Jisc
Team: 0300 300 2212, option 2
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4219 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the users mailing list