Remote authentication failing for IdP 3.4.6
matthew.slowe at jisc.ac.uk
Tue Aug 31 09:31:57 UTC 2021
On 2021-08-25 02:13, Mathew, Sunil wrote:
> * First, why v3?!
> We are eventually planning to move to 4.
I'd strongly suggest you start on 4.1 now rather than on an unsupported
version and upgrading from there.
> * Second, can you see the username being passed in to the IDP? You may
> have missed some bits in Tomcat's config to let it pass.
> Can you give an example of the Tomcat configuration to pass username
> to IdP?
You may not have AJP configured to accept the REMOTE_USER from Apache:
In Tomcat's server.xml:
For completeness, in Apache, probably in a vhost but it's more up to
you, you should also have:
ProxyPass /idp ajp://localhost:8009/idp
Also you'll need to protect the RemoteUser endpoint with your CAS
module. I'm not sure of how this works with CAS, but if you were using
the Shibboleth SP instead it would look like this in your Apache vhost:
ShibRequestSetting requireSession 1
If you "tcpdump -Ai lo port 8009" you should be able to see the
REMOTE_USER value being sent from Apache to Tomcat.
Our guide to doing this with IdPv3 and the Shibboleth SP is still
which may give you other pointers.
Hope that helps,
Matthew Slowe (GPG: 0x6BE0CF7D04600314)
Senior Technical Consultant and Support specialist, Jisc
Team: 0300 300 2212, option 2
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
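
An added example, not part of the original message: a short Python check that reads a Tomcat server.xml and reports whether the AJP connector is set up to take REMOTE_USER from Apache as described above. The sample XML is constructed, and the function name audit_ajp and the loopback check are assumptions of this example.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample server.xml (not taken from the original message).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               tomcatAuthentication="false" />
  </Service>
</Server>"""


def audit_ajp(server_xml, proxy_port=8009):
    """Return findings (empty list = OK) for the AJP connectors in server.xml.

    proxy_port is the port in Apache's ProxyPass ajp://localhost:<port>/idp.
    """
    root = ET.fromstring(server_xml)
    ajp = [c for c in root.iter("Connector")
           if "ajp" in c.get("protocol", "").lower()]
    if not ajp:
        return ["no AJP connector defined"]
    findings = []
    if not any(c.get("port") == str(proxy_port) for c in ajp):
        findings.append(f"no AJP connector listens on ProxyPass port {proxy_port}")
    for c in ajp:
        port = c.get("port", "?")
        # Unless tomcatAuthentication="false", Tomcat does its own
        # authentication and drops the user name forwarded by Apache.
        if c.get("tomcatAuthentication", "true").lower() != "false":
            findings.append(f"port {port}: tomcatAuthentication is not false")
        # AJP trusts whatever user name the peer sends, so only the local
        # Apache should be able to reach the connector.
        if c.get("address") not in LOOPBACK:
            findings.append(f"port {port}: address is not pinned to loopback")
    return findings


if __name__ == "__main__":
    for line in audit_ajp(SAMPLE_SERVER_XML) or ["AJP connector OK"]:
        print(line)
```

Pass the contents of your own server.xml to audit_ajp; an empty list means the connector matches the ProxyPass line and will accept the forwarded user name.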