The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

RemoteUser Submodule Configuration

Owned by Former user (Deleted)
Last updated: Nov 07, 2013Version comment
2 min read

The MCB supports the use of a Remote User authentication handler just as the base Shibboleth does. In order to configure the MCB to support this, you must add a bean to the mcb-spring.xml file:

    <!-- This bean represents an authentication submodule -->
    <bean id="mcb.usernamepasswordsilver" class="edu.internet2.middleware.assurance.mcb.authn.provider.RemoteUserSubmodule">
        <constructor-arg index="0" value="/Authn/MCB/RemoteUser" />
    </bean>

The constructor argument is where the MCB will redirect the browser to for authentication. It is the location where your externally based authentication will take place.

Once you have authenticated the user and set the web container REMOTE_USER value to the login ID of the user, then that information has to get back to the MCB to make use of it. This is handled by mapping the MCB servlet to the same path in the main web.xml file:

    <!-- Servlet for MCB Authentication -->
    <servlet>
        <servlet-name>MCBLoginServlet</servlet-name>
        <servlet-class>edu.internet2.middleware.assurance.mcb.authn.provider.MCBLoginServlet</servlet-class>
        <load-on-startup>3</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>MCBLoginServlet</servlet-name>
        <url-pattern>/Authn/MCB</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>MCBLoginServlet</servlet-name>
        <url-pattern>/Authn/MCB/RemoteUser</url-pattern>
    </servlet-mapping>

So once your authentication process has completed, control will pass back to the MCB servlet which will pull the REMOTE_USER value and process normally from there.

Caveats

  • RemoteUser cannot reliably support forced authentication handling since the MCB cannot convey that information to your authentication mechanism. You can mimic the behavior by having the session time of your mechanism be very short. So essentially every time a user is sent to you for authentication, you authenticate them. The MCB will maintain the session and send the user through authentication if forced authentication is requested.