With Apache/2.2.15 the REMOTE_USER is passed to the application (JBoss), while with Apache/2.4.6 it is lost.

In the log of the application we see this error: "REMOTE_USER variable not assigned."

On 19/11/2015 14:02, Teresa Fasano wrote:
Hi,

I'm using Apache 2.4.6 with mod_jk and mod_shib 2.5.5, so Shibboleth as SSO authentication.

When routing Apache requests to Tomcat (JBoss), we are not able to retrieve REMOTE_USER.

It seems that the REMOTE_USER is lost.

In the configuration file shibboleth2.xml we have REMOTE_USER="uid".

The authentication of shibboleth is successful as you can see from the logs of the identity provider and the log of the service provider:

1) IdP:
20151119T092332Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_5c0790590c7a1d003f63b4e5ce58b8da|http://iuav-dev2.sviluppo.u-gov.it/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp-univ-dev.cineca.it/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a8079a3a32dd6bd411be38ed5a8f509a|test|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,eduPersonPrincipalName,surname,commonName,transientId,eduPersonTargetedID,email,employeeNumber,|||

2) SP:
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: New session (ID: _771b50dad4ec72d57ae5a383a8b8f71e) with (applicationId: iuav-dev2) for principal from (IdP: https://idp-univ-dev.cineca.it/idp/shibboleth) at (ClientAddress: 130.186.19.126) with (NameIdentifier: _5ae86372161ba20460d91773f12241a5) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: _b7a9d7435d4b2633af811cac17b80683)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: Cached the following attributes with session (ID: _771b50dad4ec72d57ae5a383a8b8f71e) for (applicationId: iuav-dev2) {
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: uid (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: sn (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: cn (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: eduPersonTargetedID (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: mail (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: employeeNumber (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: }

In the access log of the Apache I see the value of the attribute uid (the remote_user):
130.186.19.126 - test [19/Nov/2015:10:38:54 +0100] "GET /u-gov/ HTTP/1.1"

The authentication of the location is:
<Location ~ "/u-gov(.*)" >
   AuthType shibboleth
   ShibRequireSession On
   ShibExportAssertion On
   require valid-user
</Location>


It seems that the Apache is unable to pass this attribute.

Is there anyone who knows how to forward REMOTE_USER with mod_jk to the application?

Regards.
Teresa



--
----------------------------------
Education is the bread of the soul
----------------------------------

Teresa Fasano

CINECA
System and Technologies Department
Middleware and Infrastructure Group
Via Magnanelli, 6/3
Casalecchio di Reno (Bologna) ITALY

web:     http://www.cineca.it
e-mail:  t.fas...@cineca.it
phone:   +39 051 61 71 364


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
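
The evidence chain in the message above (IdP audit line, SP transaction log, Apache access log) can be checked mechanically to show at which hop the identity stops being visible. This is an added example, not code from either poster: the sample lines are constructed, and the audit-field position and all function names are assumptions.

```python
import re

# Constructed sample lines, modelled on the excerpts quoted in the post.
IDP_AUDIT = ("20151119T092332Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req1|"
             "http://sp.example.org/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|"
             "https://idp.example.org/idp/shibboleth|"
             "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_resp1|test|"
             "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|"
             "uid,eduPersonPrincipalName,email,|||")
SP_LOG = [
    "2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: Cached the following "
    "attributes with session (ID: _s1) for (applicationId: app) {",
    "2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: uid (1 values)",
    "2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: mail (1 values)",
    "2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: }",
]
ACCESS = '192.0.2.10 - test [19/Nov/2015:10:38:54 +0100] "GET /u-gov/ HTTP/1.1"'

def idp_released(line):
    """Attribute IDs in the 11th pipe-separated field (assumed position)."""
    fields = line.split("|")
    return {a for a in fields[10].split(",") if a} if len(fields) > 10 else set()

def sp_cached(lines):
    """Attribute names the SP logged as cached with at least one value."""
    pat = re.compile(r"Shibboleth-TRANSACTION \[\d+\]: (\S+) \((\d+) values?\)")
    return {m.group(1) for m in map(pat.search, lines) if m and int(m.group(2)) > 0}

def access_user(line):
    """Third field of a common-log-format line; '-' means no REMOTE_USER."""
    m = re.match(r"\S+ \S+ (\S+) \[", line)
    return None if not m or m.group(1) == "-" else m.group(1)

def locate_loss(idp_line, sp_lines, access_line, attr="uid"):
    """Name the first hop at which the identity is no longer visible."""
    if attr not in idp_released(idp_line):
        return "idp"
    if attr not in sp_cached(sp_lines):
        return "sp"
    if access_user(access_line) is None:
        return "apache"
    return "backend"  # present in Apache; lost between mod_jk and the application

if __name__ == "__main__":
    print(locate_loss(IDP_AUDIT, SP_LOG, ACCESS))
```

A result of `backend` matches the situation described in the post: the attribute is released, cached and logged by Apache, so the gap is on the mod_jk to application side.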
