Hi Jim,
Short answer: no, you cannot log into Syncope Console via the "simple" 
REMOTE_USER header, as injected by a reverse proxy such as Apache HTTPD or NGINX.

Long answer follows.
When you log into Console, the credentials are used to obtain a valid JWT from 
Core, which allows further REST calls; and, since Console implements all its 
features by calling Core via REST, you can understand how fundamental this 
can be.

You have other options, anyway, at least two: configure Syncope Console as SAML 
2.0 SP or OpenID Connect 1.0 Provider.

AFAICT there are a couple of relevant blog posts:

* https://www.tirasa.net/en/blog/apache-syncope-log-in-via-saml-2-0-using-apereo-cas
* https://www.tirasa.net/en/blog/apache-syncope-sso-with-keycloack

Hint: please make sure you have some familiarity with SAML 2.0 or OpenID Connect 
1.0 concepts before getting into Syncope configurations.

Regards.

On 17/05/20 11:34, ohaya wrote:
> Hi,
>
> I have been able to configure an Apache proxy in front of Syncope 
> (/syncope-console) running under Tomcat.  I am using mod_ajp to connect the 
> Apache to the Tomcat that Syncope is running under and I configured an AJP 
> connector on that Tomcat.  Also, I am able to pass a logged-in user ("admin") 
> in REMOTE_USER.  
>
> I have tested with another webapp on that same Tomcat, and using that other 
> webapp, I have confirmed that the user that I am passing in is logged into 
> Tomcat itself, but with syncope-console, I still get the Syncope login form.
>
> From some testing, it appears that syncope-console is not leveraging the 
> standard Tomcat authentication mechanism and appears to be doing the logging 
> "into" the syncope-console app on its own.  Can Syncope (/syncope-console) be 
> configured to accept that logged-in user automatically (i.e., "identity 
> assertion")?
>
> Thanks,
> Jim

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
