xtim
Monday, August 18, 2008
 
Remote User
Shibboleth is now telling our application the "identity" of the authenticated user, so we're good to go: based on that, we can log them into our own authentication service and serve them the correct content.

The identity we receive turns out to be very flexible. In the service provider's shibboleth2.xml you can nominate a list of options in the REMOTE_USER attribute:

REMOTE_USER="affiliation eppn persistent-id targeted-id"


and the first available attribute in the list is set as your request's REMOTE_USER. Attributes are available if they have been supplied by the IdP and are defined in the SP's attribute-map.xml.

We can then pull the supplied ID out in Tomcat with:

// hsreq is the HttpServletRequest for the current request
s_logger.info("Remote user: " + hsreq.getRemoteUser());


so we'll aim to package up the eduPersonScopedAffiliation attribute as the REMOTE_USER and check for a known scope to identify the institution.
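
One way to do the scope check, as an added example rather than code from our application: split the value on its last "@" and require an exact match against an allowlist of scopes. The class name, the scope-to-institution map and the ";" separator for multiple values are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

public class ScopedAffiliation {
    // Hypothetical allowlist: scope -> institution key in our own auth service.
    static final Map<String, String> KNOWN_SCOPES = Map.of(
        "example.edu", "example-university",
        "example.ac.uk", "example-college");

    /** Returns the institution for the first value whose scope is allowlisted. */
    static Optional<String> institutionFor(String remoteUser) {
        if (remoteUser == null || remoteUser.isBlank()) {
            return Optional.empty();
        }
        // Assumption: multiple values, if present, arrive separated by ';'.
        for (String value : remoteUser.split(";")) {
            String v = value.trim();
            int at = v.lastIndexOf('@');
            // Require a non-empty affiliation and a non-empty scope.
            if (at <= 0 || at == v.length() - 1) continue;
            String scope = v.substring(at + 1).toLowerCase(Locale.ROOT);
            // Exact match only: a suffix or substring test would also accept
            // "example.edu.other.test" or "notexample.edu".
            String institution = KNOWN_SCOPES.get(scope);
            if (institution != null) return Optional.of(institution);
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        String[] samples = { // constructed sample values
            "member@example.edu",
            "staff@EXAMPLE.AC.UK",
            "student@other.test;member@example.edu",
            "member@example.edu.other.test",
            "member@notexample.edu",
            "@example.edu",
            "member",
            null };
        for (String s : samples) {
            System.out.println(s + " -> " + institutionFor(s).orElse("REJECTED"));
        }
    }
}
```

In the servlet this would be called as institutionFor(hsreq.getRemoteUser()), refusing the login when the result is empty. The affiliation says which institution and role the user has, not who the individual is.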

T
