Does anyone have experience with Shibboleth / Apache and the Products.AutoUserMakerPASPlugin? Are there any reservations or pitfalls? I use Plone 5.1.4.
@1letter did you have any success with Shibboleth under Plone 5? In particular under Plone 5.2/Python 3?
yes, it runs with the setup described above. but i patched the Products.AutoUserMakerPASPlugin.
Can you share how you send the REMOTE_USER to Plone? I've a problem, it works with Plone4 but in Plone6 (Plone5 the same I suppose) I cannot see the remote_user and shibboleth variables.
is
are available in enviroment? What i mean, your apache inject this correct?
I don't know but It does for other plone4 instances, but on Plone6 if I print the request, I can't see it.
I'm using the classic
RewriteRule ^/mysite(.*) <virtual host root versus the plone instance etc etc>$1 [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
but when I print the request (with a pythonscript), no trace of remoteUser neither REMOTE_USER nor HTTP_X_REMOTE_USER (I don't see anything coming from the autenticated shibbolet session, just the cookie).
And I can see variables set with
RequestHeader set A_VAR: a_value
so the variables are passed.
UPDATE [SOLVED]: I've just discovered that variables starting with X_ are removed in Plone6 while they're not in Plone4. And guess, all the variables from shibboleth mapping starts with X_
I use Plone6. Our Shib Apache Plugin don't inject enviroment vars with an "X_". I don't belive that is a Zope/Plone thing. It's in front of it.
At the time I've followed the guide of webserverauth
https://github.com/collective/Products.WebServerAuth/blob/master/Products/WebServerAuth/README.txt and used the same variable name X_REMOTE_USER from the example.
I would like to improve this config, do you have a good guide or example?
UPDATE: in zope/plone6 env variables with more than a _ will be removed. It is not only X_A_VARIABLE that is removed but anything like
Here why:
Can you post the relevant part of your Apache 2.4 config? I'm tryng to understand how properly extract the remote_user. Or you use straight the shibboleth attribute which holds remote_user? REMOTE_USER is set in the Authentication phase, so it is not available when using RewriteRule.
On Pas, which plugin are you using? collective.shibboleth?
Thanks for any info.