Experience with Shibboleth and AutoUserMakerPASPlugin?

Does anyone have experience with Shibboleth / Apache and the Products.AutoUserMakerPASPlugin? Are there any reservations or pitfalls? I use Plone 5.1.4.

@1letter did you have any success with Shibboleth under Plone 5? In particular under Plone 5.2/Python 3?

yes, it runs with the setup described above. but i patched the Products.AutoUserMakerPASPlugin.

Can you share how you send the REMOTE_USER to Plone? I've a problem, it works with Plone4 but in Plone6 (Plone5 the same I suppose) I cannot see the remote_user and shibboleth variables.

is

are available in enviroment? What i mean, your apache inject this correct?

I don't know but It does for other plone4 instances, but on Plone6 if I print the request, I can't see it.

I'm using the classic

RewriteRule ^/mysite(.*) <virtual host root versus the plone instance etc etc>$1 [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]

but when I print the request (with a pythonscript), no trace of remoteUser neither REMOTE_USER nor HTTP_X_REMOTE_USER (I don't see anything coming from the autenticated shibbolet session, just the cookie).

And I can see variables set with
RequestHeader set A_VAR: a_value
so the variables are passed.

UPDATE [SOLVED]: I've just discovered that variables starting with X_ are removed in Plone6 while they're not in Plone4. And guess, all the variables from shibboleth mapping starts with X_ :roll_eyes:

I use Plone6. Our Shib Apache Plugin don't inject enviroment vars with an "X_". I don't belive that is a Zope/Plone thing. It's in front of it.

At the time I've followed the guide of webserverauth
https://github.com/collective/Products.WebServerAuth/blob/master/Products/WebServerAuth/README.txt and used the same variable name X_REMOTE_USER from the example.

I would like to improve this config, do you have a good guide or example?

UPDATE: in zope/plone6 env variables with more than a _ will be removed. It is not only X_A_VARIABLE that is removed but anything like

Here why:

http://httpd.apache.org/docs/trunk/env.html#fixheader

Can you post the relevant part of your Apache 2.4 config? I'm tryng to understand how properly extract the remote_user. Or you use straight the shibboleth attribute which holds remote_user? REMOTE_USER is set in the Authentication phase, so it is not available when using RewriteRule.

On Pas, which plugin are you using? collective.shibboleth?

Thanks for any info.