Experience with Shibboleth and AutoUserMakerPASPlugin?

Does anyone have experience with Shibboleth / Apache and the Products.AutoUserMakerPASPlugin? Are there any reservations or pitfalls? I use Plone 5.1.4.

@1letter did you have any success with Shibboleth under Plone 5? In particular under Plone 5.2/Python 3?

yes, it runs with the setup described above. but i patched the Products.AutoUserMakerPASPlugin.

Can you share how you send the REMOTE_USER to Plone? I've a problem, it works with Plone4 but in Plone6 (Plone5 the same I suppose) I cannot see the remote_user and shibboleth variables.


are available in enviroment? What i mean, your apache inject this correct?

I don't know but It does for other plone4 instances, but on Plone6 if I print the request, I can't see it.

I'm using the classic

RewriteRule ^/mysite(.*) <virtual host root versus the plone instance etc etc>$1 [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]

but when I print the request (with a pythonscript), no trace of remoteUser neither REMOTE_USER nor HTTP_X_REMOTE_USER (I don't see anything coming from the autenticated shibbolet session, just the cookie).

And I can see variables set with
RequestHeader set A_VAR: a_value
so the variables are passed.

UPDATE [SOLVED]: I've just discovered that variables starting with X_ are removed in Plone6 while they're not in Plone4. And guess, all the variables from shibboleth mapping starts with X_ :roll_eyes:

I use Plone6. Our Shib Apache Plugin don't inject enviroment vars with an "X_". I don't belive that is a Zope/Plone thing. It's in front of it.

At the time I've followed the guide of webserverauth
https://github.com/collective/Products.WebServerAuth/blob/master/Products/WebServerAuth/README.txt and used the same variable name X_REMOTE_USER from the example.

I would like to improve this config, do you have a good guide or example?

UPDATE: in zope/plone6 env variables with more than a _ will be removed. It is not only X_A_VARIABLE that is removed but anything like

Here why:


Can you post the relevant part of your Apache 2.4 config? I'm tryng to understand how properly extract the remote_user. Or you use straight the shibboleth attribute which holds remote_user? REMOTE_USER is set in the Authentication phase, so it is not available when using RewriteRule.

On Pas, which plugin are you using? collective.shibboleth?

Thanks for any info.

Plone Foundation Code of Conduct