Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy

Chronological Thread 
  • From: "Waldbieser, Carl" <>
  • To: Shaun Koh <>
  • Cc:
  • Subject: Re: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy
  • Date: Wed, 1 Jun 2016 14:53:10 -0400 (EDT)


I found that I had to remove a bunch of "security-role" elements from the
`web.xml` file in my grouper WAR file. After the last "servlet-mapping"
element, I just have this "security-role":

The role that is required to log in to the Grouper UI

I then set the the `grouper.ui.authentication.http.header` property to

We also proxy behing Nginx. I found out that nginx strips headers that have
underscores in them. This will unfortunately strip out the OWASP_CSRF header
that Grouper uses to protect against cross-site request-forgery attacks. To
tell nginx to allow headers with underscores, add the following to
/etc/nginx/nginx.conf in the http section:

underscores_in_headers on;

We are running Grouper v2.2.2.

Hope that helps!

Carl Waldbieser
ITS Systems Programmer
Lafayette College

----- Original Message -----
From: "Shaun Koh"

Sent: Wednesday, June 1, 2016 4:48:26 AM
Subject: [grouper-users] [Grouper UI] - Assistance required authenticating
via Shibboleth reverse proxy

Hi there,

I am trying to protect the Grouper UI with our SSO service (Shib) that
reverse proxies HTTP requests to our Grouper instance on a separate host.

To date, I haven't had much success getting this to work with Grouper as the
docs available seem to be pointed at AJP based approaches which we do not use
at our institute.

There were a couple of mailing list entries such as
that seem to address this however did not contain a clear solution or
confirmation as to what really worked.

I am aware that there is a ` grouper.ui.authentication.http.header` attribute
you can set in that was added in for this purpose
however setting that to a request header passed from SSO did not seem to do

- i.e. I still get an error on the UI: You have an anonymous session
since you are not logged in, but this section requires you to be logged in.
Maybe No username found. Your identity provider might not be sending your
username to this application. Either you need to use a different identity
provider, or ask your IT department to send your username to this application.

Also, I can ensure that a record of my institutional id being passed from SSO
exists in the `subjectId` column of the `subject` table in the Grouper DB and
is retrievable by running SubjectFinder.findById("$subjectId") in the shell.

It would be great if someone could provide a solution/set-up that worked for
you or perhaps to point out if I am missing some config to set ? (e.g. do I
have to edit sources.xml ?)

Thank you,
Shaun K.

Archive powered by MHonArc 2.6.16.

Top of Page