
Re: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy


  • From: "Waldbieser, Carl" <>
  • To: Shaun Koh <>
  • Subject: Re: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy
  • Date: Wed, 1 Jun 2016 14:53:10 -0400 (EDT)

Shaun,

I found that I had to remove a bunch of "security-role" elements from the
`web.xml` file in my grouper WAR file. After the last "servlet-mapping"
element, I just have this "security-role":

<security-role>
    <description>
        The role that is required to log in to the Grouper UI
    </description>
    <role-name>*</role-name>
</security-role>

I then set the `grouper.ui.authentication.http.header` property to
REMOTE_USER.

We also proxy behind Nginx. I found out that nginx strips headers that have
underscores in them. This will unfortunately strip out the OWASP_CSRF header
that Grouper uses to protect against cross-site request forgery attacks. To
tell nginx to allow headers with underscores, add the following to
/etc/nginx/nginx.conf in the http section:

underscores_in_headers on;

We are running Grouper v2.2.2.

Hope that helps!

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
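As an added example (not Carl's configuration and not anything shipped by the Grouper project), here is how the two nginx points above fit into a reverse-proxy config on the Grouper host, together with the check a practitioner would want: because `grouper.ui.authentication.http.header` makes Grouper trust whatever arrives in the REMOTE_USER header, the vhost accepts connections only from the Shibboleth SP host, so nothing else can hand Grouper a forged identity. The SP address (10.0.0.5), the Tomcat address (127.0.0.1:8080), the server name, the TLS file paths and the /grouper context path are assumptions for illustration, not details from the thread.

```nginx
# Added example, not from the thread or the Grouper project.
# Assumed: Shibboleth SP host 10.0.0.5, Tomcat on 127.0.0.1:8080,
# Grouper UI at /grouper, hostname and TLS paths as placeholders.

http {
    # From the thread: by default nginx treats request headers containing
    # underscores as invalid and drops them, which silently removes Grouper's
    # OWASP_CSRF header (and a header named REMOTE_USER). Let them through.
    # Valid in the http or server context.
    underscores_in_headers on;

    server {
        listen 443 ssl;
        server_name grouper.example.edu;                  # assumed
        ssl_certificate     /etc/nginx/tls/grouper.crt;   # assumed path
        ssl_certificate_key /etc/nginx/tls/grouper.key;   # assumed path

        location /grouper/ {
            # Only the SP reverse proxy may reach this vhost. Any client that
            # could connect directly would be able to send its own REMOTE_USER
            # header, and grouper.ui.authentication.http.header tells Grouper
            # to believe it.
            allow 10.0.0.5;     # assumed SP address
            deny  all;

            proxy_pass http://127.0.0.1:8080/grouper/;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # REMOTE_USER and OWASP_CSRF arrive from the SP and are forwarded
            # to Tomcat unchanged; underscores_in_headers above is what keeps
            # nginx from discarding them before proxy_pass.
        }
    }
}
```

The `allow`/`deny` pair only helps if nginx is the sole way in: Tomcat itself should listen on the loopback address (as assumed here), since a connector reachable from the network would let a caller bypass nginx and the SP entirely and set REMOTE_USER by hand.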

----- Original Message -----
From: "Shaun Koh" <>
To:
Sent: Wednesday, June 1, 2016 4:48:26 AM
Subject: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy

Hi there,

I am trying to protect the Grouper UI with our SSO service (Shib) that
reverse proxies HTTP requests to our Grouper instance on a separate host.

To date, I haven't had much success getting this to work with Grouper as the
docs available seem to be pointed at AJP based approaches which we do not use
at our institute.

There were a couple of mailing list entries such as
https://lists.internet2.edu/sympa/arc/grouper-users/2014-10/msg00037.html
that seem to address this however did not contain a clear solution or
confirmation as to what really worked.

I am aware that there is a `grouper.ui.authentication.http.header` attribute
you can set in grouper-ui.properties that was added for this purpose;
however, setting that to a request header passed from SSO did not seem to do
anything.

i.e. I still get an error on the UI: "You have an anonymous session
since you are not logged in, but this section requires you to be logged in.
Maybe No username found. Your identity provider might not be sending your
username to this application. Either you need to use a different identity
provider, or ask your IT department to send your username to this application."

Also, I can ensure that a record of my institutional id being passed from SSO
exists in the `subjectId` column of the `subject` table in the Grouper DB and
is retrievable by running SubjectFinder.findById("$subjectId") in the shell.

It would be great if someone could provide a solution/set-up that worked for
you, or perhaps point out if I am missing some config to set (e.g. do I
have to edit sources.xml?).

Thank you,
Shaun K.
