Grouper Users - Open Discussion List

[Francesco Malvezzi <>]

On 05/10/22 16:50, Chad Redman wrote:
> Hi Francesco,
>
> The logic in the Grouper login code is to use the
> grouper.ui.authentication.http.header value only as a fallback in case the
> REMOTE_USER isn't set.
>
> If I understand correctly, your REMOTE_USER is set, but it's a different value
> than the uid that you want? You can try to change this in your SP's
> shibboleth2.xml so it defaults to use it.
>
>      <ApplicationDefaults entityID="https://sp.example.org/shibboleth";
>          REMOTE_USER="eppn subject-id pairwise-id persistent-id"
>
> cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
>
> The file attribute-map.xml maps the incoming oids to names, and uid is one
> mapped by default. So if you replace the defaults to REMOTE_USER="uid", I
> believe it will set the remote user for the app *IF* the idp is sending the
> uid.
>
> But if you really don't see a uid header (you may need to look at logs to
> check), check to make sure your IDP is passing it.

following the documentation at:

https://spaces.at.internet2.edu/display/Grouper/Authentication+to+the+Grouper+UI

I assumed the logic was the opposite: first evaluate 
grouper.ui.authentication.http.header and if empty use REMOTE_USER.

If the logic is as you are writing (and it makes a lot of sense 
according to what I am experiencing), I don't see many other solutions 
short what you are suggesting,

thank you so much,

Francesco