External web authentication (REMOTE_USER)¶
The NAV web UI can be made to honor the REMOTE_USER HTTP header as a means
of external authentication, by setting the appropriate options of the
[remote-user] section of webfront.conf.
The feature is enabled by setting enabled=yes in this section (A missing
section or value, or the value off is interpreted as the support being
off). When enabled, NAV will check for the HTTP header in varname (set to
REMOTE_USER by default), on every page load. If there is a string there, NAV
will attempt to use it as a username to log in with. An account will be created
if one does not already exist for that username.
REMOTE_USER (or another header) can be set by the web server hosting NAV,
and is a simple way of supporting federated logins via eg. Kerberors or SAML,
provided the web server has the necessary support/modules/plugins.
Since the password is controlled from a system externally to NAV, the user does not have access to change the password from inside NAV. If an account is set to invalid in NAV, the user will not be logged in, even if the header is set.
Workarounds for “strange” REMOTE_USER values¶
If the value set in the header is not sufficiently username-like, it can be
converted via a workaround as set in the workaround header. The only
workaround supported so far is for Feide via OpenId Connect, and you turn this
on by adding workaround = feide-oidc in the config section.
Setting specific URLs for external login/logout mechanism¶
If you want NAV to use the remote idP’s URLs for logging in and/or out, you can
set the login-url and the logout-url options in the [remote-user]
section. If the external mechanism supports redirecting the client back to the
originating site upon login/logout completion, the originating NAV URL can be
inserted using the placeholder string {}. Example:
[remote-user]
enabled=yes
login-url: https://sso.example.org/login?nexthop={}
logout-url: https://sso.example.org/logout?nexthop={}