External web authentication (REMOTE_USER)
The NAV web UI can be made to honor the REMOTE_USER HTTP header as a means
of external authentication, by setting the appropriate options of the
[remote-user] section of webfront.conf.
The feature is enabled by setting enabled=yes in this section (A missing
section or value, or the value off is interpreted as the support being
off). When enabled, NAV will check for the HTTP header in varname (set to
REMOTE_USER by default), on every page load. If there is a string there, NAV
will attempt to use it as a username to log in with. An account will be created
if one does not already exist for that username.
REMOTE_USER (or another header) can be set by the web server hosting NAV,
and is a simple way of supporting federated logins via eg. Kerberors or SAML,
provided the web server has the necessary support/modules/plugins.
Since the password is controlled from a system externally to NAV, the user does not have access to change the password from inside NAV. If an account is set to invalid in NAV, the user will not be logged in, even if the header is set.
Creating users on first login
Earlier versions of this functionality created users on first login. That is no
longer the case. To enable the previous behaviour, set autocreate = on in
the [remote-user] section in the config-file.
With the default, which is off, it is necessary to pre-create users for
them to be able to log in. This can be done from the command line with
navuser, or via the web interface.
Workarounds for “strange” REMOTE_USER values
If the value set in the header is not sufficiently username-like, it can be
converted via a workaround as set in the workaround header. The only
workaround supported so far is for Feide via OpenId Connect, and you turn this
on by adding workaround = feide-oidc in the config section.
Setting specific URLs for external login/logout mechanism
If you want NAV to use the remote idP’s URLs for logging in and/or out, you can
set the login-url and the logout-url options in the [remote-user]
section. If the external mechanism supports redirecting the client back to the
originating site upon login/logout completion, the originating NAV URL can be
inserted using the placeholder string {}. Example:
[remote-user]
enabled = yes
login-url = https://sso.example.org/login?nexthop={}
logout-url = https://sso.example.org/logout?nexthop={}
logout-url will set the link that the logout-button points to, the default
is “/index/logout”.
Some remote user systems need to be visited after NAV has logged out the
user locally. The flag for that is post-logout-redirect-url.