External web authentication (REMOTE_USER)

The NAV web UI can be made to honor the REMOTE_USER HTTP header as a means of external authentication, by setting the appropriate options of the [remote-user] section of webfront.conf.

The feature is enabled by setting enabled=yes in this section (A missing section or value, or the value off is interpreted as the support being off). When enabled, NAV will check for the HTTP header in varname (set to REMOTE_USER by default), on every page load. If there is a string there, NAV will attempt to use it as a username to log in with. An account will be created if one does not already exist for that username.

REMOTE_USER (or another header) can be set by the web server hosting NAV, and is a simple way of supporting federated logins via eg. Kerberors or SAML, provided the web server has the necessary support/modules/plugins.

Since the password is controlled from a system externally to NAV, the user does not have access to change the password from inside NAV. If an account is set to invalid in NAV, the user will not be logged in, even if the header is set.

Creating users on first login

Earlier versions of this functionality created users on first login. That is no longer the case. To enable the previous behaviour, set autocreate = on in the [remote-user] section in the config-file.

With the default, which is off, it is necessary to pre-create users for them to be able to log in. This can be done from the command line with navuser, or via the web interface.

Workarounds for “strange” REMOTE_USER values

If the value set in the header is not sufficiently username-like, it can be converted via a workaround as set in the workaround header. The only workaround supported so far is for Feide via OpenId Connect, and you turn this on by adding workaround = feide-oidc in the config section.

Setting specific URLs for external login/logout mechanism

If you want NAV to use the remote idP’s URLs for logging in and/or out, you can set the login-url and the logout-url options in the [remote-user] section. If the external mechanism supports redirecting the client back to the originating site upon login/logout completion, the originating NAV URL can be inserted using the placeholder string {}. Example:

enabled = yes
login-url = https://sso.example.org/login?nexthop={}
logout-url = https://sso.example.org/logout?nexthop={}

logout-url will set the link that the logout-button points to, the default is “/index/logout”.

Some remote user systems need to be visited after NAV has logged out the user locally. The flag for that is post-logout-redirect-url.

Relevant How Tos: