External web authentication (REMOTE_USER)

The NAV web UI can be made to honor the REMOTE_USER HTTP header as a means of external authentication, by setting the appropriate options of the [remote-user] section of webfront.conf.

The feature is enabled by setting enabled=yes in this section (A missing section or value, or the value off is interpreted as the support being off). When enabled, NAV will check for the HTTP header in varname (set to REMOTE_USER by default), on every page load. If there is a string there, NAV will attempt to use it as a username to log in with. An account will be created if one does not already exist for that username.

REMOTE_USER (or another header) can be set by the web server hosting NAV, and is a simple way of supporting federated logins via eg. Kerberors or SAML, provided the web server has the necessary support/modules/plugins.

Since the password is controlled from a system externally to NAV, the user does not have access to change the password from inside NAV. If an account is set to invalid in NAV, the user will not be logged in, even if the header is set.

Workarounds for “strange” REMOTE_USER values

If the value set in the header is not sufficiently username-like, it can be converted via a workaround as set in the workaround header. The only workaround supported so far is for Feide via OpenId Connect, and you turn this on by adding workaround = feide-oidc in the config section.

Setting specific URLs for external login/logout mechanism

If you want NAV to use the remote idP’s URLs for logging in and/or out, you can set the login-url and the logout-url options in the [remote-user] section. If the external mechanism supports redirecting the client back to the originating site upon login/logout completion, the originating NAV URL can be inserted using the placeholder string {}. Example:

[remote-user]
enabled=yes
login-url: https://sso.example.org/login?nexthop={}
logout-url: https://sso.example.org/logout?nexthop={}