Symfony 2.6 Shibboleth Login - The Easy Way

There was a time we had to write complicated-hard-to-maintain Shibboleth bundles to get it working with Symfony. I did as well back in the Symfony 2.4 days. Fortunately since Symfony 2.6 there is a new security firewall option called remote_user. The REMOTE_USER variable passed by the http server is actually a standard.

A lot of authentication modules, like auth_kerb for Apache provide the username using the REMOTE_USER environment variable. This variable can be trusted by the application since the authentication happened before the request reached it.

This principle is also used by Shibboleth, at least in my situation. However the passed variable names was called differently, but it still passed the username in it. Luckily Symfony has even a configuration for that. So with only a few lines of code, you replace your home-brewed-insecure bundle for well-tested-built-in Symfony option. The built-in form_login and logout options are used to redirect to the Shibboleth endpoints where the actual login and logout takes place.

// app/config/security.yml
    // ...

            pattern:   ^/

                provider: main
                # Rename this if Shibboleth uses another var
                user: REMOTE_USER

            # Use the form login to redirect to the Shibboleth login endpoint

            # Use the logout to redirect to the Shibboleth logout endpoint
                path: /logout
                invalidate_session: true


To test this in PHPUnit:


$client = static::createClient();
$this->client->request('GET', '/secure', [], [], [
    'REMOTE_USER' => 'admin'

If you want to simulate it during testing set the REMOTE_USER in .htaccess:

# Shibboleth user login. Use for testing only!
SetEnv REMOTE_USER admin