REMOTE USER Authentication: Difference between revisions

From VoIPmonitor.org
(Explicitly mention Azure AD as supported OIDC provider)
(Create: REMOTE_USER SSO authentication documentation)
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
{{DISPLAYTITLE:REMOTE_USER Authentication (External Web Server Auth)}}
{{DISPLAYTITLE:REMOTE_USER Authentication (SSO)}}
__TOC__
[[Category:Configuration]]
[[Category:Authentication]]


== Overview ==
= REMOTE_USER Authentication =


VoIPmonitor GUI can integrate with external authentication systems via the '''REMOTE_USER''' server variable. This allows you to use any Apache authentication module that performs user authentication and passes the authenticated username to the application.
REMOTE_USER authentication allows VoIPmonitor GUI to integrate with external Single Sign-On (SSO) systems like '''Shibboleth''', '''CAS''', '''Kerberos''', or any web server authentication module that sets the <code>REMOTE_USER</code> environment variable.
 
'''Important:''' The GUI does not implement authentication protocols like Shibboleth, SAML, or OpenID Connect directly. Instead, your web server (Apache) handles all authentication, and the GUI simply reads the resulting username from the REMOTE_USER variable.
 
{| class="wikitable"
|-
! Component !! Role
|-
| Apache module || Handles authentication (redirects, token validation, session management)
|-
| REMOTE_USER variable || Contains authenticated username after successful login
|-
| VoIPmonitor GUI || Reads REMOTE_USER and maps it to GUI user for permissions
|}
 
== Supported Apache Modules ==
 
Any Apache module that sets the REMOTE_USER variable can be used:
 
{| class="wikitable"
|-
! Module !! Protocol !! Use Case
|-
| mod_shib || Shibboleth/SAML 2.0 || Enterprise/academic SSO federations
|-
| mod_auth_openidc || OpenID Connect || OAuth 2.0/OIDC identity providers (Azure AD/Entra ID, Keycloak, Okta, Google, etc.)
|-
| mod_auth_mellon || SAML 2.0 || SAML-based identity providers
|-
| mod_auth_basic || HTTP Basic Auth || Testing and simple setups
|-
| mod_auth_kerb || Kerberos || Active Directory/Windows domain authentication
|}


== How It Works ==
== How It Works ==


The authentication flow:
<kroki lang="mermaid">
%%{init: {'flowchart': {'nodeSpacing': 15, 'rankSpacing': 30}}}%%
flowchart LR
    U[User] --> WS[Web Server<br/>Apache/Nginx]
    WS -->|mod_shib<br/>mod_auth_kerb<br/>mod_auth_cas| IDP[Identity Provider]
    IDP -->|Auth Success| WS
    WS -->|REMOTE_USER=username| PHP[PHP<br/>custom_login.php]
    PHP --> VM[VoIPmonitor GUI]
</kroki>


# User accesses VoIPmonitor GUI URL
# User accesses VoIPmonitor GUI
# Apache module intercepts request and redirects to identity provider (if not authenticated)
# Web server intercepts and redirects to Identity Provider
# User authenticates with identity provider
# User authenticates with IdP (Shibboleth, AD, LDAP, etc.)
# Identity provider returns success to Apache module
# Web server sets <code>$_SERVER['REMOTE_USER']</code> with authenticated username
# Apache module sets REMOTE_USER server variable with username
# VoIPmonitor's <code>custom_login.php</code> script reads this value and maps to GUI user
# VoIPmonitor GUI reads REMOTE_USER and uses it as login name
# GUI looks up user in its database for permissions
# If user not found, GUI uses the default REMOTE_USER account (if configured)
 
== Prerequisites ==
 
* Web server with authentication module installed and configured (Apache with mod_shib, mod_auth_openidc, etc.)
* Authentication module configured to protect the GUI directory/location
* Authentication module configured to pass username via REMOTE_USER
* GUI users created for each authenticated user, OR a default REMOTE_USER account configured
 
'''Note:''' Configuring the Apache authentication module itself is beyond the scope of this documentation. Refer to your specific module's documentation:
* [https://shibboleth.atlassian.net/wiki/spaces/SP3/overview Shibboleth SP documentation]
* [https://github.com/OpenIDC/mod_auth_openidc mod_auth_openidc documentation]
* [https://github.com/latchset/mod_auth_mellon mod_auth_mellon documentation]


== Configuration ==
== Configuration ==


=== Step 1: Enable REMOTE_USER Authentication ===
=== Step 1: Configure Web Server Authentication ===


# Navigate to '''GUI > Settings > System Configuration'''
Configure your web server to protect the VoIPmonitor directory and set REMOTE_USER. Example for '''Apache with Shibboleth''':
# Find the option '''Use Shibboleth/REMOTE_USER for auth'''
# Enable the checkbox


=== Step 2: Configure Default User (Optional) ===
<syntaxhighlight lang="apache">
<Location /voipmonitor>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
</Location>
</syntaxhighlight>


If you want users who don't have a matching GUI account to still be able to log in:
Example for '''Apache with Kerberos''':


# Navigate to '''GUI > Users & Audit > Users'''
<syntaxhighlight lang="apache">
# Select or create a user to be the default for REMOTE_USER logins
<Location /voipmonitor>
# Enable the checkbox '''Default Shibboleth/REMOTE_USER account'''
    AuthType Kerberos
    AuthName "VoIPmonitor SSO"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP/voipmonitor.example.com@EXAMPLE.COM
    Krb5Keytab /etc/httpd/http.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Require valid-user
</Location>
</syntaxhighlight>


When REMOTE_USER provides a username that doesn't exist in GUI, this default user's permissions will be used.
=== Step 2: Create custom_login.php Script ===


== Usage ==
Create the custom login script at <code>/var/www/html/scripts/custom_login.php</code>:


After Apache authentication completes successfully:
<syntaxhighlight lang="php">
<?php
/**
* REMOTE_USER Authentication for VoIPmonitor
*
* This script is called by VoIPmonitor GUI when custom authentication is enabled.
* It must return a JSON array with user details.
*/


# The VoIPmonitor GUI login page shows a '''Shibboleth/REMOTE_USER''' button (alongside Google and Microsoft buttons if configured)
function custom_login($username, $password) {
# Clicking this button uses the REMOTE_USER value as the login name
    // Get REMOTE_USER from web server
# If the username matches a GUI user, that user's permissions apply
    $remote_user = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : null;
# If no match is found, the default REMOTE_USER account is used (if configured)
# Login completes automatically


== Logout ==
    // For SSO, password is not used - user is already authenticated
    if (empty($remote_user)) {
        return array('error' => 'Not authenticated via SSO');
    }


The logout URL is constructed automatically:
    // Extract username (remove domain if present: user@domain.com -> user)
    $clean_username = preg_replace('/@.*$/', '', $remote_user);


# GUI checks for '''Shib-Handler''' HTTP header
    // Map to VoIPmonitor user
# If present: logout URL = Shib-Handler value + '''/Logout'''
    // Option A: Direct mapping (SSO username = VoIPmonitor username)
# If not present: logout URL = HTTP_HOST + '''/Shibboleth.sso/Logout'''
    return array(
        'id'       => crc32($clean_username),  // MUST be unique numeric ID per user
        'username' => $clean_username,
        'name'     => $clean_username,
        'is_admin' => false,                  // Set true for admin users
        'id_group' => 1,                      // Group ID for permissions
    );


=== Custom Logout URL ===
    // Option B: LDAP lookup for additional attributes
    // $ldap_info = ldap_lookup($remote_user);
    // return array(
    //    'id'      => $ldap_info['uidnumber'],
    //    'username' => $ldap_info['uid'],
    //    'name'    => $ldap_info['cn'],
    //    'is_admin' => in_array('VoIP-Admins', $ldap_info['groups']),
    //    'id_group' => determine_group($ldap_info),
    // );
}
?>
</syntaxhighlight>


For non-Shibboleth modules or custom setups:
{{Warning|1=The <code>id</code> field MUST return a '''unique numeric ID''' for each user. Using the same ID for multiple users causes them to share settings and permissions. Use LDAP <code>uidnumber</code> or <code>crc32()</code> of username.}}


# Navigate to '''GUI > Settings > System Configuration'''
=== Step 3: Enable Custom Login in GUI ===
# Set '''Logout URL for Shibboleth/REMOTE_USER''' to your identity provider's logout endpoint


== Disable Login Window Completely ==
# Navigate to '''Settings''' > '''System Configuration''' > '''Authentication'''
# Set '''Custom login script''' to: <code>/var/www/html/scripts/custom_login.php</code>
# Optionally set '''Don't display local login form''' to '''Yes''' (SSO only)


For environments where REMOTE_USER is the only authentication method:
== User Mapping Options ==


# Navigate to '''GUI > Settings > System Configuration'''
{| class="wikitable"
# Enable '''Disable login window completely'''
! Method !! Description !! When to Use
|-
| '''Direct''' || SSO username maps directly to VoIPmonitor username || Simple setups, usernames match
|-
| '''LDAP Lookup''' || Query LDAP/AD for user attributes || Need groups, full name, or permissions from directory
|-
| '''Database Lookup''' || Query external database for mapping || Custom user management systems
|-
| '''Hybrid''' || Check VoIPmonitor DB first, then create from SSO || Auto-provisioning new users
|}


With this option:
=== Auto-Provisioning Users ===
* No login dialog is shown
* REMOTE_USER authentication happens automatically
* Users are logged in immediately based on REMOTE_USER value


=== User Language Setting ===
To automatically create GUI users on first SSO login, extend <code>custom_login.php</code> to check if user exists and insert if not:


When the login window is disabled, users cannot select their language at login. Instead:
<syntaxhighlight lang="php">
function custom_login($username, $password) {
    $remote_user = $_SERVER['REMOTE_USER'] ?? null;
    if (!$remote_user) return array('error' => 'SSO required');


# Navigate to '''GUI > Users & Audit > Users'''
    $clean_username = preg_replace('/@.*$/', '', $remote_user);
# Select the user
# Set their preferred language in user settings


== Integration with Custom Login Script ==
    // Check if user exists in VoIPmonitor
    $mysqli = new mysqli('localhost', 'voipmonitor', 'password', 'voipmonitor');
    $stmt = $mysqli->prepare("SELECT id, id_group FROM users WHERE username = ?");
    $stmt->bind_param('s', $clean_username);
    $stmt->execute();
    $result = $stmt->get_result();


REMOTE_USER authentication is compatible with [[WEB_API#Custom_Login|custom login scripts]]:
    if ($row = $result->fetch_assoc()) {
        // Existing user
        return array(
            'id'      => (int)$row['id'],
            'username' => $clean_username,
            'id_group' => (int)$row['id_group'],
        );
    } else {
        // Create new user (auto-provision)
        $stmt = $mysqli->prepare("INSERT INTO users (username, id_group) VALUES (?, 2)");
        $stmt->bind_param('s', $clean_username);
        $stmt->execute();


* The REMOTE_USER value is passed to the custom script
        return array(
* The script must return the standard structure as documented in [[WEB_API#Custom_Login]]
            'id'       => (int)$mysqli->insert_id,
* '''Note:''' Internal GUI users take precedence over custom login users
            'username' => $clean_username,
            'id_group' => 2,  // Default group for new users
        );
    }
}
</syntaxhighlight>


== Troubleshooting ==
== Troubleshooting ==


{| class="wikitable"
{| class="wikitable"
! Problem !! Cause !! Solution
|-
|-
! Problem !! Solution
| SSO works but "Access denied" || <code>custom_login.php</code> not configured || Enable custom login in GUI Settings
|-
|-
| REMOTE_USER button not visible || Verify Apache module is setting REMOTE_USER (check with phpinfo() or similar)
| All users share settings || Same <code>id</code> returned for all users || Return unique numeric ID per user (use <code>uidnumber</code> or <code>crc32(username)</code>)
|-
|-
| Login fails with "User not found" || Create matching user in GUI OR configure default REMOTE_USER account
| REMOTE_USER is empty || Web server auth not reaching PHP || Check <code>CGIPassAuth On</code> (Apache 2.4.13+) or proxy headers
|-
|-
| Logout doesn't work || Configure custom logout URL in System Configuration
| SSO bypass possible || Local login form still visible || Set "Don't display local login form" = Yes
|-
|-
| Wrong permissions applied || Check that the correct user is matched or verify default account permissions
| Headers not passed through proxy || Reverse proxy strips auth headers || Configure <code>RequestHeader set REMOTE_USER %{REMOTE_USER}e</code>
|}
|}
=== Debugging ===
Create a test script to verify REMOTE_USER is being passed:
<syntaxhighlight lang="php">
<?php
// /var/www/html/test_sso.php - DELETE after testing!
echo "REMOTE_USER: " . ($_SERVER['REMOTE_USER'] ?? 'NOT SET') . "\n";
echo "All auth headers:\n";
foreach ($_SERVER as $key => $value) {
    if (strpos($key, 'AUTH') !== false || strpos($key, 'REMOTE') !== false) {
        echo "  $key: $value\n";
    }
}
?>
</syntaxhighlight>
{{Note|1=For Nginx with PHP-FPM, pass REMOTE_USER via: <code>fastcgi_param REMOTE_USER $remote_user;</code>}}


== See Also ==
== See Also ==


* [[Authentication]] - Overview of all authentication methods
* [[Google_Sign_in_usage|Google Sign-In (OAuth)]]
* [[Google_Sign_in_usage]] - Built-in Google OAuth 2.0 integration
* [[Microsoft_Sign_in_usage|Microsoft Sign-In (Entra/Azure AD)]]
* [[Microsoft_Sign_in_usage]] - Built-in Microsoft Entra ID integration
* [[User_Management|User Management and Permissions]]
* [[WEB_API#Custom_Login]] - LDAP and custom authentication scripts
* [[WEB_API#Custom_Login|Custom Login API Reference]]
* [[2FA]] - Two-factor authentication


== AI Summary for RAG ==
== AI Summary for RAG ==


'''Summary:''' VoIPmonitor GUI supports REMOTE_USER authentication for integration with external web server authentication modules. Apache handles all authentication (Shibboleth, OpenID Connect, SAML, Kerberos) and passes the authenticated username via REMOTE_USER variable. GUI reads this variable and maps it to internal users for permissions. A default user can be configured for unmatched usernames. The login window can be disabled completely for automatic REMOTE_USER authentication.
'''Summary:''' REMOTE_USER authentication enables VoIPmonitor GUI integration with enterprise SSO systems (Shibboleth, Kerberos, CAS) via web server authentication modules. Configuration requires: (1) Web server setup (Apache/Nginx) with auth module to set REMOTE_USER, (2) custom_login.php script that reads $_SERVER['REMOTE_USER'] and returns user mapping with UNIQUE numeric ID, (3) Enable custom login in GUI Settings. Critical requirement: each user MUST have unique numeric 'id' field to prevent shared settings. Supports auto-provisioning via database insertion on first login. For reverse proxies, configure header passthrough (CGIPassAuth On, RequestHeader set). Debugging: check $_SERVER['REMOTE_USER'] value with test script.


'''Keywords:''' REMOTE_USER, Shibboleth, SSO, single sign-on, Apache authentication, mod_shib, mod_auth_openidc, mod_auth_mellon, SAML, OpenID Connect, OIDC, Kerberos, external authentication, web server authentication, enterprise SSO, federation, identity provider
'''Keywords:''' REMOTE_USER, SSO, Single Sign-On, Shibboleth, Kerberos, CAS, SAML, custom_login.php, Apache mod_shib, mod_auth_kerb, enterprise authentication, auto-provision, LDAP, uidnumber, unique user ID, CGIPassAuth, reverse proxy authentication, PHP-FPM REMOTE_USER


'''Key Questions:'''
'''Key Questions:'''
* How do I integrate VoIPmonitor with Shibboleth?
* How do I configure VoIPmonitor for Shibboleth SSO?
* How do I use REMOTE_USER authentication with VoIPmonitor?
* How do I integrate VoIPmonitor with Kerberos authentication?
* Can I use OpenID Connect with VoIPmonitor?
* What is custom_login.php and how do I use it for SSO?
* How do I configure SAML authentication for VoIPmonitor?
* Why do all my SSO users share the same settings?
* What Apache modules work with VoIPmonitor for SSO?
* How do I auto-provision VoIPmonitor users from SSO?
* How do I disable the login window and use automatic authentication?
* Why is REMOTE_USER empty in my custom_login.php script?
* What is the third login button in VoIPmonitor (not Google or Microsoft)?
* How do I pass REMOTE_USER through Nginx reverse proxy?
 
* How do I disable local login when using SSO?
[[Category:Authentication]]
* What unique ID should I return for each SSO user?
[[Category:Configuration]]
* How do I debug REMOTE_USER authentication issues?
[[Category:GUI]]

Latest revision as of 16:52, 8 January 2026


REMOTE_USER Authentication

REMOTE_USER authentication allows VoIPmonitor GUI to integrate with external Single Sign-On (SSO) systems like Shibboleth, CAS, Kerberos, or any web server authentication module that sets the REMOTE_USER environment variable.

How It Works

  1. User accesses VoIPmonitor GUI
  2. Web server intercepts and redirects to Identity Provider
  3. User authenticates with IdP (Shibboleth, AD, LDAP, etc.)
  4. Web server sets $_SERVER['REMOTE_USER'] with authenticated username
  5. VoIPmonitor's custom_login.php script reads this value and maps to GUI user

Configuration

Step 1: Configure Web Server Authentication

Configure your web server to protect the VoIPmonitor directory and set REMOTE_USER. Example for Apache with Shibboleth: 

<Location /voipmonitor>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
</Location>

Example for Apache with Kerberos: 

<Location /voipmonitor>
    AuthType Kerberos
    AuthName "VoIPmonitor SSO"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP/voipmonitor.example.com@EXAMPLE.COM
    Krb5Keytab /etc/httpd/http.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Require valid-user
</Location>

Step 2: Create custom_login.php Script

Create the custom login script at /var/www/html/scripts/custom_login.php: 

<?php
/**
 * REMOTE_USER Authentication for VoIPmonitor
 *
 * This script is called by VoIPmonitor GUI when custom authentication is enabled.
 * It must return a JSON array with user details.
 */

function custom_login($username, $password) {
    // Get REMOTE_USER from web server
    $remote_user = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : null;

    // For SSO, password is not used - user is already authenticated
    if (empty($remote_user)) {
        return array('error' => 'Not authenticated via SSO');
    }

    // Extract username (remove domain if present: user@domain.com -> user)
    $clean_username = preg_replace('/@.*$/', '', $remote_user);

    // Map to VoIPmonitor user
    // Option A: Direct mapping (SSO username = VoIPmonitor username)
    return array(
        'id'       => crc32($clean_username),  // MUST be unique numeric ID per user
        'username' => $clean_username,
        'name'     => $clean_username,
        'is_admin' => false,                   // Set true for admin users
        'id_group' => 1,                       // Group ID for permissions
    );

    // Option B: LDAP lookup for additional attributes
    // $ldap_info = ldap_lookup($remote_user);
    // return array(
    //     'id'       => $ldap_info['uidnumber'],
    //     'username' => $ldap_info['uid'],
    //     'name'     => $ldap_info['cn'],
    //     'is_admin' => in_array('VoIP-Admins', $ldap_info['groups']),
    //     'id_group' => determine_group($ldap_info),
    // );
}
?>

⚠️ Warning: The id field MUST return a unique numeric ID for each user. Using the same ID for multiple users causes them to share settings and permissions. Use LDAP uidnumber or crc32() of username.

Step 3: Enable Custom Login in GUI

  1. Navigate to Settings > System Configuration > Authentication
  2. Set Custom login script to: /var/www/html/scripts/custom_login.php
  3. Optionally set Don't display local login form to Yes (SSO only)

User Mapping Options

Method Description When to Use
Direct SSO username maps directly to VoIPmonitor username Simple setups, usernames match
LDAP Lookup Query LDAP/AD for user attributes Need groups, full name, or permissions from directory
Database Lookup Query external database for mapping Custom user management systems
Hybrid Check VoIPmonitor DB first, then create from SSO Auto-provisioning new users

Auto-Provisioning Users

To automatically create GUI users on first SSO login, extend custom_login.php to check if user exists and insert if not: 

function custom_login($username, $password) {
    $remote_user = $_SERVER['REMOTE_USER'] ?? null;
    if (!$remote_user) return array('error' => 'SSO required');

    $clean_username = preg_replace('/@.*$/', '', $remote_user);

    // Check if user exists in VoIPmonitor
    $mysqli = new mysqli('localhost', 'voipmonitor', 'password', 'voipmonitor');
    $stmt = $mysqli->prepare("SELECT id, id_group FROM users WHERE username = ?");
    $stmt->bind_param('s', $clean_username);
    $stmt->execute();
    $result = $stmt->get_result();

    if ($row = $result->fetch_assoc()) {
        // Existing user
        return array(
            'id'       => (int)$row['id'],
            'username' => $clean_username,
            'id_group' => (int)$row['id_group'],
        );
    } else {
        // Create new user (auto-provision)
        $stmt = $mysqli->prepare("INSERT INTO users (username, id_group) VALUES (?, 2)");
        $stmt->bind_param('s', $clean_username);
        $stmt->execute();

        return array(
            'id'       => (int)$mysqli->insert_id,
            'username' => $clean_username,
            'id_group' => 2,  // Default group for new users
        );
    }
}

Troubleshooting

Problem Cause Solution
SSO works but "Access denied" custom_login.php not configured Enable custom login in GUI Settings
All users share settings Same id returned for all users Return unique numeric ID per user (use uidnumber or crc32(username))
REMOTE_USER is empty Web server auth not reaching PHP Check CGIPassAuth On (Apache 2.4.13+) or proxy headers
SSO bypass possible Local login form still visible Set "Don't display local login form" = Yes
Headers not passed through proxy Reverse proxy strips auth headers Configure RequestHeader set REMOTE_USER %{REMOTE_USER}e

Debugging

Create a test script to verify REMOTE_USER is being passed: 

<?php
// /var/www/html/test_sso.php - DELETE after testing!
echo "REMOTE_USER: " . ($_SERVER['REMOTE_USER'] ?? 'NOT SET') . "\n";
echo "All auth headers:\n";
foreach ($_SERVER as $key => $value) {
    if (strpos($key, 'AUTH') !== false || strpos($key, 'REMOTE') !== false) {
        echo "  $key: $value\n";
    }
}
?>

ℹ️ Note: For Nginx with PHP-FPM, pass REMOTE_USER via: fastcgi_param REMOTE_USER $remote_user;

See Also

AI Summary for RAG

Summary: REMOTE_USER authentication enables VoIPmonitor GUI integration with enterprise SSO systems (Shibboleth, Kerberos, CAS) via web server authentication modules. Configuration requires: (1) Web server setup (Apache/Nginx) with auth module to set REMOTE_USER, (2) custom_login.php script that reads $_SERVER['REMOTE_USER'] and returns user mapping with UNIQUE numeric ID, (3) Enable custom login in GUI Settings. Critical requirement: each user MUST have unique numeric 'id' field to prevent shared settings. Supports auto-provisioning via database insertion on first login. For reverse proxies, configure header passthrough (CGIPassAuth On, RequestHeader set). Debugging: check $_SERVER['REMOTE_USER'] value with test script.

Keywords: REMOTE_USER, SSO, Single Sign-On, Shibboleth, Kerberos, CAS, SAML, custom_login.php, Apache mod_shib, mod_auth_kerb, enterprise authentication, auto-provision, LDAP, uidnumber, unique user ID, CGIPassAuth, reverse proxy authentication, PHP-FPM REMOTE_USER

Key Questions:

  • How do I configure VoIPmonitor for Shibboleth SSO?
  • How do I integrate VoIPmonitor with Kerberos authentication?
  • What is custom_login.php and how do I use it for SSO?
  • Why do all my SSO users share the same settings?
  • How do I auto-provision VoIPmonitor users from SSO?
  • Why is REMOTE_USER empty in my custom_login.php script?
  • How do I pass REMOTE_USER through Nginx reverse proxy?
  • How do I disable local login when using SSO?
  • What unique ID should I return for each SSO user?
  • How do I debug REMOTE_USER authentication issues?
Retrieved from "https://www.voipmonitor.org/doc/index.php?title=REMOTE_USER_Authentication&oldid=10207"