Hi there, we are having an issue using header-based external authentication using Shibboleth in Alfresco 5.2. User passwords are being corrupted and users cannot log in even after we change the password. After disabling external authentication in the authentication chain, everything starts to work again. I have included the following setup for the files we are using in Alfresco, Apache and Shibboleth:
External authentication in the default installation of Alfresco is implemented only using HTTP Header federation.
Looking at your Shibboleth configuration, I see only SAML2 and XML, which are both not supported by Alfresco. SAML2 is supported only if you install the dedicated plugin or if you use the Alfresco Identity Server (Keycloak).
Your Apache conf seems wrong:
RequestHeader unset X-Alfresco-Remote-UserProxyRequests Off
it should be:
RequestHeader unset X-Alfresco-Remote-User
The documentation you link to mentions that you have to install this separately. I guess that's what @openpj was referring to as the "dedicated plugin", which seems to be available to paying customers only.
My understanding would be that the preferred way for SAML SSO would be to use the Identity Services (Keycloak) as the glue between ACS/APS and Shibboleth. But it's basically a guess, so do your own research.
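The Apache directive problem pointed out in the reply above can be caught with a small configuration check; this is an added example, not part of the original posts or of Alfresco's tooling. The sample configurations, the `Location` block, the `RequestHeader set` line and the function name `lint_remote_user_header` are constructed for illustration.

```python
EXPECTED_HEADER = "X-Alfresco-Remote-User"  # header name taken from the thread

# Constructed sample configs (not the poster's real files).
FUSED_CONF = """\
<Location /alfresco>
    RequestHeader unset X-Alfresco-Remote-UserProxyRequests Off
    RequestHeader set X-Alfresco-Remote-User %{REMOTE_USER}s
</Location>
"""
FIXED_CONF = """\
ProxyRequests Off
<Location /alfresco>
    RequestHeader unset X-Alfresco-Remote-User
    RequestHeader set X-Alfresco-Remote-User %{REMOTE_USER}s
</Location>
"""


def lint_remote_user_header(conf_text, header=EXPECTED_HEADER):
    """Return (line_number, message) findings about the header's unset rule.

    Line number 0 marks a file-level finding.
    """
    findings = []
    exact_unset = False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Apache directive names are case-insensitive.
        if parts[0].lower() != "requestheader" or len(parts) < 3:
            continue
        action, name = parts[1].lower(), parts[2].strip('"')
        if action != "unset":
            continue
        if name.lower() == header.lower():
            exact_unset = True
        elif name.lower().startswith(header.lower()):
            # Header name has extra text glued on: two directives on one line.
            findings.append(
                (lineno, f"unset targets '{name}', not '{header}'"))
    if not exact_unset:
        # Without an exact unset, a client-sent value of the header is not
        # cleared by this configuration before the request is proxied.
        findings.append((0, f"no 'RequestHeader unset {header}' found"))
    return findings
```

Running it over the Apache configuration files that front Alfresco reports both the fused line and the resulting absence of a working unset rule for the identity header.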