Skip to content

SSO using Remote User

Starting from 7.0.0, Seafile can integrate with various Single Sign On systems via a proxy server. Examples include Apache as Shibboleth proxy, or LemonLdap as a proxy to LDAP servers, or Apache as Kerberos proxy. Seafile can retrieve user information from special request headers (HTTP_REMOTE_USER, HTTP_X_AUTH_USER, etc.) set by the proxy servers.

After the proxy server (Apache/Nginx) is successfully authenticated, the user information is set to the request header, and Seafile creates and logs in the user based on this information.

Note: Make sure that the proxy server has a corresponding security mechanism to protect against forgery request header attacks.

Please add the following settings to conf/ to enable this feature.


# Optional, HTTP header, which is configured in your web server conf file,
# used for Seafile to get user's unique id, default value is 'HTTP_REMOTE_USER'.

# Optional, when the value of HTTP_REMOTE_USER is not a valid email address,
# Seafile will build a email-like unique id from the value of 'REMOTE_USER_HEADER'
# and this domain, e.g.

# Optional, whether to create new user in Seafile system, default value is True.
# If this setting is disabled, users doesn't preexist in the Seafile DB cannot login.
# The admin has to first import the users from external systems like LDAP.

# Optional, whether to activate new user in Seafile system, default value is True.
# If this setting is disabled, user will be unable to login by default.
# the administrator needs to manually activate this user.

# Optional, map user attribute in HTTP header and Seafile's user attribute.
    'HTTP_DISPLAYNAME': 'name',
    'HTTP_MAIL': 'contact_email',

    # for user info
    "HTTP_GIVENNAME": 'givenname',
    "HTTP_SN": 'surname',
    "HTTP_ORGANIZATION": 'institution',

    # for user role
    'HTTP_Shibboleth-affiliation': 'affiliation',

# Map affiliation to user role. Though the config name is SHIBBOLETH_AFFILIATION_ROLE_MAP,
# it is not restricted to Shibboleth
    '': 'staff',
    '': 'staff',
    '': 'student',
    '': 'guest',
    'patterns': (
        ('*', 'guest1'),
        ('*@*.de', 'guest2'),
        ('*', 'guest'),

Then restart Seafile.