We have an older galaxy installation (uses universe_wsgi.ini config file), that's configured for external user authentication, provided by our Apache proxy setup which uses Shibboleth to our campus authentication system. This works just fine.

I'm setting up a new galaxy installation, the configuration files are now different, i.e. galaxy.ini, etc., and am having trouble getting the same authentication mechanism to work. I have the same Apache proxy configuration that I do on the old galaxy, and I've set "use_remote_user = True" in galaxy.ini. When I go to the new galaxy URL, it correctly goes to our Shibboleth authentication screen, but upon returning to galaxy after successful authentication, I get an error "The proxy server received an invalid response from an upstream server."

I have verified that Shibboleth is returning the same information to both the old galaxy server and the new galaxy server. I believe galaxy is looking for the REMOTE_USER value, which is indeed being provided. In my case it provides:
(REMOTE_USER)   mwaldron
(HTTP_REMOTE_USER)

Am I missing something in the galaxy configuration?

Mike Waldron
Systems Specialist
ITS - Research Computing Center
University of North Carolina at Chapel Hill