HTTP_Authentication_Variable - one only?


(Douglas (@finnatic at @waikato)) #1

Matrix Version: 5.4.1.2

Am I correct in thinking that with the HTTP_Authentication_Variable -

If “Accept HTTP Authentication?” is set to “Yes”, Matrix will attempt to automatically login a user with a username matching the server variable in “HTTP Authentication Variable”.
This allows Matrix to accept users through certain types of single sign-on systems, but is a potential security risk as it will assume that the user has already been authenticated.

it’s limited to one variable only? E.g. if you have a server environment where the authenticated username might be in more than one server variable, you’ll need to do something to set a single server variable for Matrix to pick up on?


(David Schoen) #2

You would only need to configure this setting if you’re managing authentication (not credential storage, but actual authentication) totally outside of Matrix - e.g. if you configure an SSO proxy in front of Matrix it can pass back a username and Matrix simply trusts that that request belongs to that user. The same can be done within the Apache or Openresty instance Matrix runs in (e.g. mod_auth_saml was used before Matrix had native SAML support).

These days almost no one needs to change these settings - what are you actually trying to solve?

It’s fairly easy to leave the Matrix instance wide open if Matrix is configured to trust a username in a header and the infrastructure around Matrix (network and proxies) doesn’t prevent that header from getting injected via all external paths.
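As an added illustration of the point made in the reply above (this is not configuration from the thread or from Squiz Matrix itself), here is an nginx/OpenResty reverse-proxy configuration in which the identity header Matrix trusts is always overwritten by the proxy rather than passed through from the client. The assumptions are labelled in the comments: Matrix's "HTTP Authentication Variable" is taken to be HTTP_X_REMOTE_USER (so the backend reads the X-Remote-User request header), the backend listens on 127.0.0.1:8080, and a local SSO verifier on 127.0.0.1:9000 answers /verify with 200 plus an X-Auth-User header for a valid session and 401 otherwise. Hostnames and certificate paths are placeholders.

```nginx
# Added example, not from the forum thread or from Squiz Matrix.
# Assumption: Matrix reads its auto-login username from HTTP_X_REMOTE_USER,
# i.e. the X-Remote-User request header.

upstream matrix_backend {
    server 127.0.0.1:8080;   # assumption: Matrix is reachable only from this proxy
}

server {
    listen 443 ssl;
    server_name matrix.example.internal;             # placeholder hostname
    ssl_certificate     /etc/nginx/tls/matrix.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/matrix.key;

    # The weak setting, kept here only for contrast. A bare proxy_pass forwards
    # whatever request headers the client sent, so anyone who can reach this
    # vhost could supply their own X-Remote-User and be logged in as that user:
    #
    #   location / {
    #       proxy_pass http://matrix_backend;
    #   }

    # Subrequest target for the SSO verifier (assumed local service).
    # "internal" means clients can never request this path directly.
    location = /auth/verify {
        internal;
        proxy_pass http://127.0.0.1:9000/verify;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        # The client's copy of the identity header must not reach the verifier either.
        proxy_set_header X-Remote-User "";
    }

    location / {
        # Every request is checked first; a 401/403 from the verifier ends it here.
        auth_request /auth/verify;
        # Take the identity only from the verifier's response, never from the client.
        auth_request_set $sso_user $upstream_http_x_auth_user;

        proxy_pass http://matrix_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        # proxy_set_header replaces the whole header field, so this both removes any
        # client-supplied X-Remote-User and inserts the verified value. If $sso_user
        # is empty the header is omitted entirely rather than sent blank.
        proxy_set_header X-Remote-User $sso_user;
    }
}
```

Two things this configuration depends on beyond the file itself: the Matrix backend must not be reachable by any path that bypasses this proxy (otherwise the header can still be injected directly), and nginx's default of dropping request headers whose names contain underscores should be left in place, since a header such as X_Remote_User could otherwise normalise to the same server variable once it reaches the application.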