Shibboleth does pass attribute to server variable in PHP

I am building a SAML based federated authentication mechanism in which the IdP is ADFS 2.0 and the SP is Shibboleth running on Linux. I am able to do the following:

  1. Attempt to access a protected page, which redirects me to the IdP login page.
  2. Log in via the IdP login page and get returned to the protected page.
  3. Browse to spserver.internal/Shibboleth.sso/Session and see the returned attributes, including eppn.

I am, however, unable to extract the eppn attribute in the form of the REMOTE_USER header in PHP.

I have disabled attribute-policy.xml (commented it out in shibboleth2.xml).

I am missing something trivial, I suspect for the world of me I don’t know what. Either PHP is not picking up the server variables set by Shibboleth or Shibboleth is never setting them. Any ideas?

Output from spserver.internal/Shibboleth.sso/Session

Session Expiration (barring inactivity): 479 minute(s)
Client Address: a.b.c.d
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider:
Authentication Time: 2014-10-28T11:55:23.947Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)

eppn: [email protected]

Relevant line from shibboleth2.xml:

    <ApplicationDefaults entityID="https://spURL/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id">

Relevant line from attribute-map.xml

<Attribute name="urn:oid:" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>

Relevant output from shibd.log

2014-10-28 11:55:21 DEBUG Shibboleth.SSO.SAML2 [2]: extracting issuer from SAML 2.0 assertion
2014-10-28 11:55:21 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [2]: evaluating message flow policy (replay checking on, expiration 60)
2014-10-28 11:55:21 DEBUG XMLTooling.StorageService [2]: inserted record (_06157709-48ab-4701-90b2-b3ecea5df51f) in context (MessageFlow) with expiration (1414497564)
2014-10-28 11:55:21 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [2]: validating signature profile
2014-10-28 11:55:21 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]: attempting to validate signature with the peer's credentials
2014-10-28 11:55:21 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]: signature validated with credential
2014-10-28 11:55:21 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [2]: signature verified against message issuer
2014-10-28 11:55:21 DEBUG OpenSAML.SecurityPolicyRule.BearerConfirmation [2]: assertion satisfied bearer confirmation requirements
2014-10-28 11:55:21 DEBUG Shibboleth.SSO.SAML2 [2]: SSO profile processing completed successfully
2014-10-28 11:55:21 DEBUG Shibboleth.SSO.SAML2 [2]: extracting pushed attributes...
2014-10-28 11:55:21 DEBUG Shibboleth.AttributeExtractor.XML [2]: unable to extract attributes, unknown XML object type: samlp:Response
2014-10-28 11:55:21 DEBUG Shibboleth.AttributeExtractor.XML [2]: unable to extract attributes, unknown XML object type: {urn:oasis:names:tc:SAML:2.0:assertion}AuthnStatement
2014-10-28 11:55:21 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name:, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
2014-10-28 11:55:21 DEBUG Shibboleth.AttributeDecoder.Scoped [2]: decoding ScopedAttribute (eppn) from SAML 2 Attribute (urn:oid: with 1 value(s)
2014-10-28 11:55:21 DEBUG Shibboleth.SSO.SAML2 [2]: resolving attributes...
2014-10-28 11:55:21 DEBUG Shibboleth.AttributeResolver.Query [2]: found AttributeStatement in input to new session, skipping query
2014-10-28 11:55:21 DEBUG Shibboleth.SessionCache [2]: creating new session
2014-10-28 11:55:21 DEBUG Shibboleth.SessionCache [2]: storing new session..

Server Fault Asked by pete.k on November 22, 2021

1 Answers

One Answer

I think that the answer that @pete k provides, is correct - although I didn't understand it at first. For others with limited Apache knowledge (like me) trying to configure Shibboleth, Shibboleth doesn't automatically make its server variables available to every page in your application, unless you explicitly tell it to. You can do this by putting the following sort of code either in a .htaccess file, or in a file in /etc/httpd/conf.d/

<Location /location-you-want-to-access-server-variables>
   AuthType shibboleth
    # ShibRequestSetting requireSession 1
   Require shibboleth

If you uncomment the middle directive, pages in the specified location will be forced to authenticate via shibboleth. If you leave it commented, authorisation won't be forced, but you will have access to your shibboleth server variables. In PHP, for example, they would be found in $_SERVER - although of course they won't be set until you do authenticate via Shibboleth.

Answered by charlesdeb on November 22, 2021

Add your own answers!

Related Questions

Increase download speed of ftp server

2  Asked on February 13, 2021 by 18bytes


MaxMind GeoIP CSV to .dat

1  Asked on February 12, 2021 by yax


ConvertToHTML converting wrong

1  Asked on February 9, 2021 by jonathan-davies


Shibboleth in sub-path URL

1  Asked on February 8, 2021 by j-b


How to resize docker volume after creation?

1  Asked on February 8, 2021 by gkman


Access Denied DHCP Tool

1  Asked on February 8, 2021 by drew-chapin


Custom file/folder permissions with S3FS?

1  Asked on February 8, 2021 by t-brian-jones


AWS RDS – Bottleneck

0  Asked on February 6, 2021 by tyralcori


Ask a Question

Get help from others!

© 2021 All rights reserved.