[Shib-Users] Problem to access attributes after integrate Shibboleth SP 2.2 with ADFS


lliu

Aug 22, 2009, 10:15:23 PM
to shibbole...@internet2.edu

Hi, I'm new to Shibboleth. Due to time pressure and failures to get obvious
answers via searching, please forgive me if this is a basic or duplicate
question. I'd appreciate any enlightenment!

Environment:
SP: Shibboleth SP 2.2
IDP: ADFS (SAML1.1)
Application: PHP

What I need: after Shibboleth builds a token successfully, I need to get
the value of an attribute, emailAddress. But it's not cached in the session.
I need to know what's wrong, how to store it in the session, and how I
access this attribute. (I'm assuming I should access it like: $email =
$_REQUEST['emailAddress'];)

Known points:
1. For now, there are no errors in shibd.log or transactions.log in the whole
process.
2. I don't use an AttributeFilter.
3. I tried to print out $_SERVER, $_REQUEST, $_SESSION and $_COOKIE, but was
not able to see anything about emailAddress.

Shibboleth2.xml:
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
logger="syslog.logger" clockSkew="180">
<OutOfProcess logger="shibd.logger">
<Extensions>
<Library path="adfs.so" fatal="true"/>
</Extensions>
</OutOfProcess>
<InProcess logger="native.logger">
<Extensions>
<Library path="adfs-lite.so" fatal="true"/>
</Extensions>
</InProcess>
<UnixListener address="shibd.sock"/>
<StorageService type="Memory" id="mem" cleanupInterval="900"/>
<SessionCache type="StorageService" StorageService="mem"
cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
<ReplayCache StorageService="mem"/>
<ArtifactMap artifactTTL="180"/>
<RequestMapper type="Native">
<RequestMap applicationId="default">
<Host name="idp-test.app.com">
<Path name="secure" authType="shibboleth"
requireSession="true"/>
</Host>
</RequestMap>
</RequestMapper>
<ApplicationDefaults id="default" policyId="default"
entityID="https://idp-test.app.com/shibboleth-sp"
homeURL="https://idp-test.app.com/"
REMOTE_USER="NameIdentifier email NameID persistent-id"
signing="false" encryption="false">
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
handlerURL="/Shibboleth.sso" handlerSSL="true"

exportLocation="http://idp-test.app.com/Shibboleth.sso/GetAssertion"
exportACL="127.0.0.1"
idpHistory="false" idpHistoryDays="7">
<SessionInitiator type="Chaining" Location="/Login"
isDefault="true"
relayState="cookie" entityID="urn:federation:idp">
<SessionInitiator type="ADFS" defaultACSIndex="10"
template="bindingTemplate.html"/>
</SessionInitiator>
<md:AssertionConsumerService Location="/SAML2/POST" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:AssertionConsumerService Location="/SAML2/POST-SimpleSign"
index="2"

Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
<md:AssertionConsumerService Location="/SAML2/Artifact"
index="3"

Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:AssertionConsumerService Location="/SAML2/ECP" index="4"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
<md:AssertionConsumerService Location="/SAML/POST" index="5"

Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" index="6"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
<md:AssertionConsumerService Location="/ADFS" index="10"
Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"/>
<md:SingleLogoutService Location="/SLO/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:SingleLogoutService Location="/SLO/Redirect"
conf:template="bindingTemplate.html"

Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:SingleLogoutService Location="/SLO/POST"
conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleLogoutService Location="/SLO/Artifact"
conf:template="bindingTemplate.html"

Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:ManageNameIDService Location="/NIM/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:ManageNameIDService Location="/NIM/Redirect"
conf:template="bindingTemplate.html"

Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:ManageNameIDService Location="/NIM/POST"
conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:ManageNameIDService Location="/NIM/Artifact"
conf:template="bindingTemplate.html"

Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:ArtifactResolutionService Location="/Artifact/SOAP"
index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<Handler type="MetadataGenerator" Location="/Metadata"
signing="false"/>
<Handler type="Status" Location="/Status" acl="127.0.0.1"/>
<Handler type="Session" Location="/Session"
showAttributeValues="true"/>
</Sessions>
<Errors session="sessionError.html"
metadata="metadataError.html"
access="accessError.html"
ssl="sslError.html"
localLogout="localLogout.html"
globalLogout="globalLogout.html"
supportContact="ll...@hgsamerica.com"
logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>
<MetadataProvider type="XML" file="idp-metadata.xml"/>
<TrustEngine type="Chaining">
<TrustEngine type="ExplicitKey"/>
</TrustEngine>
<AttributeExtractor type="XML" path="attribute-map.xml"/>
<!-- AttributeFilter type="XML" path="attribute-policy.xml"/ -->
<CredentialResolver type="File" key="sp-key.pem"
certificate="sp-cert.pem"/>
</ApplicationDefaults>
<SecurityPolicies>
<Policy id="default" validate="false">
<PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
<PolicyRule type="Conditions">
<PolicyRule type="Audience">

<saml:Audience>https://idp-test.app.com/shibboleth-sp</saml:Audience>
</PolicyRule>
</PolicyRule>
<PolicyRule type="ClientCertAuth" errorFatal="true"/>
<PolicyRule type="XMLSigning" errorFatal="true"/>
<PolicyRule type="SimpleSigning" errorFatal="true"/>
</Policy>
</SecurityPolicies>
</SPConfig>

attribute-map.xml:
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!-- WS-Fed attributes -->
<Attribute nameFormat="http://schemas.xmlsoap.org/claims"
name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" id="email"/>
</Attributes>

assertion file received:
<wst:RequestSecurityTokenResponse
xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wst:RequestedSecurityToken>
<saml:Assertion AssertionID="_f2c62902-9f47-41d9-b105-0609b0097f3e"
IssueInstant="2009-08-19T15:31:46Z" Issuer="urn:federation:idp"
MajorVersion="1" MinorVersion="1"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2009-08-19T15:26:46Z"
NotOnOrAfter="2009-08-19T16:31:46Z">
<saml:AudienceRestrictionCondition>

<saml:Audience>https://idp-test.app.com/shibboleth-sp</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:Advice>
<adfs:CookieInfoHash
xmlns:adfs="urn:microsoft:federation">Y9tp63CT8arjQF4EpjsHFEN+tEE=</adfs:CookieInfoHash>
</saml:Advice>
<saml:AuthenticationStatement
AuthenticationInstant="2009-08-19T15:31:46Z"
AuthenticationMethod="urn:federation:authentication:windows">
<saml:Subject>
<saml:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">John....@idp.com</saml:NameIdentifier>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_f2c62902-9f47-41d9-b105-0609b0097f3e">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
/>
<DigestValue>HvDWZXqG0sv1vtAk+htETsxTUZQ=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>...</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>...</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
</wst:RequestedSecurityToken>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
<wsa:Address>https://idp-test.app.com/shibboleth-sp</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
</wst:RequestSecurityTokenResponse>

Shibd.log:
2009-08-22 07:52:35 INFO Shibboleth.Config : Library versions: Xerces-C
3.0.1, XML-Security-C 1.5.0, XMLTooling-C 1.2.0, OpenSAML-C 2.2.0,
Shibboleth 1.2.0
2009-08-22 07:52:35 INFO XMLTooling.XMLToolingConfig : loading extension:
adfs.so
2009-08-22 07:52:35 INFO XMLTooling.XMLToolingConfig : loaded extension:
/usr/lib/shibboleth/adfs.so
2009-08-22 07:52:35 INFO Shibboleth.Config : building ListenerService of
type UnixListener...
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (set::RelayState)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (get::RelayState)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (set::PostData)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (get::PostData)
2009-08-22 07:52:35 INFO Shibboleth.Config : building StorageService (mem)
of type Memory...
2009-08-22 07:52:35 INFO Shibboleth.Config : building ReplayCache on top of
StorageService (mem)...
2009-08-22 07:52:35 INFO XMLTooling.StorageService : cleanup thread
started...running every 900 seconds
2009-08-22 07:52:35 INFO Shibboleth.Config : building in-memory
ArtifactMap...
2009-08-22 07:52:35 INFO Shibboleth.Config : building SessionCache of type
StorageService...
2009-08-22 07:52:35 INFO Shibboleth.SessionCache : bound to StorageService
(mem)
2009-08-22 07:52:35 INFO Shibboleth.SessionCache : No StorageServiceLite
specified. Using standard StorageService.
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (find::StorageService::SessionCache)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (remove::StorageService::SessionCache)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (touch::StorageService::SessionCache)
2009-08-22 07:52:35 INFO OpenSAML.SecurityPolicyRule.Conditions : building
SecurityPolicyRule of type Audience
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (run::AssertionLookup)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (default/Login::run::ADFSSI)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SAML2/POST)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SAML2/POST-SimpleSign)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SAML2/Artifact)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SAML2/ECP)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SAML/POST)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SAML/Artifact)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (default/ADFS)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (default/ADFS::run::ADFSLO)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SLO/SOAP)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SLO/Redirect)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SLO/POST)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (default/SLO/Artifact)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (default/NIM/SOAP)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (default/NIM/Redirect)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (default/NIM/POST)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (default/NIM/Artifact)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (default/Artifact/SOAP::run::SAML2Artifact)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (default/Metadata)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (default/Status)
2009-08-22 07:52:35 INFO Shibboleth.Application : building MetadataProvider
of type XML...
2009-08-22 07:52:35 INFO OpenSAML.MetadataProvider.XML : loaded XML resource
(/etc/shibboleth/idp-metadata.xml)
2009-08-22 07:52:35 INFO Shibboleth.Application : building TrustEngine of
type Chaining...
2009-08-22 07:52:35 INFO XMLTooling.TrustEngine.Chaining : building
TrustEngine of type ExplicitKey
2009-08-22 07:52:35 INFO Shibboleth.Application : building
AttributeExtractor of type XML...
2009-08-22 07:52:35 INFO Shibboleth.AttributeExtractor.XML : loaded XML
resource (/etc/shibboleth/attribute-map.xml)
2009-08-22 07:52:35 INFO Shibboleth.AttributeExtractor.XML : creating
mapping for Attribute
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress,
Format/Namespace:http://schemas.xmlsoap.org/claims
2009-08-22 07:52:35 INFO Shibboleth.Application : building
CredentialResolver of type File...
2009-08-22 07:52:35 INFO XMLTooling.SecurityHelper : loading private key
from file (/etc/shibboleth/sp-key.pem)
2009-08-22 07:52:35 INFO XMLTooling.SecurityHelper : loading certificate(s)
from file (/etc/shibboleth/sp-cert.pem)
2009-08-22 07:52:35 INFO Shibboleth.Listener : registered remoted message
endpoint (default::getHeaders::Application)
2009-08-22 07:52:35 INFO Shibboleth.Listener : listener service starting
2009-08-22 10:00:03 DEBUG Shibboleth.Listener [1]: dispatching message
(default::getHeaders::Application)
2009-08-22 10:00:03 DEBUG Shibboleth.Listener [1]: dispatching message
(default/Login::run::ADFSSI)
2009-08-22 10:02:56 DEBUG Shibboleth.Listener [2]: dispatching message
(default::getHeaders::Application)
2009-08-22 10:02:56 DEBUG Shibboleth.Listener [2]: dispatching message
(default/Login::run::ADFSSI)
2009-08-22 10:03:16 DEBUG Shibboleth.Listener [3]: dispatching message
(default/ADFS)
2009-08-22 10:03:16 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [3]:
evaluating message flow policy (replay checking on, expiration 60)
2009-08-22 10:03:16 DEBUG XMLTooling.StorageService [3]: inserted record
(_927cb6ae-c911-4df0-b55a-38eae3571893) in context (MessageFlow)
2009-08-22 10:03:16 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [3]:
validating signature profile
2009-08-22 10:03:16 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [3]:
signature verified against message issuer
2009-08-22 10:03:16 DEBUG Shibboleth.SessionCache [3]: creating new session
2009-08-22 10:03:16 DEBUG Shibboleth.SessionCache [3]: storing new
session...
2009-08-22 10:03:16 DEBUG XMLTooling.StorageService [3]: inserted record
(session) in context (_19bea61ad8832e173764b19f82d0f506)
2009-08-22 10:03:16 DEBUG XMLTooling.StorageService [3]: inserted record
(John....@idp.com) in context (NameID)
2009-08-22 10:03:16 DEBUG XMLTooling.StorageService [3]: inserted record
(_927cb6ae-c911-4df0-b55a-38eae3571893) in context
(_19bea61ad8832e173764b19f82d0f506)
2009-08-22 10:03:16 INFO Shibboleth.SessionCache [3]: new session created:
ID (_19bea61ad8832e173764b19f82d0f506) IdP (urn:federation:idp)
Protocol(http://schemas.xmlsoap.org/ws/2003/07/secext) Address
(xxx.xxx.xxx.xxx)
2009-08-22 10:03:16 DEBUG Shibboleth.Listener [3]: dispatching message
(default::getHeaders::Application)
2009-08-22 10:03:16 DEBUG Shibboleth.Listener [3]: dispatching message
(find::StorageService::SessionCache)
2009-08-22 10:03:16 DEBUG XMLTooling.StorageService [3]: updated expiration
of valid records in context (_19bea61ad8832e173764b19f82d0f506)
2009-08-22 10:07:35 INFO XMLTooling.StorageService : purged 1 expired
record(s) from storage
2009-08-22 11:07:35 INFO XMLTooling.StorageService : purged 2 expired
record(s) from storage
2009-08-22 18:07:33 INFO XMLTooling.StorageService : purged 1 expired
record(s) from storage

Transaction.log:
2009-08-22 10:03:16 INFO Shibboleth-TRANSACTION [3]: New session (ID:
_19bea61ad8832e173764b19f82d0f506) with (applicationId: default) for
principal from (IdP: urn:federation:genmills) at (ClientAddress:
xxx.xxx.xxx.xxx) with (NameIdentifier: Ben.A...@genmills.com) using
(Protocol: http://schemas.xmlsoap.org/ws/2003/07/secext) from (AssertionID:
_927cb6ae-c911-4df0-b55a-38eae3571893)

printed HTTP headers:
$_SERVER: array(38) { ["REDIRECT_HTTPS"]=> string(2) "on"
["REDIRECT_Shib-Application-ID"]=> string(7) "default"
["REDIRECT_Shib-Session-ID"]=> string(33)
"_aa48d2671cdfa878d10570fffe392e1c" ["REDIRECT_Shib-Identity-Provider"]=>
string(23) "urn:federation:idp" ["REDIRECT_Shib-Authentication-Instant"]=>
string(20) "2009-08-22T04:45:31Z" ["REDIRECT_Shib-Authentication-Method"]=>
string(39) "urn:oasis:names:tc:SAML:1.0:am:password"
["REDIRECT_Shib-AuthnContext-Class"]=> string(39)
"urn:oasis:names:tc:SAML:1.0:am:password" ["REDIRECT_STATUS"]=> string(3)
"200" ["HTTPS"]=> string(2) "on" ["HTTP_ACCEPT"]=> string(271) "image/gif,
image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword,
application/x-shockwave-flash, application/xaml+xml,
application/vnd.ms-xpsdocument, application/x-ms-xbap,
application/x-ms-application, */*" ["HTTP_REFERER"]=> string(252)
"https://fds.idp.com/adfs/ls/clientlogon.aspx?wa=wsignin1.0&wreply=https%3a%2f%2fidp-test.app.com%2fShibboleth.sso%2fADFS&wct=2009-08-22T04%3a45%3a04Z&wtrealm=https%3a%2f%2fidp-test.app.com%2fshibboleth-sp&wctx=cookie%3ac53aa7ec"
["HTTP_ACCEPT_LANGUAGE"]=> string(5) "en-us" ["HTTP_ACCEPT_ENCODING"]=>
string(13) "gzip, deflate" ["HTTP_USER_AGENT"]=> string(197) "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR
2.0.50727; InfoPath.1; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET
CLR 3.0.4506.2152; .NET CLR 3.5.30729)" ["HTTP_HOST"]=> string(26)
"idp-test.app.com" ["HTTP_CONNECTION"]=> string(10) "Keep-Alive"
["HTTP_CACHE_CONTROL"]=> string(8) "no-cache" ["HTTP_COOKIE"]=> string(157)
"_shibsession_64656661756c7468747470733a2f2f67656e6d696c6c732d746573742e696e6e6f2d3336302e636f6d2f73686962626f6c6574682d7370=_aa48d2671cdfa878d10570fffe392e1c"
["PATH"]=> string(29) "/sbin:/usr/sbin:/bin:/usr/bin" ["SERVER_SIGNATURE"]=>
string(0) "" ["SERVER_SOFTWARE"]=> string(6) "Apache" ["SERVER_NAME"]=>
string(26) "idp-test.app.com" ["SERVER_ADDR"]=> string(15) "xxx.xxx.xxx.xxx"
["SERVER_PORT"]=> string(3) "xxx" ["REMOTE_ADDR"]=> string(12)
"71.195.20.43" ["DOCUMENT_ROOT"]=> string(69) "xxx/index.php"
["REMOTE_PORT"]=> string(4) "xxx" ["REDIRECT_URL"]=> string(29)
"/users/login/adapter/idp" ["GATEWAY_INTERFACE"]=> string(7) "CGI/1.1"
["SERVER_PROTOCOL"]=> string(8) "HTTP/1.1" ["REQUEST_METHOD"]=> string(3)
"GET" ["QUERY_STRING"]=> string(0) "" ["REQUEST_URI"]=> string(29)
"/users/login/adapter/idp" ["SCRIPT_NAME"]=> string(10) "/index.php"
["PHP_SELF"]=> string(10) "/index.php" ["REQUEST_TIME"]=> int(1250916332) }
$_REQUEST: array(1) {
["_shibsession_64656661756c7468747470733a2f2f67656e6d696c6c732d746573742e696e6e6f2d3336302e636f6d2f73686962626f6c6574682d7370"]=>
string(33) "_aa48d2671cdfa878d10570fffe392e1c" }
$_SESSION: array(0) { }
$_COOKIE: array(1) {
["_shibsession_64656661756c7468747470733a2f2f67656e6d696c6c732d746573742e696e6e6f2d3336302e636f6d2f73686962626f6c6574682d7370"]=>
string(33) "_aa48d2671cdfa878d10570fffe392e1c" }
--
View this message in context: http://n2.nabble.com/Problem-to-access-attributes-after-integrate-Shibboleth-SP-2-2-with-ADFS-tp3497310p3497310.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.

Nate Klingenstein

Aug 23, 2009, 12:26:51 AM
to shibbole...@internet2.edu
lliu,

Taking a blind shot in the dark, I think your problem is the nameFormat attribute in attribute-map.xml.  Because it's a SAML 1.1 NameIdentifier, and not a WS-Fed attribute, the attribute-map wouldn't recognize it as matching this mapping.

It should default to a proper nameFormat.  What happens if you remove the nameFormat attribute on the Attribute element, and try again?

Take care,
Nate.

lliu

Aug 23, 2009, 2:00:31 PM
to shibbole...@internet2.edu

Nate, you are a genius! You got it in one shot! Here's what I get in the HTTP
headers:

["REDIRECT_REMOTE_USER"]=> string(18) "Jone....@idp.com"
["REDIRECT_email"]=> string(18) "Jone....@idp.com"

My issue is resolved. However, I'd like to mention:

1. The section about Attribute Handling at:
https://spaces.internet2.edu/display/SHIB2/NativeSPADFS is a little
misleading to me. Newbies like me will not be able to distinguish ADFS
claims from SAML 1.1 claims.

2. I can't find any document saying that the attribute will be accessible by
$_SERVER["REDIRECT_${attribute_id}"]; if there is one, please let me know.


Scott Cantor

Aug 23, 2009, 3:26:10 PM
to shibbole...@internet2.edu
lliu wrote on 2009-08-23:
> 1. Section about: Attribute Handling at:
> https://spaces.internet2.edu/display/SHIB2/NativeSPADFS is a little
> misleading to me. Newbies like me will not be able to distinguish ADFS
> claims and SAML1.1 claims.

It's a wiki with no access restrictions. When people expect us to be the
sole gatekeepers for fixing misleading or confusing topics, it guarantees
that they will stay misleading and confusing.

I actually didn't recall that ADFS even supported populating the Subject of
an assertion. That's why it doesn't talk about it at the moment.

> 2. I can't find any document about: the attribute will be accessible by
> $_SERVER["REDIRECT_${attribute_id}"]; If there is, please let me know.

I don't know or use PHP, so I'm hardly in a position to document anything
about it. I don't know what that syntax means, but you should always use
environment variables wherever possible, not headers.

There are a lot of things that I think other people should have thoroughly
documented and tested by now, but language specific data access issues are
definitely at the top of my list.

-- Scott


lliu

Aug 23, 2009, 10:13:12 PM
to shibbole...@internet2.edu

Scott Cantor wrote:
>
> It's a wiki with no access restrictions. When people expect us to be the
> sole gatekeepers for fixing misleading or confusing topics, it guarantees
> that they will stay misleading and confusing.
>
> I actually didn't recall that ADFS even supported populating the Subject
> of an assertion. That's why it doesn't talk about it at the moment.
>

Thanks Scott, I see the change on the wiki, it's definitely helpful!


Scott Cantor wrote:
>
> I don't know or use PHP, so I'm hardly in a position to document anything
> about it. I don't know what that syntax means, but you should always use
> environment variables wherever possible, not headers.
>
> There are a lot of things that I think other people should have thoroughly
> documented and tested by now, but language specific data access issues are
> definitely at the top of my list.
>

I decided to use HTTP headers because I don't really understand the
environment variables (not sure what they look like), though I agree it's
more graceful.

I can only find this link:
https://spaces.internet2.edu/display/SHIB2/NativeSPEnableApplication#NativeSPEnableApplication-UseShibbolethAuthentication%26Attributes,
and it's not enough for me. While reading this: "relying instead on
variables provisioned by the web environment", I wish there were a link on it
and an example behind it.

Scott Cantor

Aug 23, 2009, 11:20:23 PM
to shibbole...@internet2.edu
> I decided to use HTTP headers because I don't really understand the
> environment variables (not sure what they look like), though I agree it's
> more graceful.

That's not the issue. Environment variables are secure. Headers are secure
only to the extent that bugs and undocumented behavior in tools I don't use
don't break things. Don't use headers unless you're on IIS. That's why it's
not the default on Apache.

> and it's not enough for me. While reading this: relying instead on
> variables provisioned by the web environment, I wish there's a link on it
> and an example behind.

I wish a lot of things were documented, but when people figure things out
and don't come back and document it, that's what we end up with.

-- Scott


lliu

Aug 31, 2009, 9:11:41 AM
to shibbole...@internet2.edu

update:

Now I have 3 attributes in attribute-map.xml:

<Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
id="email"/>
<Attribute nameFormat="http://schemas.xmlsoap.org/claims"
name="FIRST_NAME" id="FIRST_NAME"/>
<Attribute nameFormat="http://schemas.xmlsoap.org/claims"
name="LAST_NAME" id="LAST_NAME"/>

to resolve these 3 attributes in the token received:

<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">John....@idp.com</saml:NameIdentifier>
</saml:Subject>
<saml:Attribute AttributeName="FIRST_NAME"
AttributeNamespace="http://schemas.xmlsoap.org/claims">
<saml:AttributeValue>John</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="LAST_NAME"
AttributeNamespace="http://schemas.xmlsoap.org/claims">
<saml:AttributeValue>Smith</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>


I didn't find a way to access attributes via environment variables; there are
no related values when I print $_ENV out, which I believe is the correct way
in PHP to show environment variables. For the time being, I'm still using
$_SERVER["REDIRECT_email"], $_SERVER["REDIRECT_FIRST_NAME"] and
$_SERVER["REDIRECT_LAST_NAME"], until I find a better way.

Scott Cantor

Aug 31, 2009, 9:25:26 AM
to shibbole...@internet2.edu
lliu wrote on 2009-08-31:
> I didn't find a way to access attribute via Environment Variables,
> there's no relative values when I printed $_ENV out, which I believe as
> a correct way in PHP to show Environment Variables. For the time being,
> I'm still using $_SERVER["REDIRECT_email"],
> $_SERVER["REDIRECT_FIRST_NAME"], $_SERVER["REDIRECT_LAST_NAME"], before
> I find another better way.

Whatever that is, it isn't caused by the SP. It's from mod_rewrite or
something like that. The headers are in HTTP_attributeid, so that is NOT a
reliable way to get them if you move the application to some other server.

-- Scott

lliu

Aug 31, 2009, 10:26:20 AM
to shibbole...@internet2.edu

Scott Cantor wrote:
>
> Whatever that is, it isn't caused by the SP. It's from mod_rewrite or
> something like that. The headers are in HTTP_attributeid, so that is NOT a
> reliable way to get them if you move the application to some other server.
>
> -- Scott
>

Scott, I get it! :)

In PHP, $_SERVER IS the container of Apache's environment variables; $_ENV
is the container of "the environment under which the PHP parser is running",
which we can consider to be the OS in most cases. Ref:
http://us.php.net/manual/en/reserved.variables.php

So I'm actually accessing them via environment variables. I think the case is
closed; I will create a wiki page at the place I wished for.

Scott Cantor

Aug 31, 2009, 10:59:14 AM
to shibbole...@internet2.edu
lliu wrote on 2009-08-31:
> In PHP: $_SERVER IS the container of Apache's environment variables;
> $_ENV is the container of "the environment under which the PHP parser is
> running", which we can consider as OS in most cases. Ref:
> http://us.php.net/manual/en/reserved.variables.php

_SERVER is where you get at the CGI "environment" in generic terms, and that
includes headers. If what you're accessing is prefixed by HTTP, it's a
request header, not an environment variable.

> So I'm actually accessing via Environment Variables.

If you didn't turn ShibUseHeaders on, then you would have to be using
environment variables. If you did, then I doubt you are.

In no case is using REDIRECT_ any kind of portable or supported approach
outside the context of whatever mod_rewrite is doing, which you would have
needed to instruct it to do.

-- Scott


lliu

Aug 31, 2009, 11:40:27 AM
to shibbole...@internet2.edu

Scott Cantor wrote:
>
> If you didn't turn ShibUseHeaders on, then you would have to be using
> environment variables. If you did, then I doubt you are.
>

You are right, I didn't turn ShibUseHeaders on.


Scott Cantor wrote:
>
> In no case is using REDIRECT_ any kind of portable or supported approach
> outside the context of whatever mod_rewrite is doing, which you would have
> needed to instruct it to do.
>

Prefix REDIRECT_ is added by Apache by default:
http://httpd.apache.org/docs/2.0/custom-error.html.

Scott Cantor

Aug 31, 2009, 11:52:53 AM
to shibbole...@internet2.edu
lliu wrote on 2009-08-31:
> You are right, I didn't turn ShibUseHeaders on.

Ok. Then they should be present directly (_SERVER["FIRST_NAME"]).

> Prefix REDIRECT_ is added by Apache by default:
> http://httpd.apache.org/docs/2.0/custom-error.html.

That doesn't make them correct to use. Those are coming from internal Apache
redirects, and should never be needed in ordinary usage.

-- Scott
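The access pattern the thread converges on, written out as an added example (this is editor-supplied code, not code from the original posts or from the Shibboleth project). It reads SP attributes the way Scott describes for Apache with ShibUseHeaders off: from the CGI environment in $_SERVER under the plain attribute-map id ("email", "FIRST_NAME", "LAST_NAME" as in the poster's map), never from the HTTP_-prefixed request headers (which, with ShibUseHeaders off, are simply whatever the browser sent) and never from the REDIRECT_-prefixed copies that Apache produces on an internal redirect. It assumes PHP 7.4 or later and the multi-value encoding the SP uses for environment variables (values joined with ';', literal semicolons escaped as '\;'); the function and variable names are the example's own.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread): reading Shibboleth SP attributes in PHP
// under Apache with ShibUseHeaders OFF (the default). Attributes then arrive
// as CGI environment variables in $_SERVER, keyed by the attribute-map "id".

/**
 * Abort unless mod_shib established a session for this request.
 * Only the SP sets Shib-Session-ID in the environment; with
 * requireSession="true" the SP already blocks anonymous requests, so this
 * is defence in depth against a misconfigured <Path>/<Location>.
 */
function shib_require_session(array $server): string
{
    $sid = $server['Shib-Session-ID'] ?? '';
    if ($sid === '') {
        http_response_code(403);
        exit('No Shibboleth session');
    }
    return $sid;
}

/**
 * Return all values of one SP attribute, or [] if it is absent.
 *
 * Reads only $server[$id]. It deliberately does NOT fall back to
 *   - HTTP_<ID>      a request header; with ShibUseHeaders off this is
 *                    attacker-controlled client input, not SP output;
 *   - REDIRECT_<id>  Apache's copy of the environment across an internal
 *                    redirect, which the SP never promises to populate.
 * Multi-valued attributes are joined by the SP with ';' and a literal
 * semicolon inside a value is escaped as '\;' (assumption stated in the
 * lead-in), so split on unescaped semicolons and unescape afterwards.
 */
function shib_attr(array $server, string $id): array
{
    if (!isset($server[$id]) || $server[$id] === '') {
        return [];
    }
    $parts = preg_split('/(?<!\\\\);/', $server[$id]);
    return array_map(
        fn(string $v): string => str_replace('\\;', ';', $v),
        $parts
    );
}

/** First value of an attribute, or null when the SP did not export it. */
function shib_attr_one(array $server, string $id): ?string
{
    $values = shib_attr($server, $id);
    return $values[0] ?? null;
}

// Usage in a page under the protected path (e.g. /secure in the poster's
// RequestMap). The email comes from the SAML 1.1 NameIdentifier, the names
// from the WS-Fed claims, exactly as mapped in the poster's attribute-map.
shib_require_session($_SERVER);
$email = shib_attr_one($_SERVER, 'email');
$first = shib_attr_one($_SERVER, 'FIRST_NAME');
$last  = shib_attr_one($_SERVER, 'LAST_NAME');

if ($email === null) {
    // Session exists but the IdP released no email: fail closed rather than
    // falling back to a header or a REDIRECT_ variable.
    http_response_code(403);
    exit('Session has no email attribute');
}

header('Content-Type: text/html; charset=UTF-8');
echo htmlspecialchars("$first $last <$email>", ENT_QUOTES, 'UTF-8');
```

If, as in the poster's var_dump, only REDIRECT_-prefixed names show up, the request reached PHP through an Apache internal redirect (here a front-controller rewrite of /users/login/adapter/idp to /index.php), and the SP did not run on the rewritten request. The fix belongs in the Apache configuration, not in this code: make sure the Shibboleth protection covers the URI the rewritten request actually hits, so the plain variables are exported on the request PHP handles. That is an editor's suggestion drawn from the thread, not a step the posters confirmed.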

