[Shib-Users] Passing attribute to IIS

40 views
Skip to first unread message

Hamparian,Don

unread,
Nov 12, 2009, 12:24:08 PM11/12/09
to shibbole...@internet2.edu

I’m trying to get a 2.1 SP to pass a ‘uid’ parameter to IIS.  

 

IIS doesn’t see a parameter. It must be something simple I’m not seeing.

 

Example:

 

2009-11-12 17:02:18 W3SVC1 206.107.43.78 POST /Shibboleth.sso/SAML/POST - 443 - 132.174.138.197 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+Firefox/3.5.5+(.NET+CLR+3.5.30729) 200 0 0

2009-11-12 17:02:18 W3SVC1 206.107.43.78 GET /illiad/illiad.dll - 443 - 132.174.138.197 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;

 

Transaction log:

2009-11-12 11:02:18 INFO Shibboleth-TRANSACTION [1]: New session (ID: _99cc06b25d479698930f92d2a67129cf) with (applicationId: default) for principal from (IdP: urn:mace:incommon:northwestern.edu) at (ClientAddress: 132.174.138.197) with (NameIdentifier: NYDUL7ONFB5SI55WELTYZ2NMQ2IWZRYI5YJNP32SYKZX4JFACCLC3U7OSDMHSUHGS4JC3HVK3ONGG3U2QVULD6PEQBSLI6SNHWYU5T63T4V23IO2BEWA) using (Protocol: urn:oasis:names:tc:SAML:1.1:protocol) from (AssertionID: _1165f7b35ecd7924a28add2f18f623ad)

2009-11-12 11:02:18 INFO Shibboleth-TRANSACTION [1]: Cached the following attributes with session (ID: _99cc06b25d479698930f92d2a67129cf) for (applicationId: default) {

2009-11-12 11:02:18 INFO Shibboleth-TRANSACTION [1]:               uid (1 values)

2009-11-12 11:02:18 INFO Shibboleth-TRANSACTION [1]: }

Shibd.log

 

1258045338 DEBUG XMLTooling.StorageService [1]: inserted record (_e059b2992def27fdd7bd344a3e81e912) in context (MessageFlow)

1258045338 DEBUG Shibboleth.AttributeDecoder.String [1]: decoding SimpleAttribute (uid) from SAML 1 Attribute (urn:mace:dir:attribute-def:uid) with 1 value(s)

1258045338 DEBUG Shibboleth.AttributeFilter [1]: filtering 1 attribute(s) from (urn:mace:incommon:northwestern.edu)

1258045338 DEBUG Shibboleth.AttributeFilter [1]: applying filtering rule(s) for attribute (uid) from (urn:mace:incommon:northwestern.edu)

1258045338 DEBUG Shibboleth.SessionCache [1]: creating new session

1258045338 DEBUG XMLTooling.XMLObject [1]: starting to marshal saml:NameID

1258045338 DEBUG XMLTooling.XMLObject [1]: creating root element to marshall

1258045338 DEBUG XMLTooling.XMLObject [1]: marshalling namespace attributes for XMLObject

1258045338 DEBUG XMLTooling.XMLObject [1]: marshalling text and child elements for XMLObject

1258045338 DEBUG XMLTooling.XMLObject [1]: caching DOM for XMLObject (document is bound)

1258045338 DEBUG Shibboleth.SessionCache [1]: storing new session...

1258045338 DEBUG XMLTooling.StorageService [1]: inserted record (session) in context (_99cc06b25d479698930f92d2a67129cf)

 

 

Native.log

 

1258045338 DEBUG Shibboleth.SessionCache [1812] isapi_shib: unmarshalled attribute (ID: uid) with 1 value

 

Don Hamparian

Manager OCLC Grid Portfolio

OCLC

mailto:hamp...@oclc.org

614.764.6017 (voice)

614.975.5750 (mobile)

IM, IP Phone (Skype) donhamp2

ICQ: 412-913-446

http://worldcat.org/devnet

 

Peter Schober

unread,
Nov 12, 2009, 12:40:08 PM11/12/09
to shibbole...@internet2.edu
* Hamparian,Don <hamp...@oclc.org> [2009-11-12 18:25]:

> I'm trying to get a 2.1 SP to pass a 'uid' parameter to IIS.
>
> IIS doesn't see a parameter. It must be something simple I'm not seeing.

It's from the Shib2 wiki but did you check out
https://spaces.internet2.edu/display/SHIB2/NativeSPAttributeAccess

Since the attribute is there in the transaction.log I would expect it
to depend on the way you check for the attribute (which you fail to
mention),
-peter

Hamparian,Don

unread,
Nov 12, 2009, 6:43:20 PM11/12/09
to shibbole...@internet2.edu
Thanks, silly mistake - didn't have it as the attribute specified by
REMOTE_USER in the SP metadata.

Scott Cantor

unread,
Nov 12, 2009, 8:34:20 PM11/12/09
to shibbole...@internet2.edu
Hamparian,Don wrote on 2009-11-12:
> Thanks, silly mistake - didn't have it as the attribute specified by
> REMOTE_USER in the SP metadata.

IIS doesn't allow use of REMOTE_USER. The various warnings in the
documentation should make it clear that using the hacked version of it is a
bad idea and is only there for legacy reasons that have more to do with my
university than anything else. Whatever header(s) you're mapping that from
is what you should access.

-- Scott


Hamparian,Don

unread,
Nov 13, 2009, 10:36:22 AM11/13/09
to shibbole...@internet2.edu
Thanks, its working so now I need to make sure I understand why .. :-)

Scott Cantor

unread,
Nov 13, 2009, 12:32:11 PM11/13/09
to shibbole...@internet2.edu
Hamparian,Don wrote on 2009-11-13:
> Thanks, its working so now I need to make sure I understand why .. :-)

You're using a header called remote-user internally. No software that needs
REMOTE_USER for real will allow that. A few accidentally support it (Cold
Fusion used to). There's little point in using it now.

-- Scott


Reply all
Reply to author
Forward
0 new messages