[Shib-Users] Shibboleth Header REMOTE_USER


Peddi, Vasuda
Oct 16, 2009, 5:28:59 AM
to shibbole...@internet2.edu

Hello,

I installed Shibboleth SP (2.2.1) and IdP (2.1.3) and have done the respective configuration.

I am getting the attributes released by the IdP at the service side, but not REMOTE_USER (this value is null or empty).

How do I get the REMOTE_USER value?

 

Regards,

Vasuda Peddi

Systems and Applications Developer, UK Data Archive, University of Essex

Wivenhoe Park, COLCHESTER, ESSEX, CO4 3SQ, UK

Tel: +(44 1206) 872144 Fax: +(44 1206) 872003

www.data-archive.ac.uk

Email: vpe...@essex.ac.uk


Peter Schober
Oct 16, 2009, 5:40:34 AM
to shibbole...@internet2.edu
* Peddi, Vasuda <vpe...@essex.ac.uk> [2009-10-16 11:32]:

> I am getting the attributes released by the IdP at the service side but not
> REMOTE_USER (this value is null or empty).
>
> How do I get the REMOTE_USER value?

If this is on Apache httpd: do you see the authenticated userid in
httpd's access log?
Are you passing REMOTE_USER to some other host (i.e. is the Shib SP a
reverse proxy of some kind)?
-peter

Peddi, Vasuda
Oct 16, 2009, 6:32:15 AM
to shibbole...@internet2.edu
I can see the authenticated userid in the httpd log.

Our model is VOSP (Virtual Organisation Service Provider; it contains an IdP and an SP).

I am able to see the $requestContext.principalName value at the VOSP IdP.

When I observed the IdP process log:

urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_6a6bcc91bbf8f9a528dc28b336110ab3|https://dacessdashib.essex.ac.uk/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://shib.esds.ac.uk/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_3c8773a38d5af8f41de593c5cdf67783|Dfo8Lr9mETHPsKxlbwkjzR6fL2o=@essex.ac.uk|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,email,transientId,givenName,|||

Still, at the service provider side I am getting REMOTE_USER null.

Regards,
Vasuda.

Chad La Joie
Oct 16, 2009, 6:43:22 AM
to shibbole...@internet2.edu
It's probably not an IdP issue but the way in which you have the SP
configured.
https://spaces.internet2.edu/display/SHIB2/NativeSPApplication

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad....@switch.ch, http://www.switch.ch

Peddi, Vasuda
Oct 16, 2009, 8:03:06 AM
to shibbole...@internet2.edu
Sorry, I did not find the solution to fix this problem.

Can you explain briefly what I need to check in the SP to get the REMOTE_USER value?

Chad La Joie
Oct 16, 2009, 8:09:50 AM
to shibbole...@internet2.edu
The configuration option that controls which value populates the
REMOTE_USER value is called REMOTE_USER. From the looks of your IdP log
I would guess you're trying to use the eduPersonPrincipalName as the
REMOTE_USER so that should be the attribute referenced in your
REMOTE_USER configuration setting. If that's already the case then you
need to look at the SP log as the attribute is likely being filtered out
for some reason.

Peddi, Vasuda
Oct 16, 2009, 9:34:12 AM
to shibbole...@internet2.edu
As I mentioned, we implemented the VOSP (Virtual Organisation Service Provider) model; it is a combination of an IdP (proxy) and an SP (proxy).
I am getting the REMOTE_USER header value after the HO-IdP sends the attribute to the proxy SP. This proxy SP passes the handler to the proxy IdP, which sends the attributes to the individual SP. Here I am not getting the REMOTE_USER header value.

I am using the RemoteUser login handler in the proxy IdP (to avoid a second authentication):

<LoginHandler xsi:type="RemoteUser" authenticationDuration="3000">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
</LoginHandler>

In Apache httpd.conf (proxy server) we are protecting the proxy IdP as follows:

<Location /idp/profile/SAML2/Redirect/SSO>
    AuthType shibboleth
    ShibRequireSession On
    ShibRequireAll On
    ShibUseHeaders On
    require valid-user
    require affiliation
</Location>
<Location /idp/Authn/RemoteUser>
    AuthType shibboleth
    ShibRequireSession On
    ShibRequireAll On
    ShibUseHeaders On
    require valid-user
    require affiliation
</Location>

Please help me to get the value of REMOTE_USER which will be used in application.

Scott Cantor
Oct 16, 2009, 10:36:31 AM
to shibbole...@internet2.edu
> Please help me to get the value of REMOTE_USER which will be used in
> application.

I have zero idea what you're talking about here (which is why I deleted all of that email). The IdP and the SP are the only things we support here. Anything else you're doing is not Shibboleth, it's something else you have to deal with separately.

First, you need to understand how REMOTE_USER is set, which Chad pointed you to, and determine whether it's being set *on that web server*. You pick one or more attribute IDs to map into REMOTE_USER, and ensure that you've mapped the right SAML attribute names to those IDs.

If the SP Apache log shows it set, then it's set. If not, then the IdP isn't releasing one of the mapped attributes or it's being filtered out. Probably the former.

-- Scott
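Added example, not part of the thread and not Shibboleth project code: a small offline model of the two steps Chad and Scott describe, written to show where a REMOTE_USER value goes missing. It assumes the SP 2.x behaviour that ApplicationDefaults/@REMOTE_USER in shibboleth2.xml is a whitespace-separated list of attribute IDs tried in order, and that attribute-map.xml decides which incoming SAML attribute names become local IDs at all (unmapped attributes are dropped). The two config fragments, the released-attribute dicts and the user values are constructed; SP-side attribute-policy.xml filtering is not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed shibboleth2.xml fragment (a real file has many more elements).
# REMOTE_USER is a whitespace-separated list of attribute IDs in order of
# preference; these three IDs are the SP's shipped default.
SHIBBOLETH2_XML = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                       REMOTE_USER="eppn persistent-id targeted-id"/>
</SPConfig>"""

# Constructed attribute-map.xml fragment. Only SAML attributes whose name
# appears here are decoded into a local id; everything else is dropped.
ATTRIBUTE_MAP_XML = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"/>
  <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn"/>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
</Attributes>"""

SP_NS = "{urn:mace:shibboleth:2.0:native:sp:config}"
MAP_NS = "{urn:mace:shibboleth:2.0:attribute-map}"


def remote_user_ids(shibboleth2_xml):
    """Ordered attribute IDs taken from ApplicationDefaults/@REMOTE_USER."""
    root = ET.fromstring(shibboleth2_xml)
    app = root.find(SP_NS + "ApplicationDefaults")
    return app.get("REMOTE_USER", "").split()


def attribute_map(attribute_map_xml):
    """{SAML attribute name: local id} read from attribute-map.xml."""
    root = ET.fromstring(attribute_map_xml)
    return {a.get("name"): a.get("id") for a in root.iter(MAP_NS + "Attribute")}


def resolve_remote_user(released, shibboleth2_xml, attribute_map_xml):
    """
    released: {SAML attribute name: [values]} as the IdP actually sent them
    (i.e. after the IdP's own release filter). Returns (value_or_None, why).
    """
    mapping = attribute_map(attribute_map_xml)
    wanted = remote_user_ids(shibboleth2_xml)

    # Step 1: decode SAML names into local IDs; unmapped names vanish here.
    local, unmapped = {}, []
    for name, values in released.items():
        if name in mapping and values:
            local.setdefault(mapping[name], []).extend(values)
        else:
            unmapped.append(name)

    # Step 2: the first REMOTE_USER id that has a value wins.
    for attr_id in wanted:
        if local.get(attr_id):
            return local[attr_id][0], "set from attribute id %r" % attr_id

    # No listed id had a value: say which of the two causes applies.
    if unmapped:
        why = "empty: released but not in attribute-map.xml: " + ", ".join(unmapped)
    else:
        why = "empty: IdP released none of " + " ".join(wanted)
    return None, why


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread: eppn released and mapped,
    # eppn released under a name the map does not know, eppn not released.
    EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
    MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"
    for released in (
        {EPPN_OID: ["alice@example.org"], MAIL_OID: ["alice@example.org"]},
        {"urn:example:eppn": ["alice@example.org"]},
        {MAIL_OID: ["alice@example.org"]},
    ):
        print(resolve_remote_user(released, SHIBBOLETH2_XML, ATTRIBUTE_MAP_XML))
```

On a live SP the equivalent check is to compare the attribute IDs in the session (the SP's session handler or shibd's log of mapped attributes) against the IDs listed in REMOTE_USER; if an ID the IdP log shows as released never appears on the SP side, the map or the SP's attribute policy is dropping it, which is the second failure branch above.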

