[Shib-Users] Shibboleth attribute assertion as headers

90 views
Skip to first unread message

Ketly Jean-Pierre

unread,
Sep 24, 2009, 3:21:45 PM9/24/09
to shibbole...@internet2.edu
Hello,

I am using java with a tomcat container, and apache server.  I have a SP set up on Windows Vista, and an IdP set up on Ubuntu 9.04.  On my Windows Vista machine I have a web application.  I am trying to retrieve, pass, and display all Shibboleth Headers, but specifically the Shibboleth assertion to pass to my application.  I have made an insertion to my shibboleth2.xml file to include exportAssertion="true" and exportLocation="https://my.servername.com/Shibboleth.sso/GetAssertion" and set ShibUseHeaders to On in my httpd.conf file.  I tried to extract the specific "Shib-Assertion-01", but nothing.  I then set some code that will print all headers the only thing is that no shibboleth header's show.  Is there something I'm not doing.  I am not sure if there is something that I would need to set in the attribute-filter.xml or attribute-resolver.xml.

--
Ketly Jean-Pierre
Dept. of Systems & Computer Science
CS Graduate Studies President
Sun Campus Ambassador
Howard University

Scott Cantor

unread,
Sep 24, 2009, 4:12:18 PM9/24/09
to shibbole...@internet2.edu
Ketly Jean-Pierre wrote on 2009-09-24:
> I am using java with a tomcat container, and apache server. I have a SP
set
> up on Windows Vista, and an IdP set up on Ubuntu 9.04. On my Windows
Vista
> machine I have a web application. I am trying to retrieve, pass, and
> display all Shibboleth Headers, but specifically the Shibboleth assertion
to
> pass to my application. I have made an insertion to my shibboleth2.xml
file
> to include exportAssertion="true" and
> exportLocation="https://my.servername.com/Shibboleth.sso/GetAssertion" and
> set ShibUseHeaders to On in my httpd.conf file.

Firstly, it's not terribly common to need to do any of this, so unless you
have a good reason, it's probably moot. Secondly, you should be very careful
about using a non-localhost URL as a callback location, and if you do you'd
better be sure to include an exportACL property as well.

Otherwise, that's all correct and it would be working if your RequestMap was
working. So it apparently isn't, and my advice is not to use the RequestMap
and simply attach the exportAssertion setting to Apache with
ShibRequestSetting. That's all finally documented now.



> I tried to extract the
> specific "Shib-Assertion-01", but nothing. I then set some code that will
> print all headers the only thing is that no shibboleth header's show.

Then your request to the script isn't being protected, period.

-- Scott


Reply all
Reply to author
Forward
0 new messages