how do I read attributes from headers??


Sridhar Sripathy

Nov 3, 2011, 11:36:14 PM
to us...@shibboleth.net
Hi,
I am new to Shibboleth and SAML in general.
I have the Shibboleth SP agent configured for an IIS7 web app and I have a SAML Tracer plugin showing that the SAML response is getting posted from IdP to SP (see below). I have an ASP .NET application and all I am trying to do is read the SAMLResponse or look at the attributes pushed to me by IdP. I have the attribute-map.xml configured correctly to map the attributes.
All the ASP .NET page is doing is dumping the Headers and this is all I see as below. How do I read the attributes from my ASP .NET page? I see the attributes sent over from SP to IdP when I use https://../Shibboleth.sso/Session URL
Are the headers appended to the encrypted session cookie? Or do I need some IIS 7 config change to enable seeing the attrs as headers?

HTTP Headers retrieved


Connection: keep-alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cookie: _shibsession_64656661756c7468747470733a2f2f6c61626974303277696e3230303872322e626f632e61642e63656e7375732e111116f6c657468=_12d45c41fade37e34f3bf56531ccfff5; ASPSESSIONIDSETDRSSA=BGJNCC11DIE Host: mySP.test.org User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1 ShibSpoofCheck: 630984012180204917122709628663327597330
HTTP_CONNECTION:keep-alive
HTTP_ACCEPT:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_CHARSET:ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_ACCEPT_ENCODING:gzip, deflate
HTTP_ACCEPT_LANGUAGE:en-us,en;q=0.5
HTTP_COOKIE:_shibsession_64656661756c7468741111111111111111141fade37e34f3bf56531ccfff5; ASPSESSIONIDSETDRSSA=BGJNCCOAAdNKIKODIE
HTTP_HOST:mySP.test.org
HTTP_USER_AGENT:Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
HTTP_SHIBSPOOFCHECK:63098401218020491712211111163327597330


The SAML Trace

POST https://mySP.test.org/Shibboleth.sso/SAML2/POST HTTP/1.1
Host: mySP.test.org
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: https://myIDP.test.org:8443/nidp/saml2/sso?SAMLRequest=BCrgRqpWqu31tuqzCNhtVRX%2BealnYeC0kBOg%2BWxMyU5gc3GF67b8u3o0%2F0fR4Cr56XqGL8DnFD27d6TVstCdbD68vOv0cWEEtyJDIcLz88jfjzP%2FBA%3D%3D&RelayState=ss%3Amem%3A24015e300d441c49064db74d4715de54
Cookie: _shibsession_111111c7468747470733a2f2f6c61626974303277696e3230303872322e626f632e61642e63656e7375732e676f711111111168=_c1ad885514cf14a54e11; ASPSESSIONIDSETDRSSA=BGJNCCOAALDAN11IKODIE
Content-Type: application/x-www-form-urlencoded
Content-Length: 8216

HTTP/?.? 302 Moved
Cache-Control: private,no-store,no-cache
Content-Length: 40
Content-Type: text/html
Expires: 01-Jan-1997 12:00:00 GMT
Location: https://mySP.test.org/vlabsample/Consume.aspx
Server: Microsoft-IIS/7.5
Set-Cookie: _shibsession_64656661756c74687111111111111303277696e3230303872322e626f632e61642e63656e7375732e676f762f73702f736869621111168=_12d45c41fade37e34f3bf56531ccfff5; path=/
X-Powered-By: ASP.NET
Date: Thu, 27 Oct 2011 21:00:38 GMT

The Session Info

Miscellaneous
Client Address: 10.10.25.aaaa
Identity Provider: https://myIDP.test.org:8443/nidp/saml2/metadata
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Authentication Time: 2011-10-27T20:57:14Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: secure/name/password/uri
Session Expiration (barring inactivity): 464 minute(s)

Attributes
cn- John Doe
sn: Doe
givenName: John
persistent-id: https://myIDP.test.org:8443/nidp/saml2/metadata!https://mySP.test.org/sp/shibboleth!S+H/+RVa1FJgYsssshGAWg7tg==

Brent Putman

Nov 3, 2011, 11:39:28 PM
to us...@shibboleth.net


On 11/3/11 11:36 PM, Sridhar Sripathy wrote:

> How do I read the attributes from my ASP .NET page?

This wiki page likely has the info you want.  See in particular the language-specific examples at the bottom of the page.

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess



Brent Putman

Nov 4, 2011, 1:36:31 AM
to us...@shibboleth.net

On 11/4/11 12:05 AM, ssrip...@yahoo.com wrote:
> Brent,
> I did read that do. Still confused on why attrs show up on the session info page but not when I dump headers from my ASP.NET page. I am printing out ALL headers in my ASP.NET page.

I may be mis-remembering, but I think in the ASP.NET world, the Shib
headers don't show up in the enumeration or iteration that you get from
the request structure. You have to request them individually by name.
Have you tried that?


Mike Flynn

Nov 4, 2011, 4:05:46 PM
to Shib Users
For my .NET C# protected resource page, the following works fine:

To iterate through all that are passed:

foreach (string key in Request.ServerVariables.AllKeys)

To reference a specific value:

value = Request.ServerVariables[key];



Sridhar Sripathy

Nov 4, 2011, 11:38:19 PM
to us...@shibboleth.net

I tried reading the attributes from headers using this format Request.ServerVariables["HTTP_ATTRNAME"] in and it still does not work. I can see that attrs are mapped correctly because I can see the attributes in the session summary page https://..../Shibboleth.sso/Session
Any info on what is going on between Shibboleth agent and IIS 7 that may be causing these attrs to be dropped out of the headers?
Thanks in advance.




Caskey, Paul

Nov 5, 2011, 9:10:56 AM
to us...@shibboleth.net

Perhaps the path where you are attempting to read the attributes is not configured to require a Shibboleth session (or not even configured as session optional).

Look in your <RequestMap> in shibboleth2.xml.

Cantor, Scott

Nov 5, 2011, 3:56:56 PM
to us...@shibboleth.net
On 11/4/11 11:38 PM, "Sridhar Sripathy" <ssrip...@yahoo.com> wrote:

>
>I tried reading the attributes from headers using this format
>Request.ServerVariables["HTTP_ATTRNAME"] in and it still does not work.

The documentation tells you that Request.Headers is the preferred API for
security reasons. Beyond that, if they're not there, the SP is not
configured to see your requests.

-- Scott
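
Added example (not part of the thread or of the Shibboleth documentation): a C# helper that reads an attribute by its exact name from Request.Headers, the API the reply above names as preferred, and splits multi-valued attributes. It assumes the SP joins multiple values with ';' and escapes a literal ';' as '\;', and that the session header is named Shib-Session-ID (the header form of HTTP_SHIB_SESSION_ID); the class names and sample headers are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Text;

public static class ShibAttributes   // hypothetical helper, not part of the SP
{
    // Assumed SP convention: values joined with ';', a literal ';' escaped as "\;".
    public static List<string> SplitValues(string raw)
    {
        var values = new List<string>();
        if (string.IsNullOrEmpty(raw)) return values;
        var current = new StringBuilder();
        for (int i = 0; i < raw.Length; i++)
        {
            if (raw[i] == '\\' && i + 1 < raw.Length && raw[i + 1] == ';')
            {
                current.Append(';');          // escaped separator stays in the value
                i++;
            }
            else if (raw[i] == ';')
            {
                values.Add(current.ToString());
                current.Clear();
            }
            else current.Append(raw[i]);
        }
        values.Add(current.ToString());
        return values;
    }

    // Look the attribute up by its exact header name (the id in attribute-map.xml).
    // No Shib-Session-ID means the SP did not handle this path: return nothing.
    public static List<string> Get(NameValueCollection headers, string attributeId)
    {
        if (string.IsNullOrEmpty(headers["Shib-Session-ID"])) return new List<string>();
        return SplitValues(headers[attributeId]);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed stand-in for Request.Headers on a path covered by <RequestMap>.
        var headers = new NameValueCollection {
            { "Shib-Session-ID", "_constructed" }, { "cn", @"Doe\; John;John Doe" } };
        foreach (string v in ShibAttributes.Get(headers, "cn")) Console.WriteLine(v);
    }
}
```

In a page, the call would be ShibAttributes.Get(Request.Headers, "givenName"); an empty result on a page that should be protected points at the <RequestMap> not covering that path.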

Mike Flynn

Nov 7, 2011, 10:40:23 AM
to Shib Users
You get nothing back from shib in the headers?  Or specific attribs?  See if you can get one of these thru request.servervariables:

HTTP_SHIB_APPLICATION_ID
HTTP_SHIB_SESSION_ID
HTTP_SHIB_IDENTITY_PROVIDER
HTTP_SHIB_AUTHENTICATION_INSTANT
HTTP_SHIB_AUTHENTICATION_METHOD
HTTP_SHIB_AUTHNCONTEXT_CLASS







Sridhar Sripathy

Nov 9, 2011, 11:41:08 AM
to us...@shibboleth.net
I finally found a fix for this issue and can see the attrs in headers. I had not configured the <RequestMap> element correctly, and the path name for the <Host> was incorrect. I had wrongly assumed IIS took care of it. I guess I should have read the docs a little more.
This is all I had to do:
    <Host name="mySP.test.com">
        <Path name="sample" authType="shibboleth" requireSession="true"/>
    </Host>
Thanks for the assistance!


Mike Flynn

Nov 9, 2011, 12:16:44 PM
to Shib Users
Glad you got it working!
