Delegated Auth with

Eric Dalquist eric.dalquist at
Thu Nov 3 17:19:31 GMT 2011

We turned on mod_log_forensic and see the following for the request in 
the forensic log:

+22677:4eb2cc10:13|GET /secure/printenv 

That seems to show the PAOS header coming through as expected. Is there 
any way to turn up logging for mod_shib and/or the SP so that it dumps 
out what it is seeing for headers?


On 11/02/2011 11:31 AM, Cantor, Scott wrote:
> On 11/2/11 12:10 PM, "Eric Dalquist"<eric.dalquist at>  wrote:
>> We had it working about a year ago but never rolled it out passed test
>> environments. When we got it working I think we were on 2.3.1 for the SP
>> and 2.2.1 for the IdP. We're on 2.4.3 for the SP and 2.3.2 for the IdP
>> now.
> The SP has a bug when you use the new<SSO>  syntax, but you're not doing
> that here, so the ECP support is basically the same as it was.
>> Just out of curiosity, what version of the SP is that
>> site running?
> 2.4.2 apparently.
>> Any tips for things we should look for in our Apache
>> config that could be preventing the headers from getting passed to the SP?
> I have to think they're getting broken out ahead of it. All you could
> probably do there is try and log them, maybe, or dump them out with a test
> script to see if it sees them.
> The code doesn't "fall back" to non-ECP if the headers are there. I just
> checked that specifically. There are various errors it will throw out if
> it thinks it's an ECP client and then finds anything wrong, so the problem
> should be with the headers.
> -- Scott
> --
> To unsubscribe from this list send an email to users-unsubscribe at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7430 bytes
Desc: S/MIME Cryptographic Signature
Url : 

More information about the users mailing list