Cantor, Scott cantor.2 at
Wed May 15 14:53:41 EDT 2013

On 5/15/13 2:04 PM, "James Forrest" <jamesforrest56 at> wrote:

>Would somebody please be kind enough to walk me through the steps
>required to pass the authenticated username (as input by the end user)
>through from the IdP and the SP to Apache.

Well, you need to define an attribute definition that establishes the
value in some way based on the requestContext.principalName data. There is
no such thing as "username" in SAML, you have to encode it into some
Attribute, such as eduPersonPrincipalName, or as a SAML NameID in some
custom format.

Then you need to release the relevant attribute ID within the IdP to the

Then you need to ensure there's an attribute mapping on the SP end into an
attribute ID there.

And finally, you have to set REMOTE_USER in shibboleth2.xml to include at
least that attribute ID in the precedence list to populate from.

-- Scott
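
The chain described in the reply above, written out as configuration fragments. This is an added example, not part of the original message: it assumes IdP 2.x-style files with their stock namespace prefixes, and the scope `example.org`, the SP entityID `https://sp.example.org/shibboleth` and the policy id are placeholders.

```xml
<!-- 1. IdP attribute-resolver.xml: derive eduPersonPrincipalName from the
        authenticated principal name and encode it as a SAML 2 attribute.
        The scope "example.org" is a placeholder. -->
<resolver:AttributeDefinition xsi:type="ad:PrincipalName" id="principalName"/>

<resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName"
        scope="example.org" sourceAttributeID="principalName">
    <resolver:Dependency ref="principalName"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
        friendlyName="eduPersonPrincipalName"/>
</resolver:AttributeDefinition>

<!-- 2. IdP attribute-filter.xml: release that attribute ID. Limiting the
        policy to one requester (placeholder entityID) is an assumption made
        here so the identifier is not released to every relying party. -->
<afp:AttributeFilterPolicy id="releaseEppnExample">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://sp.example.org/shibboleth"/>
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

<!-- 3. SP attribute-map.xml: map the SAML attribute name from step 1 to a
        local attribute ID ("eppn"). Without a mapping the SP does not
        extract the attribute into the session. -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>

<!-- 4. SP shibboleth2.xml: REMOTE_USER is a precedence list of SP attribute
        IDs; the first one that has a value in the session is used. Only list
        IDs whose values should be accepted as the application's user name. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
        REMOTE_USER="eppn persistent-id targeted-id">
    <!-- remaining ApplicationDefaults content unchanged -->
</ApplicationDefaults>
```

The name in the IdP's encoder (step 1) and the `name` in the SP's attribute map (step 3) have to match exactly, and the `id` chosen in step 3 is the one that goes into `REMOTE_USER` in step 4.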
