Capturing SAML Attributes from the IDP

Nate Klingenstein ndk at internet2.edu
Fri May 31 13:46:47 EDT 2013


In addition to Mike's response, this wiki article may prove helpful:

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess

If you absolutely need to inspect the assertion, you can do it by calling this:

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAssertionExport

On May 31, 2013, at 17:39, Mike Flynn wrote:

Your page at the protected resource can interrogate the response headers for the attributes and some other Shib parameters.  Are you looking to get the actual assertion itself to examine it?  If so you can turn on debugging in the logger config files and get the assertions in the logs.

________________________________
From: Jim Hoy <jim.hoy at acatar.com>
To: "users at shibboleth.net" <users at shibboleth.net>
Sent: Friday, May 31, 2013 10:21 AM
Subject: Capturing SAML Attributes from the IDP

I suppose this is a lifecycle issue, and please excuse the question if it’s a stupid one, but… As I see it, the process goes like this:

1. User requests a Shib-protected resource.

2. The Shibboleth ISAPI filter (as this is Windows/IIS) intercepts the request and directs the user to the IDP (only one IDP here)

3. The user logs in successfully

4. The browser is redirected (HTTP 302) back to /Shibboleth.sso/SAML2/POST

5. The ISAPI filter does another 302 redirection to my secured content (/secure), which is now available to the authenticated user.

At step #4, I look at the HTTP request and see that there are form variables posted to the HTTP-POST handler (Shibboleth.sso/SAML2/POST). The form variables include one called SAMLResponse which is the base64-encoded SAML XML. This information is apparently discarded when the 302 redirect happens from the HTTP-POST handler to the /secure URL.

My question is a simple one: How do I access the SAMLResponse in this process? I need to extract the list of attributes for use elsewhere in my application, and I’m green-horned enough to not understand what I do at this point to actually get to the attributes I’ve just received.

Thanks for your help (and for not laughing too hard)



--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
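
An added example for readers of this thread (not part of the original messages and not Shibboleth project code): pulling attribute names and values out of the AttributeStatement of a SAML 2.0 assertion in Python. The sample assertion is constructed and the function names are hypothetical. The code assumes an unencrypted assertion that the SP has already validated, because it performs no signature checking of its own.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real IdP).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2013-05-31T17:00:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>jdoe@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
      <saml:AttributeValue>member@example.org</saml:AttributeValue>
      <saml:AttributeValue>staff@example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def decode_saml_post(b64_value):
    """Decode the base64 form value used by the HTTP-POST binding into XML text."""
    return base64.b64decode(b64_value, validate=True).decode("utf-8")

def extract_attributes(xml_text):
    """Return {attribute Name: [values]} from every saml:AttributeStatement."""
    # Refuse DTDs so entity-expansion input never reaches the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in SAML input")
    root = ET.fromstring(xml_text)
    attrs = {}
    # './/' also matches when the root is a samlp:Response wrapping the assertion.
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

if __name__ == "__main__":
    encoded = base64.b64encode(SAMPLE_ASSERTION.encode("utf-8")).decode("ascii")
    for name, values in extract_attributes(decode_saml_post(encoded)).items():
        print(name, values)
```
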



