Capturing SAML Attributes from the IDP

Jim Hoy jim.hoy at
Fri May 31 16:06:09 EDT 2013

In the server variables on my protected content, I do see the various shib variables:


I also see the othe variables added by shib:


What I don't see are the values I actually need. Specifically (to my instance). Consider the following pulled from the SAML response (taken from /Shibboleth.sso/SAML2/POST

<saml2:Attribute FriendlyName="displayName" Name="urn:mace:dir:attribute-def:displayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
	<saml2:AttributeValue xmlns:xsi="" xsi:type="xs:string">John Doe</saml2:AttributeValue>

Once I reach my protected content, I see no way to access this variable or any other returned from the IDp except those which have been assigned to one of the various HTTP server variables listed above.

Once I reach my secure content, what would I reference to get the name "John Doe" as is the value in the provided XML?

-----Original Message-----
From: users-bounces at [mailto:users-bounces at] On Behalf Of Cantor, Scott
Sent: Friday, May 31, 2013 2:26 PM
To: Shib Users
Subject: RE: Capturing SAML Attributes from the IDP

> I need to get a collection of all of these values… If not during the 
> login procedure as defined previously, then at some point after the 
> redirection completes.

Nate directed you at the basic documentation on it.

The job of the SP and its attribute extraction layer is to turn the data you seem to want to look at (SAML) into what the SP expects you want to look at (decoded, normalized, locally tailored).

If you're on IIS, the only access to the data is via request headers populated by the filter, which is described on the page.

-- Scott

To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list