Capturing SAML Attributes from the IDP

Jim Hoy jim.hoy at acatar.com
Fri May 31 16:06:09 EDT 2013


In the server variables on my protected content, I do see the various shib variables:

HTTP_SHIBSPOOFCHECK
HTTP_SHIB_APPLICATION_ID
....
HTTP_SHIB_SESSION_INDEX

I also see the other variables added by shib:

HTTP_AFFILIATION
HTTP_ENTITLEMENT
HTTP_EPPN
....

What I don't see are the values I actually need. Specifically (to my instance). Consider the following pulled from the SAML response (taken from /Shibboleth.sso/SAML2/POST):

----------------------------------
<saml2:Attribute FriendlyName="displayName" Name="urn:mace:dir:attribute-def:displayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
	<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">John Doe</saml2:AttributeValue>
</saml2:Attribute>
---------------------------------

Once I reach my protected content, I see no way to access this variable or any other returned from the IdP except those which have been assigned to one of the various HTTP server variables listed above.

Once I reach my secure content, what would I reference to get the name "John Doe" as is the value in the provided XML?


-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Friday, May 31, 2013 2:26 PM
To: Shib Users
Subject: RE: Capturing SAML Attributes from the IDP

> I need to get a collection of all of these values… If not during the 
> login procedure as defined previously, then at some point after the 
> redirection completes.

Nate directed you at the basic documentation on it.

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess

The job of the SP and its attribute extraction layer is to turn the data you seem to want to look at (SAML) into what the SP expects you want to look at (decoded, normalized, locally tailored).

If you're on IIS, the only access to the data is via request headers populated by the filter, which is described on the page.

-- Scott
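
As an added illustration of the extraction layer described in the reply above (not code from the thread or from the Shibboleth project): a simplified Python model of how a rule in the SP's attribute-map.xml decides whether a SAML attribute reaches the application as a request header. The map fragments, the `displayName` id and the function names are assumptions constructed for the example.

```python
# Simplified model of the SP attribute extraction step; all sample XML is constructed.
import xml.etree.ElementTree as ET

SAML2 = "{urn:oasis:names:tc:SAML:2.0:assertion}"
AMAP = "{urn:mace:shibboleth:2.0:attribute-map}"

# Constructed attribute-map.xml fragment: only eppn is mapped at first.
MAP_BEFORE = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn"/>
</Attributes>"""

# Same map with a rule for the displayName attribute the IdP actually sends.
MAP_AFTER = MAP_BEFORE.replace(
    "</Attributes>",
    '  <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>\n'
    "</Attributes>")

# Constructed AttributeStatement carrying the attribute quoted in the message.
STATEMENT = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute FriendlyName="displayName" Name="urn:mace:dir:attribute-def:displayName"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>John Doe</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def load_map(map_xml):
    """Return {SAML attribute Name: local id} from an attribute-map fragment."""
    root = ET.fromstring(map_xml)
    return {a.get("name"): a.get("id") for a in root.iter(AMAP + "Attribute")}


def server_variable(header):
    """Name under which IIS/CGI exposes a request header to the application."""
    return "HTTP_" + header.upper().replace("-", "_")


def extract(statement_xml, map_xml):
    """Map SAML attributes to server variables; unmapped attributes are dropped."""
    rules = load_map(map_xml)
    out = {}
    for attr in ET.fromstring(statement_xml).iter(SAML2 + "Attribute"):
        local_id = rules.get(attr.get("Name"))  # matched on Name, not FriendlyName
        if local_id is None:
            continue  # no rule: the value never reaches the application
        values = [(v.text or "").replace(";", "\\;")
                  for v in attr.iter(SAML2 + "AttributeValue")]
        out[server_variable(local_id)] = ";".join(values)  # multi-value join
    return out
```

With the first map the statement yields no variables at all; with the added rule the value appears as `HTTP_DISPLAYNAME`, following the same naming pattern as the `HTTP_EPPN` variable listed in the message.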
