Get Shibboleth environment variables with Python

Peter Schober peter.schober at
Tue May 13 11:13:38 EDT 2014

* James Dore <james.dore at> [2014-05-13 16:42]:
> How do I capture the Shibboleth environment variables with Python?
> I’ve written a small script that dumps out all the OS variables
> which Python can see, and it runs immediately after a Shibboleth
> login. I was expecting to see REMOTE_USER at least, but it does not
> appear.

Leave Python out of it at first (same goes for any language/API).

First check httpd's access log, it will log REMOTE_USER if it is set.
Then (assuming there's nothing) look at your shibboleth2.xml where
you'll find the precedence list of attribute ids (referencing
attribute-map.xml entries) which will populate REMOTE_USER in order of
them being set (i.e., having a value).
To see what the IDP sent (presumably none of the attributs currently
tried for REMOTE_USER) check the Shib SP's transaction.log
Possibly the IDP did not send any of those attributes so REMOTE_USER
is empty.

> Am I considering the correct environment variables? Do I need to do
> something within the shibd config to enable it?

You can point your code at any envvar you want, but REMOTE_USER is OK
and also allows you to iterate over several candidate attributes
without writing your own code for that. On-the-wire attribute names
are already abstracted in attribute-map.xml, so you could also change
mappings there.

As for Python and accessing REMOTE_USER, it depends on how you're
integrating with the webserver. E.g. for WSGI there are different
methods (e.g. request.environ in Flask/Werkzeug) than for CGI
And of course any envvars (and REMOTE_USER) will only be visible in
the same process, i.e., if you're running one of the "embedded" Python
webservers and merely proxying to that from httpd you'll have to use
HTTP request headers, not envvars, and hence you won't get REMOTE_USER

More information about the users mailing list