Get Shibboleth environment variables with Python

James Dore james.dore at
Tue May 13 11:30:33 EDT 2014

Hi Peter,

That’s all phenomenally useful. Thanks!


On 13 May 2014, at 16:13, Peter Schober <peter.schober at> wrote:

> * James Dore <james.dore at> [2014-05-13 16:42]:
>> How do I capture the Shibboleth environment variables with Python?
>> I’ve written a small script that dumps out all the OS variables
>> which Python can see, and it runs immediately after a Shibboleth
>> login. I was expecting to see REMOTE_USER at least, but it does not
>> appear.
> Leave Python out of it at first (same goes for any language/API).
> First check httpd's access log, it will log REMOTE_USER if it is set.
> Then (assuming there's nothing) look at your shibboleth2.xml where
> you'll find the precedence list of attribute ids (referencing
> attribute-map.xml entries) which will populate REMOTE_USER in order of
> them being set (i.e., having a value).
> To see what the IDP sent (presumably none of the attributs currently
> tried for REMOTE_USER) check the Shib SP's transaction.log
> Possibly the IDP did not send any of those attributes so REMOTE_USER
> is empty.
>> Am I considering the correct environment variables? Do I need to do
>> something within the shibd config to enable it?
> You can point your code at any envvar you want, but REMOTE_USER is OK
> and also allows you to iterate over several candidate attributes
> without writing your own code for that. On-the-wire attribute names
> are already abstracted in attribute-map.xml, so you could also change
> mappings there.
> As for Python and accessing REMOTE_USER, it depends on how you're
> integrating with the webserver. E.g. for WSGI there are different
> methods (e.g. request.environ in Flask/Werkzeug) than for CGI
> (os.environ).
> And of course any envvars (and REMOTE_USER) will only be visible in
> the same process, i.e., if you're running one of the "embedded" Python
> webservers and merely proxying to that from httpd you'll have to use
> HTTP request headers, not envvars, and hence you won't get REMOTE_USER
> directly.
> -peter
> --
> To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list