Get Shibboleth environment variables with Python

Cantor, Scott cantor.2 at
Wed May 14 12:32:30 EDT 2014

On 5/14/14, 11:00 AM, "James Dore" <james.dore at> wrote:
>>Leave Python out of it at first (same goes for any language/API).
>> First check httpd's access log, it will log REMOTE_USER if it is set.
>Ah - nothing is logged.

That's not consistent with the rest of your post, if the log you're
looking at is the one where the SP is running, since your log shows EPPN
being received and it's mapped to REMOTE_USER.

>Being a novice, my googling brought a few warnings about the relative
>insecurity of using http headers. Is this a practical security issue, or
>one that is theoretically exploitable but requires a lot of effort?

It's trivial to exploit if you don't completely lock down the access to
the server being proxied, but that's a consequence of using proxies;
that's just how it is. You don't have a choice in the matter if you're
trying to write code to consume identity that isn't running in a web
server that itself is handling the authentication.

-- Scott
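
The lock-down described in the reply above, sketched as an added example that is not part of the original thread or of the Shibboleth project's code: a WSGI middleware that accepts proxied identity headers only when the TCP peer is the proxy itself. The proxy address (127.0.0.1), the header names (`eppn`, `remote-user`) and every function and class name here are assumptions made for illustration.

```python
# Added example: identity headers are honoured only from the trusted proxy.
# Assumed: the SP-fronted proxy connects from 127.0.0.1 and forwards identity
# as "eppn" / "remote-user" headers (HTTP_EPPN, HTTP_REMOTE_USER in WSGI).
import ipaddress

TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]  # assumed proxy address
IDENTITY_KEYS = ("HTTP_EPPN", "HTTP_REMOTE_USER")         # assumed header names


def peer_is_trusted(environ):
    """True only if the TCP peer (not a forwarded-for header) is the proxy."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


class ProxiedIdentity:
    """Drop identity headers unless the request came from the trusted proxy."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        trusted = peer_is_trusted(environ)
        for key in IDENTITY_KEYS:
            # Always remove the raw header so the app cannot read it by mistake.
            value = environ.pop(key, None)
            if trusted and value:
                environ["proxied." + key[5:].lower()] = value
        return self.app(environ, start_response)


def whoami(environ, start_response):
    """Sample app: reports the identity the middleware accepted."""
    user = environ.get("proxied.eppn")
    status = "200 OK" if user else "401 Unauthorized"
    start_response(status, [("Content-Type", "text/plain")])
    return [(user or "no identity").encode()]


def simulate(remote_addr, headers):
    """Run one constructed request through the stack; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr}
    environ.update(headers)
    seen = {}
    body = b"".join(ProxiedIdentity(whoami)(
        environ, lambda status, hdrs: seen.update(status=status)))
    return seen["status"], body.decode()
```

A check like this complements, and does not replace, restricting network access to the proxied server (for example binding it to the loopback interface or firewalling it to the proxy).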
