identifier precedence list on MS-IIS

Cantor, Scott cantor.2 at
Tue Sep 23 09:54:00 EDT 2014

On 9/23/14, 7:49 AM, "Peter Schober" <peter.schober at> wrote:

>A vendor has chosen MS-IIS to host their Shib SP, I'm trying to
>support them in their configuration.
>I'm aware MS-IIS does not have REMOTE_USER and from reading
>I'm assuming there's also no way to access the 'header variable
>(internally named "remote-user")' directly?

There is, it's a header like any other, it's just not advisable because
apart from the one exception of Cold Fusion, it really just makes code
more confusing.

>Given that relying on HTTP_REMOTE_USER is discouraged, am I correct
>that then there's no support for an identifier precedence list on
>MS-IIS (using the SP's ApplicationDefaults/@REMOTE_USER), iterating
>over all possible attributes, and as such that this would have to be
>implemented in application code?

If you really want that capability, that's the reason for using

>Would the SP architecture allow to add a feature to map the result of
>ApplicationDefaults/@REMOTE_USER to a custom attribute/header name?
>I doubt it, as REMOTE_USER uses the output from the attribute map as
>it's input, but I thought I'd ask.

No, it's the other way around, as you say.

-- Scott

More information about the users mailing list