identifier precedence list on MS-IIS
Cantor, Scott
cantor.2 at osu.edu
Tue Sep 23 09:54:00 EDT 2014
On 9/23/14, 7:49 AM, "Peter Schober" <peter.schober at univie.ac.at> wrote:
>A vendor has chosen MS-IIS to host their Shib SP, I'm trying to
>support them in their configuration.
>I'm aware MS-IIS does not have REMOTE_USER and from reading
>https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAcce
>ss#NativeSPAttributeAccess-REMOTE_USER
>I'm assuming there's also no way to access the 'header variable
>(internally named "remote-user")' directly?
There is, it's a header like any other, it's just not advisable because
apart from the one exception of Cold Fusion, it really just makes code
more confusing.
>Given that relying on HTTP_REMOTE_USER is discouraged, am I correct
>that then there's no support for an identifier precedence list on
>MS-IIS (using the SP's ApplicationDefaults/@REMOTE_USER), iterating
>over all possible attributes, and as such that this would have to be
>implemented in application code?
If you really want that capability, that's the reason for using
HTTP_REMOTEUSER, I guess.
>Would the SP architecture allow to add a feature to map the result of
>ApplicationDefaults/@REMOTE_USER to a custom attribute/header name?
>I doubt it, as REMOTE_USER uses the output from the attribute map as
>it's input, but I thought I'd ask.
No, it's the other way around, as you say.
-- Scott
More information about the users
mailing list