shibboleth 3 SP not outputting attributes?
Leigh Kennedy
Leigh.Kennedy at qlik.com
Wed Aug 15 01:12:36 EDT 2018
Hi All,
We have a legacy product that does not support SAML OOTB, so 2+ years ago I documented how to configure this with Shib v2 & IIS. I am trying to update this to v3 and am not getting the headers (or variables) coming through. My requirement is incredibly simple: just pass through the user's identifier as a header.
I have gotten the SAML working and /Shibboleth.sso/Session shows:
Miscellaneous
Session Expiration (barring inactivity): 479 minute(s)
Client Address: fe80::6118:242a:7:97d8%3
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: http://ADFS.wxyzlocal.net/adfs/services/trust
Authentication Time: 2018-08-14T13:12:16.201Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)
Attributes
eppn: wxyz at wxyzlocal.net
upn: wxyz at wxyzlocal.net
Either of these (as they are really the same thing) would be fine to use.
I have set use headers to true (twice - I am sure the second is redundant):
<InProcess>
    <ISAPI normalizeRequest="true" safeHeaderNames="true" useHeaders="true">
        <Site id="1" name="myserver" scheme="https" port="443" useHeaders="true" />
    </ISAPI>
</InProcess>
I am trying to set the header the same way I was in v2 (I don't need the header to be remoteuser, but that is what worked in v2):
<ApplicationDefaults entityID="https://myserver/shibboleth" homeURL="/myapp/index.htm" REMOTE_USER="eppn">
And I have tried to pass through all attributes:
<afp:AttributeFilterPolicy>
    <!-- This policy is in effect in all cases. -->
    <afp:PolicyRequirementRule xsi:type="ANY"/>

    <!--
    Filter out undefined affiliations and ensure only one primary.
    -->

    <!--
    Catch-all that passes everything else through unmolested.
    -->
    <afp:AttributeRule attributeID="*" permitAny="true"/>
</afp:AttributeFilterPolicy>
Now, I am sure it is something I have done, but I am stuck. Outputting the data (using the aspx code from the documentation), I see "REMOTE_USER = " under server variables and don't see it at all under headers.
Any idea what I have missed/what has changed?
NB: Full output from aspx is below. I see no reference to Shib at all other than the cookie.
Server Variables
ALL_HTTP = HTTP_CONNECTION:close HTTP_ACCEPT:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 HTTP_ACCEPT_ENCODING:gzip, deflate, br HTTP_ACCEPT_LANGUAGE:en-US,en;q=0.5 HTTP_COOKIE:_shibsession_64656661756c7468747470733a2f2f716d692d71762d6969732f73686962626f6c657468=_26f717623595cc347947fbf32fb7a852; AccessPointSession=60862363-1334-1d2f-bdff-9133d205811e HTTP_HOST:myserver HTTP_USER_AGENT:Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 HTTP_UPGRADE_INSECURE_REQUESTS:1
ALL_RAW = Connection: close Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Cookie: _shibsession_64656661756c7468747470733a2f2f716d692d71762d6969732f73686962626f6c657468=_26f717623595cc347947fbf32fb7a852; AccessPointSession=60862363-1334-1d2f-bdff-9133d205811e Host: myserver User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 upgrade-insecure-requests: 1
APPL_MD_PATH = /LM/W3SVC/1/ROOT/test
APPL_PHYSICAL_PATH = C:\inetpub\test\
AUTH_TYPE =
AUTH_USER =
AUTH_PASSWORD =
LOGON_USER =
REMOTE_USER =
CERT_COOKIE =
CERT_FLAGS =
CERT_ISSUER =
CERT_KEYSIZE = 256
CERT_SECRETKEYSIZE = 2048
CERT_SERIALNUMBER =
CERT_SERVER_ISSUER = CN=myserver
CERT_SERVER_SUBJECT = CN=myserver
CERT_SUBJECT =
CONTENT_LENGTH = 0
CONTENT_TYPE =
GATEWAY_INTERFACE = CGI/1.1
HTTPS = on
HTTPS_KEYSIZE = 256
HTTPS_SECRETKEYSIZE = 2048
HTTPS_SERVER_ISSUER = CN=myserver
HTTPS_SERVER_SUBJECT = CN=myserver
INSTANCE_ID = 1
INSTANCE_META_PATH = /LM/W3SVC/1
LOCAL_ADDR = fe80::6118:242a:7:97d8%3
PATH_INFO = /test/test.aspx
PATH_TRANSLATED = C:\inetpub\test\test.aspx
QUERY_STRING =
REMOTE_ADDR = fe80::6118:242a:7:97d8%3
REMOTE_HOST = fe80::6118:242a:7:97d8%3
REMOTE_PORT = 49699
REQUEST_METHOD = GET
SCRIPT_NAME = /test/test.aspx
SERVER_NAME = myserver
SERVER_PORT = 443
SERVER_PORT_SECURE = 1
SERVER_PROTOCOL = HTTP/1.1
SERVER_SOFTWARE = Microsoft-IIS/10.0
URL = /test/test.aspx
HTTP_CONNECTION = close
HTTP_ACCEPT = text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_ENCODING = gzip, deflate, br
HTTP_ACCEPT_LANGUAGE = en-US,en;q=0.5
HTTP_COOKIE = _shibsession_64656661756c7468747470733a2f2f716d692d71762d6969732f73686962626f6c657468=_26f717623595cc347947fbf32fb7a852; AccessPointSession=60862363-1334-1d2f-bdff-9133d205811e
HTTP_HOST = myserver
HTTP_USER_AGENT = Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
HTTP_UPGRADE_INSECURE_REQUESTS = 1
HTTP HEADERS
Connection = close
Accept = text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding = gzip, deflate, br
Accept-Language = en-US,en;q=0.5
Cookie = _shibsession_64656661756c7468747470733a2f2f716d692d71762d6969732f73686962626f6c657468=_26f717623595cc347947fbf32fb7a852; AccessPointSession=60862363-1334-1d2f-bdff-9133d205811e
Host = myserver
User-Agent = Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
upgrade-insecure-requests = 1
Thanks
Leigh Kennedy
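The following is an added example, not code from the post or from the Shibboleth project. It models the two things a practitioner checks when an IIS-hosted SP seems to deliver nothing to the application: first, that the `_shibsession_` cookie in the request dump really belongs to this SP (its suffix is the hex encoding of the applicationId followed by the entityID), and second, what the application sees under `useHeaders="true"` versus the server-variable mode, including why a client-supplied header with the same name as an attribute is a spoofing attempt. The header/server-variable handling below is a simplified model written for illustration and is an assumption about the module's behaviour, not its actual code; the sample cookie is constructed from the `default` applicationId and the `https://myserver/shibboleth` entityID shown in the post's config, not copied from a live server.

```python
"""Added example (not from the post or the Shibboleth project).

Assumptions, also marked in comments:
- cookie naming rule: "_shibsession_" + hex(applicationId + entityID)
- header/server-variable delivery is a simplified model for illustration
"""
import binascii

SESSION_COOKIE_PREFIX = "_shibsession_"
REMOTE_USER = "REMOTE_USER"


def session_cookie_name(application_id: str, entity_id: str) -> str:
    """Build the SP session cookie name for a given application/entityID pair."""
    suffix = binascii.hexlify((application_id + entity_id).encode("utf-8")).decode()
    return SESSION_COOKIE_PREFIX + suffix


def decode_session_cookie_name(name: str) -> str:
    """Recover applicationId+entityID text from a cookie name seen in a request dump,
    so you can confirm the cookie belongs to the SP instance you are debugging."""
    if not name.startswith(SESSION_COOKIE_PREFIX):
        raise ValueError("not a Shibboleth SP session cookie name")
    return binascii.unhexlify(name[len(SESSION_COOKIE_PREFIX):]).decode("utf-8")


def expose_attributes(client_headers, sp_attributes, known_attribute_ids,
                      use_headers, remote_user_attrs=("eppn",), check_spoofing=True):
    """Simplified model (assumption, not SP code) of what the application sees.

    client_headers:      headers as sent by the browser (attacker-controllable)
    sp_attributes:       attribute id -> value resolved by the SP from the session
                         (empty dict = no session, i.e. an unprotected path)
    known_attribute_ids: every id the SP could ever set (from attribute-map.xml)
    use_headers:         the useHeaders switch from shibboleth2.xml
    remote_user_attrs:   the REMOTE_USER preference list from ApplicationDefaults

    Returns (server_variables, request_headers) after the SP module has run.
    """
    headers = {k.lower(): v for k, v in client_headers.items()}
    server_vars = {}
    protected = {a.lower() for a in known_attribute_ids} | {REMOTE_USER.lower()}

    if use_headers and check_spoofing:
        # Anything the client sends under a name the SP owns is a spoof attempt:
        # refuse the request rather than let the value reach the application.
        clashes = sorted(k for k in headers if k in protected)
        if clashes:
            raise PermissionError(f"attempt to spoof header(s) detected: {clashes}")

    # REMOTE_USER is derived from the first preferred attribute that is present.
    remote_user = next((sp_attributes[a] for a in remote_user_attrs if a in sp_attributes), None)
    to_set = dict(sp_attributes)
    if remote_user is not None:
        to_set[REMOTE_USER] = remote_user

    for attr, value in to_set.items():
        if use_headers:
            headers[attr.lower()] = value          # visible as HTTP_<NAME> / request header
        else:
            server_vars[attr] = value              # process-internal; client cannot inject
    return server_vars, headers


def trusted_identity(server_vars, headers, use_headers):
    """What a legacy app that 'just reads REMOTE_USER' would end up trusting."""
    return headers.get(REMOTE_USER.lower()) if use_headers else server_vars.get(REMOTE_USER)


if __name__ == "__main__":
    # Constructed sample values taken from the post's configuration fragments.
    name = session_cookie_name("default", "https://myserver/shibboleth")
    print(name, "->", decode_session_cookie_name(name))

    attrs = {"eppn": "wxyz@wxyzlocal.net", "upn": "wxyz@wxyzlocal.net"}
    ids = {"eppn", "upn"}
    print(expose_attributes({"Host": "myserver"}, attrs, ids, use_headers=False))
    print(expose_attributes({"Host": "myserver"}, attrs, ids, use_headers=True))
    # Unprotected path, no session, no spoof check: the attacker picks REMOTE_USER.
    sv, hd = expose_attributes({"REMOTE_USER": "attacker"}, {}, ids, use_headers=True,
                               check_spoofing=False)
    print("app would trust:", trusted_identity(sv, hd, use_headers=True))
```

The last case in the `__main__` block is the reason to prefer the server-variable path where the application can read it: with headers, any request that reaches the application without passing through the module, or with spoof checking disabled, lets the client choose the identity.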