Can't find attribute REMOTE_USER value in https request

Tony Ennis tennis at
Wed Jul 18 09:46:03 EDT 2018

Thank you for the response.  I don't know if my application endpoint is explicitly secured by Shib SP or not. My nginx-powered endpoint checks for a Shib cookie and if not present in the http request, redirects to the Shib login.

I don't have any confidence that Shib SP is creating REMOTE_USER at all.  My log files don't give me any detailed information even though everything is set to the DEBUG level. I can see which SP endpoints are being accessed, the http verb, status, and bytecount. But no XML or anything that tells me what's really happening.

Tony Ennis
Chief Architect
tennis at | Rivera Group
O: 812.246.4055

From: users <users-bounces at> on behalf of Peter Schober <peter.schober at>
Sent: Wednesday, July 18, 2018 4:39:10 AM
To: users at
Subject: Re: Can't find attribute REMOTE_USER value in https request

* Tony Ennis <tennis at> [2018-07-17 21:46]:
> I seem to successfully log in using my SP and IdP.  I get redirected
> back to my application. A shib cookie is defined. I dump the environ
> variables (and all other data structures) from the http request and
> REMOTE_USER is not defined. I then use the same browser window and
> check the session with the SSO and my variables are displayed.

You're probably just accessing a resource that has no protection by
the Shib SP configured, neither active nor passive/lazy.

Assuming use of Apache httpd, the following would make attributes
appear on all requests, but would not enforce creation of a session if
there wasn't one:

<Location />
  AuthType shibboleth
  ShibRequestSetting requireSession 0
  require shibboleth
</Location>

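The distinction discussed in this thread, checked from the application side: an added example (not code from the thread or from the Shibboleth project) that classifies one request by what the SP actually exported rather than by whether a cookie is present. It assumes a Python WSGI application behind the SP; `classify_shib_environ` and the sample environments are constructed for illustration.

```python
# Added example, not code from the thread. Assumes a Python WSGI app behind
# the Shibboleth SP; classify_shib_environ is a hypothetical helper.
SESSION_VAR = "Shib-Session-ID"    # set by the SP when it attaches a session
COOKIE_PREFIX = "_shibsession_"    # name prefix of the SP's session cookie


def classify_shib_environ(environ):
    """Return findings about what the SP exported for this one request."""
    has_session = bool(environ.get(SESSION_VAR))
    has_user = bool(environ.get("REMOTE_USER"))
    has_cookie = COOKIE_PREFIX in environ.get("HTTP_COOKIE", "")

    if has_session and has_user:
        findings = ["session-with-remote-user"]
    elif has_session:
        # Session exists, but nothing was mapped to REMOTE_USER.
        findings = ["session-without-remote-user"]
    elif has_cookie:
        # The symptom in this thread: the browser sent the cookie, but the SP
        # exported nothing for this request (resource not covered by the SP,
        # or the session is no longer valid).
        findings = ["cookie-only-no-sp-export"]
    else:
        findings = ["no-session"]

    # HTTP_* keys are request headers. They prove nothing unless the front
    # end sets or strips them itself.
    lookalikes = sorted(k for k in environ
                        if k == "HTTP_REMOTE_USER" or k.startswith("HTTP_SHIB_"))
    if lookalikes:
        findings.append("header-lookalikes:" + ",".join(lookalikes))
    return findings


# Constructed sample environments (not captured from a real deployment).
SAMPLES = {
    "unprotected": {"HTTP_COOKIE": "_shibsession_64656661756c74=_constructed"},
    "protected": {"HTTP_COOKIE": "_shibsession_64656661756c74=_constructed",
                  "Shib-Session-ID": "_constructed", "REMOTE_USER": "user@example.org"},
    "headers-only": {"HTTP_REMOTE_USER": "user@example.org",
                     "HTTP_SHIB_SESSION_ID": "_constructed"},
}

if __name__ == "__main__":
    for name, env in SAMPLES.items():
        print(name, classify_shib_environ(env))
```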