Can't find attribute REMOTE_USER value in https request
Tony Ennis
tennis at eagle6.com
Wed Jul 18 10:33:07 EDT 2018
>* Tony Ennis <tennis at eagle6.com> [2018-07-18 15:46]:
>> I don't know if my application endpoint is explicitly secured by
>> Shib SP or not.
>Well, who else should know? You don't know and you also don't provide
>any technical details.
Well, "explicitly secured" sounded like a specific technical thing, and I didn't
want to say that it was secured when it wasn't done in some specific way.
For example, my SP does not automatically intercept web requests to my
app's endpoints. However, I have a decorator in my endpoints that redirects
to the SP whenever an endpoint is accessed and there's no shib session.
That is in accordance with the document given to me by the client.
I didn't provide any technical details because I didn't just want to puke all
my configurations on this message, and my configs are on a secure server;
getting them out is not easy.
>* Tony Ennis <tennis at eagle6.com> [2018-07-17 21:46]:
>> I am using Apache and Shib SP for SSO, and Flask/uwsgi to serve my application.
[...]
>> My nginx-powered endpoint checks for a Shib cookie and if not
>> present in the http request, redirects to the Shib login.
>So you're running both Apache httpd *and* Nginx for the same resource?
>Why? The Shib SP can be used with Nginx, too, if you positively
>require Nginx but not httpd.
Not your problem, but that's how the container was delivered to me by the
devops team. But thank you, that gives me a different avenue. I would
prefer to not use httpd.
>Other than that I don't understand what the above means, so it's
>likely a hint that something weird is going on in your deployment.
Yes, lol.
>> I don't have any confidence that Shib SP is creating REMOTE_USER at
>> all.
>If it's protecting content (or configured as I suggested before, which
>you did not comment on at all) httpd will log REMOTE_USER in
>httpd's access log.
I did add your config, thank you for that. After restarting, I did not see
a difference in the logs. But I suspect my logs are not configured properly
as I never see any particularly detailed data. I see DEBUG level, which is
supposed to be pretty spammy. Instead, I see one-liners that pretty much
say, "This shib endpoint was called".
Tony Ennis
Chief Architect
tennis at riverainc.com | Rivera Group <http://www.riverainc.com>
O: 812.246.4055
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Peter Schober <peter.schober at univie.ac.at>
Sent: Wednesday, July 18, 2018 9:59:18 AM
To: users at shibboleth.net
Subject: Re: Can't find attribute REMOTE_USER value in https request
________________________________
* Tony Ennis <tennis at eagle6.com> [2018-07-18 15:46]:
> I don't know if my application endpoint is explicitly secured by
> Shib SP or not.
Well, who else should know? You don't know and you also don't provide
any technical details.
* Tony Ennis <tennis at eagle6.com> [2018-07-17 21:46]:
> I am using Apache and Shib SP for SSO, and Flask/uwsgi to serve my application.
[...]
> My nginx-powered endpoint checks for a Shib cookie and if not
> present in the http request, redirects to the Shib login.
So you're running both Apache httpd *and* Nginx for the same resource?
Why? The Shib SP can be used with Nginx, too, if you positively
require Nginx but not httpd.
Other than that I don't understand what the above means, so it's
likely a hint that something weird is going on in your deployment.
> I don't have any confidence that Shib SP is creating REMOTE_USER at
> all.
If it's protecting content (or configured as I suggested before, which
you did not comment on at all) httpd will log REMOTE_USER in
httpd's access log.
-peter
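Added example, not part of the thread and not code from either poster: a WSGI-level guard that runs the application only when the front-end web server has set REMOTE_USER, and otherwise redirects to the SP login handler instead of inferring a session from a cookie. It assumes the web server passes REMOTE_USER into the WSGI environ, that the SP login handler lives at `/Shibboleth.sso/Login`, and that session cookies use the default `_shibsession_` prefix; `require_remote_user`, `whoami` and `run` are hypothetical names.

```python
import logging
from urllib.parse import quote
from wsgiref.util import request_uri, setup_testing_defaults

log = logging.getLogger("shib_guard")
LOGIN_HANDLER = "/Shibboleth.sso/Login"  # assumed SP login handler path for this deployment

def require_remote_user(app):
    """Wrap a WSGI app so it only runs when the web server set REMOTE_USER."""
    def guarded(environ, start_response):
        # REMOTE_USER is a server-set variable; HTTP_* keys come from client headers.
        user = environ.get("REMOTE_USER", "").strip()
        if user:
            return app(environ, start_response)
        # A Shib session cookie or a Remote-User header is client-controlled:
        # log it for troubleshooting, but never treat it as proof of a session.
        if "HTTP_REMOTE_USER" in environ or "_shibsession_" in environ.get("HTTP_COOKIE", ""):
            log.warning("no REMOTE_USER from server for %s; ignoring client-supplied hints",
                        environ.get("PATH_INFO"))
        target = quote(request_uri(environ), safe="")
        start_response("302 Found", [("Location", f"{LOGIN_HANDLER}?target={target}")])
        return [b""]
    return guarded

@require_remote_user
def whoami(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["REMOTE_USER"].encode()]

def run(extra):
    """Drive the app with a constructed request; return (status, headers, body)."""
    environ = {"PATH_INFO": "/report", **extra}
    setup_testing_defaults(environ)
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(whoami(environ, start_response))
    return seen["status"], seen["headers"], body

if __name__ == "__main__":
    # Constructed requests: server-set identity, cookie only, spoofed header only.
    print(run({"REMOTE_USER": "tennis"}))
    print(run({"HTTP_COOKIE": "_shibsession_abc=xyz"}))
    print(run({"HTTP_REMOTE_USER": "admin"}))
```

If the first case never occurs in a real deployment, the variable is not reaching the application from the web server, which is the condition the thread is trying to diagnose.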