Can't find attribute REMOTE_USER value in https request

Peter Schober peter.schober at
Wed Jul 18 11:25:49 EDT 2018

* Tony Ennis <tennis at> [2018-07-18 16:33]:
> >> I don't know if my application endpoint is explicitly secured by
> >> Shib SP or not.
> >Well, who else should know? You don't know and you also don't provide
> >any technical details.
> Well, "explicitly secured" sounded like a specific technical thing

I would have understood it in that way, yes. Meaning active protection
or at least passive/lazy sessions, as per the software's documentation:

> For example, my SP does not automatically intercept web requests to
> my app's endpoints. However, I have a decorator in my endpoints that
> redirects to the SP whenever an endpoint is accessed and there's no
> shib session.

While that's relevant to a certain degree it does not help to
determine whether the SP software actually is invoked for requests
that go to httpd. Only if that's the case will the attributes be

(REMOTE_USER will only have a value if at least one of the exact
attribute-ids mapped to it in shibboleth2.xml is available, but I'll
assume you have already checked that with your transaction.log.)

> I didn't provide any technical details because I didn't just want to
> puke all my configurations on this message, and my configs are on a
> secure server; getting them out is not easy.

Let's pretend there's a middle ground between pasting the whole config
here without without any discrimination and making some rough
statements about what you've done (e.g. "I've installed and configured
the software according to the docs and protected some resournce on my
server following the example from the wiki page XYZ.")

> >* Tony Ennis <tennis at> [2018-07-17 21:46]:
> >> I am using Apache and Shib SP for SSO, and Flask/uwsgi to serve my application.
> [...]
> >> My nginx-powered endpoint checks for a Shib cookie and if not
> >> present in the http request, redirects to the Shib login.
> >So you're running both Apache httpd *and* Nginx for the same resource?
> >Why? The Shib SP can be used with Nginx, too, if you positively
> >require Nginx but not httpd.
> Not your problem, but that's how the container was delivered to me
> by the devops team.

Indeed, none of this here is my problem.

Then why am I commenting on this: You're asking for help here. And you
may just be doing something that cannot possibly work. No way for me
to tell without any specifics, but running 2 full-blown web servers on
the same machine is a warning sign if I ever saw one.

> I did add your config, thank you for that. After restarting, I did
> not see a difference in the logs. But I suspect my logs are not
> configured properly as I never see any particularly detailed data. I
> see DEBUG level, which is supposed to be pretty spammy. Instead, I
> see one-liners that pretty much say, "This shib endpoint was
> called".

Note that I was referring to httpd log files, not the Shib SP's logs.
Are you saying you don't have access to httpd logs, either?

So I'd make sure:

* my transaction.log says that it revieced and mapped an attribute
  with the exact id that I have configured in the SP's REMOTE_USER
  predecence list.
  (otherwise also check for lines with "skipping" in shibd.log)

* you access a resource you have configured in httpd to be "protected"
  by the Shib SP, at least lazily ("auth shibboleth" and "require

* that httpd's access log shows something other than " - - " for the
  authenticated subject (assuming common log format).


More information about the users mailing list