Can't find attribute REMOTE_USER value in https request

Tony Ennis tennis at
Wed Jul 18 14:22:08 EDT 2018

To level set, the IdP login seems to work. As far as I can tell, the entire process works up to the last 2%.

I don't see REMOTE_USER being returned to my application endpoint.

Here are some of the configs and results that seem important.


Trying to verify REMOTE_USER is being set<>

I've also dumped out the entire http request when control was returned to my endpoint; I see no evidence of REMOTE_USER anywhere there.

So right now, I am trying to verify that httpd is adding REMOTE_USER. I don't see a mention of it anywhere on the httpd+shib server.

[Rivera Group]<>
Tony Ennis
Chief Architect
tennis at<mailto:tennis at> | Rivera Group<>
O: 812.246.4055

From: users <users-bounces at> on behalf of Peter Schober <peter.schober at>
Sent: Wednesday, July 18, 2018 11:25:49 AM
To: users at
Subject: Re: Can't find attribute REMOTE_USER value in https request

External Email! Do not click any links or open any attachments unless you trust the sender and know the content is safe.

* Tony Ennis <tennis at> [2018-07-18 16:33]:
> >> I don't know if my application endpoint is explicitly secured by
> >> Shib SP or not.
> >Well, who else should know? You don't know and you also don't provide
> >any technical details.
> Well, "explicitly secured" sounded like a specific technical thing

I would have understood it in that way, yes. Meaning active protection
or at least passive/lazy sessions, as per the software's documentation:

> For example, my SP does not automatically intercept web requests to
> my app's endpoints. However, I have a decorator in my endpoints that
> redirects to the SP whenever an endpoint is accessed and there's no
> shib session.

While that's relevant to a certain degree it does not help to
determine whether the SP software actually is invoked for requests
that go to httpd. Only if that's the case will the attributes be

(REMOTE_USER will only have a value if at least one of the exact
attribute-ids mapped to it in shibboleth2.xml is available, but I'll
assume you have already checked that with your transaction.log.)

> I didn't provide any technical details because I didn't just want to
> puke all my configurations on this message, and my configs are on a
> secure server; getting them out is not easy.

Let's pretend there's a middle ground between pasting the whole config
here without without any discrimination and making some rough
statements about what you've done (e.g. "I've installed and configured
the software according to the docs and protected some resournce on my
server following the example from the wiki page XYZ.")

> >* Tony Ennis <tennis at> [2018-07-17 21:46]:
> >> I am using Apache and Shib SP for SSO, and Flask/uwsgi to serve my application.
> [...]
> >> My nginx-powered endpoint checks for a Shib cookie and if not
> >> present in the http request, redirects to the Shib login.
> >So you're running both Apache httpd *and* Nginx for the same resource?
> >Why? The Shib SP can be used with Nginx, too, if you positively
> >require Nginx but not httpd.
> Not your problem, but that's how the container was delivered to me
> by the devops team.

Indeed, none of this here is my problem.

Then why am I commenting on this: You're asking for help here. And you
may just be doing something that cannot possibly work. No way for me
to tell without any specifics, but running 2 full-blown web servers on
the same machine is a warning sign if I ever saw one.

> I did add your config, thank you for that. After restarting, I did
> not see a difference in the logs. But I suspect my logs are not
> configured properly as I never see any particularly detailed data. I
> see DEBUG level, which is supposed to be pretty spammy. Instead, I
> see one-liners that pretty much say, "This shib endpoint was
> called".

Note that I was referring to httpd log files, not the Shib SP's logs.
Are you saying you don't have access to httpd logs, either?

So I'd make sure:

* my transaction.log says that it revieced and mapped an attribute
  with the exact id that I have configured in the SP's REMOTE_USER
  predecence list.
  (otherwise also check for lines with "skipping" in shibd.log)

* you access a resource you have configured in httpd to be "protected"
  by the Shib SP, at least lazily ("auth shibboleth" and "require

* that httpd's access log shows something other than " - - " for the
  authenticated subject (assuming common log format).

For Consortium Member technical support, see
To unsubscribe from this list send an email to users-unsubscribe at
Confidentiality Notice: This message and any attachments are for the sole use of the intended recipient(s), and may contain information considered confidential or privileged by the sending organization or trade secrets of the sending organization. This message does not authorize the intended recipient to disclose this information to any other party. Use, disclosure, or retention of any information in this message by anyone other than the intended user is strictly prohibited, unless otherwise authorized in writing. If you are not the intended recipient, please destroy all copies of this message.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list