[External] Re: Can a Shibboleth service provider present itself as a SAML identity provider for federation?
Peter Schober
peter.schober at univie.ac.at
Wed Apr 24 10:55:42 EDT 2019
* Graham Leggett <minfrin at sharp.fm> [2019-04-24 16:49]:
> Protecting an Apache httpd based resource is straightforward and
> easy to understand, however the java application behind needs full
> access to all the SSO metadata in order to know what groups and
> attributes the end user has. It’s not as simple as passing the
> REMOTE_USER.
The term "metadata" in the context of SSO and SAML specifically means
something else. What you're talking about are "attributes" (sometimes
called "claims"), i.e., data about the subject that authenticated at
the IDP.
Both the documentation for the SP (tooling examples -> Java) and
my previous post already pointed you to the "interface" you'd use, and
yes, it's exactly as simple as passing REMOTE_USER:
On the Java side you'd use getRemoteUser() to get REMOTE_USER and
request.getAttribute() to get the attributes you're interested in.
(I.e., SAML Attributes become Request Attributes here, thanks to the
Shibboleth SP and AJP from httpd to the Java servlet container.)
-peter
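As an added illustration of the REMOTE_USER / request-attribute interface Peter describes (this is example code written here, not code from the thread, the Shibboleth project or the original poster), here is a servlet that sits in a Java container fronted by httpd + Shibboleth SP over AJP. The attribute ids "eppn" and "affiliation", the required value "staff" and the class name are assumptions; real ids come from whatever your SP's attribute-map.xml assigns.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Reads the subject and SAML attributes that the Shibboleth SP exported
 * and that httpd forwarded as AJP request attributes. Nothing here parses
 * SAML; the SP already did that and the container hands us plain values.
 */
public class WhoAmIServlet extends HttpServlet {
    // Assumed attribute ids; they must match the "id" values in attribute-map.xml.
    private static final String ATTR_EPPN = "eppn";
    private static final String ATTR_AFFILIATION = "affiliation";
    // Assumed authorization rule for this example.
    private static final String REQUIRED_AFFILIATION = "staff";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // REMOTE_USER as set by the SP (e.g. via REMOTE_USER="eppn ..." in shibboleth2.xml).
        String user = req.getRemoteUser();
        if (user == null || user.isEmpty()) {
            // httpd should have enforced a session already; treat absence as a defect, not a guest.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no authenticated subject");
            return;
        }

        // SAML attributes arrive as request attributes, not headers, when using AJP.
        List<String> affiliations = multiValued(req.getAttribute(ATTR_AFFILIATION));
        if (!affiliations.contains(REQUIRED_AFFILIATION)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "insufficient affiliation");
            return;
        }

        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().printf("REMOTE_USER=%s%n%s=%s%n%s=%s%n",
                user,
                ATTR_EPPN, req.getAttribute(ATTR_EPPN),
                ATTR_AFFILIATION, affiliations);
    }

    /*
     * The SP joins multiple values of one attribute with ';' by default
     * (attributeValueDelimiter), so a multi-valued attribute is split here.
     */
    static List<String> multiValued(Object raw) {
        if (raw == null) {
            return Collections.emptyList();
        }
        return Arrays.asList(String.valueOf(raw).split(";"));
    }
}
```

Two deployment notes that matter for this to be safe: with Tomcat, the AJP connector needs tomcatAuthentication="false" so that the REMOTE_USER set by httpd is passed through instead of being discarded, and the AJP port must only be reachable from the httpd instance running the SP, because anything that can speak AJP to the container can set these same request attributes. Headers (ShibUseHeaders) are not needed with this setup and are best left off, since header-based attribute passing is what lets a misconfigured proxy chain be spoofed.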