Shibboleth SP Server variables in IIS

Cantor, Scott cantor.2 at
Thu Apr 23 15:23:16 EDT 2020

On 4/23/20, 2:50 PM, "users on behalf of user1630508" <users-bounces at on behalf of pgrandsard at> wrote:

> Are we talking past each other for what's considered a server variable?

I'm referring to the notion of a variable set by the server in the CGI environment that isn't derived from an HTTP request header. REMOTE_USER is an example. REMOTE_ADDR would be another.

Request headers are different and may appear to be accessible in a similar way, but they are distinct, and that's the meaning of the two flags in the configuration.

V2 on IIS only supported exporting data via headers. V3 supports both, at least where it seems to be possible to support both.

> With useVariables="true" useHeaders="false",
> Request.ServerVariables["HTTP_SHIBIDENTITYPROVIDER"] (or any HTTP_SHIB) is
> not passed back to to .net.

It's already there in the more secure form of  the variable called "Shib-Identity-Provider" that doesn't come from a faked request header generated on the server to get past the API limitations of ISAPI.

If you want names that match the old ones, those are headers and you have to turn headers back on. That's not advisable unless the code is simply unchangeable.

-- Scott

More information about the users mailing list