Get back user name

Joshua Hunter joshua at
Wed Dec 2 21:26:16 UTC 2020


I totally get this isn't something we would do for real.  What I'm planning is something like this:

* The user admin will setup whatever service provider and web server they like (though we'll have a recommended config with apache/shibboleth) to sit in front of our application. As long as it sets a known header we shouldn't care.
* The user admin will return a value from the IdP that identifies the user logging in (unique id, email, whatever).
* The SP then pushes that value into the known header.
* In our application the admin will have a field they can fill called something like SAML ID. That will be a unique value for each user that matches whatever they are getting back from their IdP.
* We'll use the value in the header to match with a user in our application via the 'SAML ID' value. From there we can set permissions and records access based on our internal user information.

For my testing, I just need a unique value in a header so that I can write the code to handle the user in the session.

Am I off base? I'm more than open to any suggestions.

Thank you for your help. I appreciate your time.


-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of Cantor, Scott
Sent: Wednesday, December 2, 2020 1:05 PM
To: Shib Users <users at>
Subject: RE: Get back user name

> I know this is super basic, but I need some hand holding. We are going 
> to support SAML in our app. We will pass in the values via headers 
> (yes, I know, security, but there isn't any good integration with any 
> web server with our application framework).  How can I get the user 
> name entered in the IdP into the headers the SP is providing to Apache?

Since I don't know what you don't know, and while I won't really be able to help much on list for free, I did just want to say that unless that question is just purely in the context of testing, that's not really something you do. Not in SAML and not in any other identity protocol. What the user enters into the IdP has more or less nothing to do with the ways users need to be identified in applications or between organizations. What the user can enter is a local detail.

The question has a pathological "this is how to do that specific thing" answer, it's just that that thing isn't something real systems do.

-- Scott

For Consortium Member technical support, see
To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list