SP doesn't forward variables

Nate Klingenstein ndk at sudonym.me
Wed Oct 19 19:05:13 UTC 2022


We would have to know a lot more about your configuration to tell you for
sure, but given that the attributes are being set but not populated, the
most likely explanation by far is that you don't have the page itself
protected by Shibboleth.  Cookies will always be sent by the browser, but
attributes will not be provided to unprotected resources.

This can be done either in the httpd configuration or in shibboleth2.xml,
but it's generally cleaner to do it in the httpd configuration.

You can verify my hunch by placing a phpinfo page in a directory with a
/secure URL path and accessing it, or more preferably, look at the
configuration for /secure that the installer generated in
/etc/httpd/conf.d/shib.conf and port it appropriately to protect the URL
path for your page.

Hope this helps,

On Wed, Oct 19, 2022, 3:39 AM Samsamoddin Rajaei <
Samsamoddin.Rajaei at bsb-muenchen.de> wrote:

> Hello everybody,
> I am trying to connect our Vufind application with Shibboleth SP and can
> not get SP to forward environment variables back to Vufind.
> When in Vufind application I click the login link, I will be forwarded to
> the configured federation and then to our test-idp. After entering my
> credentials I will be forwarded back to my configured "sessionHook"-Page,
> where I output the phpinfo.
> In SP transaction log file I see following entries:
> New session (ID: _804ca556ed17194f42e849338182672f) with (applicationId:
> historicumtest) for principal from (IdP: ...) at (ClientAddress: ...) with
> (NameIdentifier: none) using (Protocol:
> urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID:
> _96593f1b531e459c466f3cf6702acb80)
> Cached the following attributes with session (ID:
> _804ca556ed17194f42e849338182672f) for (applicationId: historicumtest) {
>     uid (1 values)
>  targeted-id (1 values)
>  affiliation (1 values)
>  entitlement (1 values)
> }
> In phpinfo I can see different Shibboleth cookies among others the session
> cookie with the same id as in log file ( _shibsession_nnn=ID). But I don't
> see any of Shibboleth standard Apache environment variables, like
> Shib-Application-ID and Shib-Identity-Provider nor anything of uid,
> targeted-id, affiliation and entitlement.
> How can I get uid, targeted-id, ... forwarded to my "sessionHook"-Page?
> Thank you for any hint.
> Sam
> Bavarian State library - Munich
> --
> For Consortium Member technical support, see
> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
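
Added example, not part of the original thread or of the Shibboleth project's files: what "protecting the page" in the httpd configuration looks like, using the directives from the SP's sample /secure block. The path /path/to/sessionhook-page is a hypothetical placeholder for the page's real URL path; compare against the /secure block in your own /etc/httpd/conf.d/shib.conf before porting.

```apache
# Constructed example; /path/to/sessionhook-page is a hypothetical placeholder.

# Unprotected (the situation described in the thread): no Shibboleth
# directives apply to the path. The browser still sends the
# _shibsession_* cookie, but the SP module exports no Shib-* variables
# and no attributes (uid, targeted-id, ...) to the PHP page.
#
#   (nothing configured for /path/to/sessionhook-page)

# Protected, same pattern as the installer's /secure block: a session is
# required, and its cached attributes are exported to the request
# environment for the page.
<Location /path/to/sessionhook-page>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require shib-session
</Location>

# Alternative (assumption: the application starts the login itself, as
# with a login link): enable the module for the path without forcing a
# session. Attributes are exported only when a session already exists.
#
# <Location /path/to/sessionhook-page>
#   AuthType shibboleth
#   ShibRequestSetting requireSession 0
#   Require shibboleth
# </Location>
```

After reloading httpd, a phpinfo page served under the protected path should list Shib-Application-ID, Shib-Identity-Provider and the mapped attributes for a logged-in session.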