Antw: Re: SP doesn't forward variables

Samsamoddin Rajaei Samsamoddin.Rajaei at
Wed Oct 26 14:49:23 UTC 2022


Thank you for your hints. They helped me to move forward.
The following Apache configuration

<LocationMatch "/(eg|gtn)/">
	<If "%{QUERY_STRING} =~ /auth_method=Shibboleth/">
		AuthType shibboleth
		Require shibboleth
		ShibRequestSetting requireSession true
		ShibUseHeaders On
	</If>
</LocationMatch>

is now able to send the desired Apache variables to the SP, and I can see
them in our Vufind application, but only on the page with
"?auth_method=Shibboleth". On other pages of the application (all under
<URL>/eg or <URL>/gtn) they aren't available. I want only the page
"<URL>/eg/?auth_method=Shibboleth" (and
"<URL>/gtn/?auth_method=Shibboleth") to be restricted, but I want other
pages to have access to the Apache variables too. Is it possible? How?

If I add

<Else>
	AuthType shibboleth
	Require shibboleth
</Else>

to the configuration, then all pages are restricted and I will be
redirected to IDP when I try to visit any application page.
Regards Sam
BTW I know that using "ShibUseHeaders On" is not recommended, but I
want to get the whole system running and then solve this problem. At the
moment without this parameter the variables are not sent.

>>> Nate Klingenstein <ndk at> 19.10.2022 21:05 >>>

We would have to know a lot more about your configuration to tell you
for sure, but given that the attributes are being set but not populated,
the most likely explanation by far is that you don't have the page
itself protected by Shibboleth. Cookies will always be sent by the
browser, but attributes will not be provided to unprotected resources.

This can be done either in the httpd configuration or in
shibboleth2.xml, but it's generally cleaner to do it in the httpd

You can verify my hunch by placing a phpinfo page in a directory with a
/secure URL path and accessing it, or more preferably, look at the
configuration for /secure that the installer generated in
/etc/httpd/conf.d/shib.conf and port it appropriately to protect the URL
path for your page.

Hope this helps,

On Wed, Oct 19, 2022, 3:39 AM Samsamoddin Rajaei
<Samsamoddin.Rajaei at> wrote:

Hello everybody,

I am trying to connect our Vufind application with Shibboleth SP and
cannot get SP to forward environment variables back to Vufind.
When in Vufind application I click the login link, I will be forwarded
to the configured federation and then to our test-idp. After entering my
credentials I will be forwarded back to my configured
"sessionHook"-Page, where I output the phpinfo.

In the SP transaction log file I see the following entries:
New session (ID: _804ca556ed17194f42e849338182672f) with
(applicationId: historicumtest) for principal from (IdP: ...) at
(ClientAddress: ...) with (NameIdentifier: none) using (Protocol:
urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID:
Cached the following attributes with session (ID:
_804ca556ed17194f42e849338182672f) for (applicationId: historicumtest)
uid (1 values) 
targeted-id (1 values) 
affiliation (1 values) 
entitlement (1 values) 
In phpinfo I can see different Shibboleth cookies, among others the
session cookie with the same id as in the log file ( _shibsession_nnn=ID).
But I don't see any of the standard Shibboleth Apache environment
variables, like Shib-Application-ID and Shib-Identity-Provider, nor
anything of uid, targeted-id, affiliation and entitlement.
How can I get uid, targeted-id ,... forwarded to my
Thank you for any hint.
Bavarian State library - Munich
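
The behaviour asked about at the top of this thread (attributes available on every page under /eg and /gtn, login forced only for "?auth_method=Shibboleth") corresponds to what the Shibboleth SP documentation calls lazy sessions. The fragment below is an added example, not part of the original messages; it reuses the paths and directives from the post and assumes that ShibRequestSetting is honoured inside <If>, as the posted configuration indicates.

```apache
<LocationMatch "/(eg|gtn)/">
    # Activate the SP module for every request under /eg/ and /gtn/ so
    # that an existing session's attributes are exported to the application.
    AuthType shibboleth

    # Lazy session: do not redirect to the IdP when no session exists.
    ShibRequestSetting requireSession false

    # "shibboleth" is the SP's pass-through authorization rule: it grants
    # access with or without a session and leaves the decision to the app.
    Require shibboleth

    # Carried over from the post, where it is flagged as a temporary
    # setting that is not recommended.
    ShibUseHeaders On

    # Only the login entry point forces a session. <If> is merged after
    # the enclosing <LocationMatch>, so this overrides the value above.
    <If "%{QUERY_STRING} =~ /auth_method=Shibboleth/">
        ShibRequestSetting requireSession true
    </If>
</LocationMatch>
```

With requireSession false, requests without a session reach the application, so the application has to treat a missing uid as an anonymous user instead of assuming the web server has already enforced login.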