Eric Nord

Reputation: 4885

Shibboleth return username as HTTP Header instead of SAML attribute

Shibboleth IDP and SP are talking great and the data I need is in the SAML.

What configuration is required for allowing Shibboleth to return an HTTP header with the info I need (yes, I know it's a bad idea, but I don't have a choice)?

I'm running SP 2.6 on IIS and need an HTTP header with the username from the Shibboleth 3 IdP response.

Here's what I've tried for attribute-map.xml:

<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="netId" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

And it provides me with this data in the SAML:

<saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="eduPersonPrincipalName"
                     Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xsd:string">[email protected]</saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>

Due to the software I'm working with, I need the username in the HTTP header.

Upvotes: 0

Views: 4066

Answers (1)

Yiannis Kakavas

Reputation: 587

You can't have the Identity Provider release an HTTP header. That is not SAML Web Browser SSO profile.

You already have the middleware you are talking about: it's the Shibboleth Service Provider, and if your attribute-map.xml file is correct, you will be able to access the attributes from your application logic either as environment variables or HTTP headers, as described here.

An example for how an attribute is mapped to an HTTP header follows:

Let's say you

  • release the attribute with SAML name urn:oid:1.3.6.1.4.1.5923.1.1.1.6 from the IdP and that

  • in your SP attribute-map.xml you have an attribute decoder like:

<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="netId" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

Taking into consideration that

When using headers, the main difference is that instead of using the names defined via the mapping process, the application must prefix them with "HTTP_", and in most tools upcase the rest of the name as well.

The HTTP header will eventually be HTTP_NETID.

As to how you can read the header values, as described in this thread,

To iterate through all that are passed:

foreach (string key in Request.ServerVariables.AllKeys)

To reference a specific value:

value = Request.ServerVariables[key];

Upvotes: 3
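As an added example (not from the question or answer, and not Shibboleth's own code), a small Python model of the mapping the answer describes: it reads the attribute ids from an attribute-map.xml fragment, derives the HTTP_ server-variable names, and pulls the values out of a constructed set of IIS server variables. It assumes the SP's standard Shib-Session-ID variable (used here to make sure a Shibboleth session actually exists before the username header is trusted) and the SP's semicolon delimiter for multi-valued attributes, neither of which is shown in the post.

```python
import xml.etree.ElementTree as ET

# Constructed attribute-map.xml fragment: the netId mapping from the post plus a
# second, multi-valued attribute (affiliation) added for illustration.
ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="netId"
             nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="affiliation"/>
</Attributes>"""


def header_name(attr_id):
    """Server-variable name under which the SP exposes a mapped attribute id:
    prefix HTTP_, upper-case the rest, hyphens become underscores (CGI rule)."""
    return "HTTP_" + attr_id.upper().replace("-", "_")


def mapped_ids(attribute_map_xml):
    """All attribute ids declared in an attribute-map.xml document."""
    root = ET.fromstring(attribute_map_xml)
    # Match on local name so the fragment works with or without the namespace.
    return [e.get("id") for e in root.iter() if e.tag.split("}")[-1] == "Attribute"]


def read_attributes(server_vars, attribute_map_xml):
    """Return {attribute id: [values]} from IIS-style server variables, or None
    when no Shibboleth session is present (assumption: the SP sets Shib-Session-ID
    only on requests it has authenticated, so without it the headers are untrusted)."""
    if not server_vars.get(header_name("Shib-Session-ID")):
        return None
    result = {}
    for attr_id in mapped_ids(attribute_map_xml):
        raw = server_vars.get(header_name(attr_id))
        if raw is None:
            continue
        # Assumption: the SP joins multiple values of one attribute with ';'.
        result[attr_id] = raw.split(";")
    return result


# Constructed server variables as the SP's ISAPI filter would present them to
# an ASP.NET application (sample values only).
SERVER_VARS = {
    "HTTP_SHIB_SESSION_ID": "_c0ffee0123456789",
    "HTTP_NETID": "jdoe@example.edu",
    "HTTP_AFFILIATION": "member;staff",
}

if __name__ == "__main__":
    print(read_attributes(SERVER_VARS, ATTRIBUTE_MAP))
```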
