Shibboleth - How to read attributes?

I successfully enter the test page of the service provider with Shibboleth. Then I go to the /Shibboleth.sso/Session page and I see the following:

 Attributes
 affiliation: 1 value(s)
 entitlement: 1 value(s)
 eppn: 1 value(s)
 persistent-id: 1 value(s)
 unscoped-affiliation: 1 value(s)

My question is: how do I read these values? I do not see them in the header of the HTTP request in Fiddler.

My web application will be implemented in ASP.NET MVC 4 (C#).

+7
3 answers

You can read the Shibboleth attributes sent by the IdP using the Request.ServerVariables object:

 string server = Request.ServerVariables["HTTP_FIRSTNAME"]; 

See this one if you want to list and print all attributes in a session.

Remember to configure the Shibboleth attribute-map.xml to handle custom attributes that your IdP can send:

 <Attribute name="firstname" id="firstname" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
     <AttributeDecoder xsi:type="StringAttributeDecoder"/>
 </Attribute>
+7
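Added example, not part of the answer above or of Shibboleth itself: a helper that reads one attribute from the server variables and returns all of its values, since the SP packs multiple values into one string separated by `;` (with `\;` for a literal semicolon). The class name, the `VariableName` mapping from attribute id to `HTTP_...` name, and the sample values are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Text;

public static class ShibbolethAttributes   // hypothetical helper, not a Shibboleth API
{
    // Assumption: attribute id "persistent-id" is exposed as server variable
    // "HTTP_PERSISTENT_ID" (HTTP_ prefix, upper case, '-' replaced by '_').
    public static string VariableName(string attributeId)
    {
        return "HTTP_" + attributeId.ToUpperInvariant().Replace('-', '_');
    }

    // Returns every value of one attribute; an absent attribute yields an empty list.
    // Values are split on ';' and "\;" is unescaped to a literal semicolon.
    public static IList<string> Read(NameValueCollection serverVariables, string attributeId)
    {
        var values = new List<string>();
        string raw = serverVariables[VariableName(attributeId)];
        if (string.IsNullOrEmpty(raw)) return values;
        var current = new StringBuilder();
        for (int i = 0; i < raw.Length; i++)
        {
            if (raw[i] == '\\' && i + 1 < raw.Length && raw[i + 1] == ';')
            { current.Append(';'); i++; }                          // escaped separator
            else if (raw[i] == ';')
            { values.Add(current.ToString()); current.Clear(); }   // end of one value
            else current.Append(raw[i]);
        }
        values.Add(current.ToString());
        return values;
    }

    public static void Main()
    {
        // Constructed sample standing in for Request.ServerVariables.
        var vars = new NameValueCollection
        {
            { "HTTP_EPPN", "alice@example.org" },
            { "HTTP_AFFILIATION", "member@example.org;staff@example.org" }
        };
        Console.WriteLine(string.Join(" | ", Read(vars, "affiliation")));
        Console.WriteLine(Read(vars, "persistent-id").Count);  // attribute not in the sample
    }
}
```

In an MVC controller the call would be `ShibbolethAttributes.Read(Request.ServerVariables, "eppn")`.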

You can also set showAttributeValues to true in the session handler in shibboleth2.xml. Please note that this is not recommended in a production environment. Then restart the Shibboleth service; the Attributes section of the Session page will contain the actual values.

 <!-- Session diagnostic service. -->
 <Handler type="Session" Location="/Session" showAttributeValues="true"/>
+5

Since you mentioned Fiddler, I will go ahead and add (years after the question) that there is a really nice Firefox browser add-on called "SAML tracer" (just search for "saml tracer" and you will find the Mozilla add-ons page for it). After installing it in Firefox, you can open its window and display all HTTP requests and responses. If there is SAML in one of them, it indicates that with a "SAML" tag next to the URL; you can then click on that URL, select the "SAML" tab and read all the SAML that was sent between the IdP or SP and your browser. This is a really great tool for troubleshooting network problems, so you don't need to mess with anything on the SP and/or IdP (or even have access to them).

+1
