NetID Login Service - Server variables and mapped attributes

Once you've set up Shibboleth authentication for your web application, you can easily check which mapped Shibboleth attributes your application is receiving and the full list of server variables available to your application.

Attributes

Once you've authenticated into your web application and established a Shibboleth session, you can use the Shibboleth handler's Session property to get a summary of the values for the Session. If your application were example.wisc.edu, you would access the Session info like this: https://example.wisc.edu/Shibboleth.sso/Session. By default, this displays the number of values the session holds for each attribute, but not the actual values. To show the value of each attribute, configure the Session handler in shibboleth2.xml so that showAttributeValues is true, as follows:


<Handler type="Session" Location="/Session" showAttributeValues="true"/>

HTTP Header Size Limit

In some cases the size of an HTTP request header sent to your web server may exceed the server's default limit. Header size grows with the number of SAML attributes your Shibboleth SP exports as headers and with any headers the client browser adds on its own. When a request exceeds the limit, users trying to reach your site receive an HTTP 400 error. Given the ever-growing size of HTTP headers, we recommend raising the limit; server-specific details follow:

Apache: The default per-header size limit is 8 KB (8190 bytes). To increase it, set the LimitRequestFieldSize directive for the virtual host or other applicable scope in the Apache configuration: https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfieldsize

IIS: Set MaxFieldLength and MaxRequestBytes registry entries so that the user's request headers don't exceed these values: https://learn.microsoft.com/en-US/troubleshoot/developer/webapps/iis/www-administration-management/http-bad-request-response-kerberos
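To see how close the headers your SP exports come to the limit described above, the following CGI-style helper (an added example, not part of the original article) reads NAME=VALUE lines as produced by /bin/env in a Shibboleth-protected directory, converts the CGI names back to header form, and reports each header's on-the-wire size against a limit that defaults to Apache's 8190 bytes. The sample input in the usage is constructed.

```shell
#!/bin/sh
# shib_header_report LIMIT
# Reads NAME=VALUE environment lines on stdin (as /bin/env prints them),
# keeps the HTTP_* ones, rebuilds the header name (HTTP_SHIB_FOO -> SHIB-FOO)
# and prints the byte size of "Name: value\r\n" per header plus a total.
# Exit status is 1 if any single header exceeds LIMIT (Apache default 8190).
shib_header_report() {
  limit="${1:-8190}"
  awk -v limit="$limit" -F= '
    /^HTTP_/ {
      name = substr($1, 6)                 # drop the HTTP_ prefix
      gsub(/_/, "-", name)                 # CGI underscores were header dashes
      value = substr($0, length($1) + 2)   # everything after the first "="
      size = length(name) + 2 + length(value) + 2   # "Name: value\r\n"
      total += size
      if (size > limit) { over++; status = "OVER" } else { status = "ok" }
      printf "%-8s %6d  %s\n", status, size, name
    }
    END {
      printf "total    %6d  (%d header(s) over %d bytes)\n", total, over, limit
      exit (over > 0)
    }'
}

# Usage inside a Shibboleth-protected CGI: /bin/env | shib_header_report 8190
# Constructed sample input for a quick offline run:
printf 'HTTP_SHIB_IDENTITY_PROVIDER=https://idp.example.edu/shibboleth\nHTTP_HOST=example.wisc.edu\nPATH=/usr/bin\n' \
  | shib_header_report 8190
```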

Server Variables

To see the full list of server variables available to your application, place a dynamic page inside one of your application's directories that requires Shibboleth authentication and then access the page. These pages print every variable the server exposes, not just the Shibboleth attributes, so remove them once you have the information you need.

PHP

If you have PHP installed on your server you can use the following:

<html>
<head>
<title>Server Variables</title>
</head>
<body>

<?php
// Print every server variable. The values come from the request and from the
// Shibboleth SP, so HTML-escape them before writing them into the page.
foreach ($_SERVER as $key_name => $key_value) {
    print htmlspecialchars($key_name, ENT_QUOTES, 'UTF-8') . " = "
        . htmlspecialchars((string) $key_value, ENT_QUOTES, 'UTF-8') . "<br>";
}
?>
</body>
</html>

ASP

For Windows, you can use an ASP page containing the following:

<html>

<head>
<title>Shibboleth Attributes - <%= Request.ServerVariables("SERVER_NAME") %></title>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
<script language="JavaScript" type="text/javascript">
<!--
function decodeAttributeResponse() {
var textarea = document.getElementById("attributeResponseArea");
var base64str = textarea.value;
var decodedMessage = decode64(base64str);
textarea.value = tidyXml(decodedMessage);
textarea.rows = 15;
document.getElementById("decodeButtonBlock").style.display='none';
}

function tidyXml(xmlMessage) {
//put newline before closing tags of values inside xml blocks
xmlMessage = xmlMessage.replace(/([^>])</g,"$1\n<");
//put newline after every tag
xmlMessage = xmlMessage.replace(/>/g,">\n");
var xmlMessageArray = xmlMessage.split("\n");
xmlMessage="";
var nestedLevel=0;
for (var n=0; n < xmlMessageArray.length; n++) {
if ( xmlMessageArray[n].search(/<\//) > -1 ) {
nestedLevel--;
}
for (var i=0; i<nestedLevel; i++) {
xmlMessage+=" ";
}
xmlMessage+=xmlMessageArray[n]+"\n";
if ( xmlMessageArray[n].search(/\/>/) > -1 ) {
//level status the same
}
else if ( ( xmlMessageArray[n].search(/<\//) < 0 ) && (xmlMessageArray[n].search(/</) > -1) ) {
//only increment if this was a tag, not if it is a value
nestedLevel++;
}
}
return xmlMessage;
}

var base64Key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
function decode64(encodedString) {
var decodedMessage = "";
var char1, char2, char3;
var enc1, enc2, enc3, enc4;
var i = 0;

//remove all characters that are not A-Z, a-z, 0-9, +, /, or =
encodedString = encodedString.replace(/[^A-Za-z0-9\+\/\=]/g, "");
do {
enc1 = base64Key.indexOf(encodedString.charAt(i++));
enc2 = base64Key.indexOf(encodedString.charAt(i++));
enc3 = base64Key.indexOf(encodedString.charAt(i++));
enc4 = base64Key.indexOf(encodedString.charAt(i++));

char1 = (enc1 << 2) | (enc2 >> 4);
char2 = ((enc2 & 15) << 4) | (enc3 >> 2);
char3 = ((enc3 & 3) << 6) | enc4;

decodedMessage = decodedMessage + String.fromCharCode(char1);
if (enc3 != 64) {
decodedMessage = decodedMessage + String.fromCharCode(char2);
}
if (enc4 != 64) {
decodedMessage = decodedMessage + String.fromCharCode(char3);
}
} while (i < encodedString.length);
return decodedMessage;
}
// -->

</script>
</head>


<body>

<b>-all SHIB headers-</b> (<code>HTTP_SHIB_ATTRIBUTES</code> is not shown in this list)

<table>
<% For Each strKey In Request.ServerVariables %>
<% ' Only show the SHIB-* headers here; the raw assertion gets its own box below.
   ' Server.HTMLEncode keeps attribute values from being rendered as markup. %>
<% If InStr(1, strKey, "SHIB", 1) > 0 And strKey <> "HTTP_SHIB_ATTRIBUTES" Then %>
<tr>
<td><%= Server.HTMLEncode(strKey) %></td>
<td><%= Server.HTMLEncode(Request.ServerVariables(strKey)) %></td>
</tr>

<% End If %>
<% Next %>
<tr><td>(REMOTE_USER)</td><td><%= Server.HTMLEncode(Request.ServerVariables("REMOTE_USER")) %></td></tr>
<tr><td>(HTTP_REMOTE_USER)</td><td><%= Server.HTMLEncode(Request.ServerVariables("HTTP_REMOTE_USER")) %></td></tr>

</table>
<br/>

attribute response from the IdP (<code>HTTP_SHIB_ATTRIBUTES</code>):<br/>
<textarea id="attributeResponseArea" onclick="this.select()" rows="1" cols="130"><%= Server.HTMLEncode(Request.ServerVariables("HTTP_SHIB_ATTRIBUTES")) %></textarea><br/>

<span id="decodeButtonBlock"><input type="button" id="decodeButton" value="decode base64 encoded attribute response using JavaScript" onClick="decodeAttributeResponse();"><br/></span>

<br/>

<small>
notes:<br/>
The AAP throws away invalid values (e.g. an unscopedAffiliation with the value "myBoss@&lt;yourdomain&gt;", or a scoped value whose scope fails the scope check)<br/>

The raw attribute response (<code>HTTP_SHIB_ATTRIBUTES</code>) is NOT filtered by the AAP and should therefore be disabled for most applications (<code>exportAssertion=false</code>).<br/>
</small>


<br/>

<hr/>
<br/>


<table>
<% ' Full dump of every server variable, HTML-encoded for safe display. %>
<% For Each strKey In Request.ServerVariables %>
<tr>
<td><%= Server.HTMLEncode(strKey) %></td>
<td><%= Server.HTMLEncode(Request.ServerVariables(strKey)) %></td>
</tr>
<% Next %>
</table>

</body>
</html>

Shell script

For Linux/Apache, you can place the following Shell script in your cgi-bin directory:


#!/bin/sh
echo "Content-type: text/html"
echo ""
/bin/cat <<EOM
<HTML>
<BODY text="#000000">
<PRE>
EOM

# Dump the CGI environment, escaping characters that would otherwise be
# interpreted as HTML (in sed replacements a bare & means the matched text).
/bin/env | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'

/bin/cat <<EOM
</PRE>
</BODY>
</HTML>
EOM

Perl

If you have Perl installed, you can use the following:

#!/usr/bin/perl
use strict;
use warnings;

# Minimal HTML escaping so attribute values cannot break out of the <pre> block
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    return $s;
}

print "Content-type: text/html\n\n";
print "<pre>\n";

foreach my $key (sort keys %ENV) {
    print html_escape($key), " = ", html_escape($ENV{$key}), "\n";
}
print "</pre>\n";


Keywords: netid login service webiso server variables mapped attribute php asp shibboleth shib http header
Doc ID: 20432
Owner: MST Support
Group: Identity and Access Management
Created: 2011-09-26 15:51:46
Updated: 2023-02-16 10:26:54
Sites: DoIT Help Desk, Identity and Access Management