NetID Login Service - Server variables and mapped attributes

Once you've set up Shibboleth authentication for your web application, you can easily check which mapped Shibboleth attributes your application is receiving and the full list of server variables available to your application.


Once you've authenticated into your web application and established a Shibboleth session, you can use the Shibboleth handler's Session property to get a summary of the values for the Session.  If your application were, you would access the Session info like this: By default, this will display the number of values the session has for each attribute, but it will not show the actual value of the attribute. To show the value of each attribute, configure the Session handler in Shibboleth2.xml such that showAttributeValues is true, as follows:

<Handler type="Session" Location="/Session" showAttributeValues="true"/>
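To check which Session handlers in a configuration have value display switched on (for example, after a debugging session), the following added example parses the file and reports each handler's `showAttributeValues` state. It is not part of the original document. The sample configuration, entity ID and function names are constructed for illustration, and elements are matched by local name so the namespace version does not matter.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration (assumption: a real shibboleth2.xml is larger).
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600">
      <Handler type="Status" Location="/Status"/>
      <Handler type="Session" Location="/Session" showAttributeValues="true"/>
    </Sessions>
    <ApplicationOverride id="admin">
      <Sessions lifetime="28800" timeout="3600">
        <Handler type="Session" Location="/Session" showAttributeValues="false"/>
        <Handler type="Session" Location="/Debug"/>
      </Sessions>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def session_handlers(xml_text):
    """Return (application, Location, values_shown) for every Session handler."""
    found = []

    def walk(elem, app_id):
        name = local_name(elem.tag)
        if name == "ApplicationOverride":
            app_id = elem.get("id", "?")
        if name == "Handler" and elem.get("type") == "Session":
            # An absent attribute means the default: value counts only, no values.
            raw = elem.get("showAttributeValues", "false").strip().lower()
            found.append((app_id, elem.get("Location"), raw in ("true", "1")))
        for child in elem:
            walk(child, app_id)

    walk(ET.fromstring(xml_text), "default")
    return found


def handlers_showing_values(xml_text):
    """Only the handlers that display attribute values."""
    return [(app, loc) for app, loc, shown in session_handlers(xml_text) if shown]


if __name__ == "__main__":
    for app, loc, shown in session_handlers(SAMPLE_CONFIG):
        print(f"{app:8} {str(loc):10} showAttributeValues={'true' if shown else 'false'}")
```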

Server Variables

To see the full list of server variables available to your application, place a dynamic page inside one of your application's directories that requires Shibboleth authentication and then access the page.


If you have PHP installed on your server you can use the following:

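<title>Server Variables</title>
<?php
// Print every server variable. Values are HTML-escaped because request
// headers in $_SERVER are supplied by the client.
foreach ($_SERVER as $key_name => $key_value) {
    print htmlspecialchars($key_name) . " = " . htmlspecialchars(print_r($key_value, true)) . "<br>";
}
?>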


For Windows, you can use an ASP page containing the following:


<html>
<head>
<title>Shibboleth Attributes - <%= Server.HTMLEncode(Request.ServerVariables("SERVER_NAME")) %></title>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<script language="JavaScript" type="text/JavaScript">
<!--
function decodeAttributeResponse() {
    var textarea = document.getElementById("attributeResponseArea");
    var base64str = textarea.value;
    var decodedMessage = decode64(base64str);
    textarea.value = tidyXml(decodedMessage);
    textarea.rows = 15;
}

function tidyXml(xmlMessage) {
    //put newline before closing tags of values inside xml blocks
    xmlMessage = xmlMessage.replace(/([^>])</g,"$1\n<");
    //put newline after every tag
    xmlMessage = xmlMessage.replace(/>/g,">\n");
    var xmlMessageArray = xmlMessage.split("\n");
    //rebuild the message line by line with indentation
    xmlMessage = "";
    var nestedLevel=0;
    for (var n=0; n < xmlMessageArray.length; n++) {
        //a closing tag ends the current nesting level
        if ( xmlMessageArray[n].search(/<\//) > -1 ) {
            nestedLevel--;
        }
        for (var i=0; i<nestedLevel; i++) {
            xmlMessage+=" ";
        }
        xmlMessage+=xmlMessageArray[n]+"\n";
        if ( xmlMessageArray[n].search(/\/>/) > -1 ) {
            //level status the same
        }
        else if ( ( xmlMessageArray[n].search(/<\//) < 0 ) && (xmlMessageArray[n].search(/</) > -1) ) {
            //only increment if this was a tag, not if it is a value
            nestedLevel++;
        }
    }
    return xmlMessage;
}

var base64Key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
function decode64(encodedString) {
    var decodedMessage = "";
    var char1, char2, char3;
    var enc1, enc2, enc3, enc4;
    var i = 0;

    //remove all characters that are not A-Z, a-z, 0-9, +, /, or =
    encodedString = encodedString.replace(/[^A-Za-z0-9\+\/\=]/g, "");
    do {
        enc1 = base64Key.indexOf(encodedString.charAt(i++));
        enc2 = base64Key.indexOf(encodedString.charAt(i++));
        enc3 = base64Key.indexOf(encodedString.charAt(i++));
        enc4 = base64Key.indexOf(encodedString.charAt(i++));

        char1 = (enc1 << 2) | (enc2 >> 4);
        char2 = ((enc2 & 15) << 4) | (enc3 >> 2);
        char3 = ((enc3 & 3) << 6) | enc4;

        decodedMessage = decodedMessage + String.fromCharCode(char1);
        //index 64 is the "=" padding character
        if (enc3 != 64) {
            decodedMessage = decodedMessage + String.fromCharCode(char2);
        }
        if (enc4 != 64) {
            decodedMessage = decodedMessage + String.fromCharCode(char3);
        }
    } while (i < encodedString.length);
    return decodedMessage;
}
// -->
</script>
</head>
<body>

<b>-all SHIB headers-</b> (<code>HTTP_SHIB_ATTRIBUTES</code> is not shown in this list)
<table>
<% ' Values are HTML-encoded because request headers are supplied by the client %>
<% For Each strKey In Request.ServerVariables %>
<% If InStr(1, strKey, "SHIB", 1) > 0 And strKey <> "HTTP_SHIB_ATTRIBUTES" Then %>
<tr>
<td><%= Server.HTMLEncode(strKey) %></td>
<td><%= Server.HTMLEncode(Request.ServerVariables(strKey)) %></td>
</tr>
<% End If %>
<% Next %>
<tr><td>(REMOTE_USER)</td><td><%= Server.HTMLEncode(Request.ServerVariables("REMOTE_USER")) %></td></tr>
<tr><td>(HTTP_REMOTE_USER)</td><td><%= Server.HTMLEncode(Request.ServerVariables("HTTP_REMOTE_USER")) %></td></tr>
</table>

attribute response from the IdP (<code>HTTP_SHIB_ATTRIBUTES</code>):<br/>
<textarea id="attributeResponseArea" onclick="select()" rows="1" cols="130"><%= Server.HTMLEncode(Request.ServerVariables("HTTP_SHIB_ATTRIBUTES")) %></textarea><br/>

<span id="decodeButtonBlock"><input type="button" id="decodeButton" value="decode base64 encoded attribute response using JavaScript" onClick="decodeAttributeResponse();"><br/></span>

The AAP throws away invalid values (eg an unscopedAffiliation of value "myBoss@&lt;yourdomain&gt;" or a value with an invalid scope which scope is checked)<br/>

The raw attribute response (<code>HTTP_SHIB_ATTRIBUTES</code>) is NOT filtered by the AAP and should therefore be disabled for most applications (<code>exportAssertion=false</code>).<br/>

<table>
<% For Each strKey In Request.ServerVariables %>
<tr>
<td><%= Server.HTMLEncode(strKey) %></td>
<td><%= Server.HTMLEncode(Request.ServerVariables(strKey)) %></td>
</tr>
<% Next %>
</table>
</body>
</html>


Shell script

For Linux/Apache, you can place the following Shell script in your cgi-bin directory:

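#!/bin/sh
echo Content-type: text/html
echo ""
/bin/cat <<EOM
<BODY text="#000000"><PRE>
EOM
# Assumed completion (the script is cut off on this page after the BODY tag):
# dump the CGI environment, HTML-escaped because request headers are client-supplied.
/usr/bin/env | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
echo "</PRE></BODY>"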



If you have Perl installed, you can use the following:


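#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "<pre>\n";

# Print each environment variable; the value is HTML-escaped because
# request headers are supplied by the client.
foreach $key (sort keys(%ENV)) {
    (my $value = $ENV{$key}) =~ s/([&<>"])/'&#' . ord($1) . ';'/ge;
    print "$key = $value<p>";
}
print "</pre>\n";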

Keywords: netid login service webiso server variables mapped attribute php asp shibboleth shib
Doc ID: 20432
Owner: MST Support
Group: Identity and Access Management
Created: 2011-09-26 14:51 CST
Updated: 2022-05-25 14:15 CST
Sites: DoIT Help Desk, Identity and Access Management