
Shibboleth IDP and SP are talking great and the data I need is in the SAML.

What configuration is required for allowing Shibboleth to return an HTTP header with the info I need (yes, I know it's a bad idea, but I don't have a choice)?

I'm running SP 2.6 on IIS and need an HTTP header with the username from the Shibboleth 3 IdP response.

Here's what I've tried for attribute-map.xml:

<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="netId" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

And it provides me with this data in the SAML:

<saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="eduPersonPrincipalName"
                     Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xsd:string">me@school.edu</saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>

Due to the software I'm working with I need the username in the HTTP Header.

Eric Nord

1 Answer

You can't have the Identity Provider release an HTTP header. That is not SAML Web Browser SSO profile.

You already have the middleware you are talking about: it's the Shibboleth Service Provider. If your attribute-map.xml file is correct, you will be able to access the attributes from your application logic either as environment variables or HTTP headers, as described here.

An example for how an attribute is mapped to an HTTP header follows:

Let's say you

  • release the attribute with SAML name urn:oid:1.3.6.1.4.1.5923.1.1.1.6 from the IdP and that

  • in your SP attribute-map.xml you have an attribute decoder like:

<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="netId" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

Taking into consideration that:

When using headers, the main difference is that instead of using the names defined via the mapping process, the application must prefix them with "HTTP_", and in most tools upcase the rest of the name as well.

The HTTP header will eventually be HTTP_NETID.

As to how you can read the header values, as described in this thread:

To iterate through all that are passed:

foreach (string key in Request.ServerVariables.AllKeys)

To reference a specific value:

value = Request.ServerVariables[key];

Yiannis Kakavas
    Can you share a specific example of attribute-map.xml that maps the variable to an http header? – Eric Nord Oct 18 '16 at 21:00
  • `Request.ServerVariables` is not `Request.Headers` - and newer versions of Shibboleth SP don't release attributes as http headers by default. You will find them in `ServerVariables` instead. You also can map field/s to `Request.ServerVariables["REMOTE_USER"]` easily now. see https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072162/NativeSPAttributeAccess (although the docs may be incorrect - if multiple fields get mapped to REMOTE_USER it may join the values with `;` instead of picking only the first value.) – nothingisnecessary Apr 25 '23 at 21:10
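The naming rule quoted in the answer (mapped id, prefixed with HTTP_ and upcased) and the multi-value behaviour raised in the last comment are easy to get wrong in application code. The following is an added example, not code from the question, the answer, or the Shibboleth project: it parses the attribute-map.xml entry from the question, derives the server-variable name the SP would expose, and reads the value from a constructed dictionary standing in for Request.ServerVariables. The root element and namespace of attribute-map.xml and the backslash escape for literal semicolons follow the SP documentation; the sample server variables are constructed, and the plain-name lookup (netId rather than HTTP_NETID) is the newer-SP behaviour the comment describes. The code reads only what the SP populated and never consults client-supplied request headers, which is the property you want when the application trusts the header to identify the user.

```python
"""Added example: map a Shibboleth SP attribute id to its server-variable /
HTTP_ header name and read it back, handling multi-valued attributes.
Not code from the Shibboleth project; sample data is constructed."""
import xml.etree.ElementTree as ET

ATTRIBUTE_MAP_NS = "urn:mace:shibboleth:2.0:attribute-map"

# Constructed: the decoder from the question, wrapped in the <Attributes>
# root element that a real attribute-map.xml uses.
ATTRIBUTE_MAP_XML = f"""<Attributes xmlns="{ATTRIBUTE_MAP_NS}">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="netId"
             nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
</Attributes>"""

# Constructed stand-in for Request.ServerVariables after the SP has processed
# the assertion shown in the question. Only SP-populated entries belong here;
# client-sent request headers are deliberately not part of this dictionary.
SAMPLE_SERVER_VARIABLES = {
    "netId": "me@school.edu",          # newer SP: plain mapped id
    "HTTP_NETID": "me@school.edu",     # legacy header-style name
    "Shib-Session-ID": "_constructed-session-id",
}


def load_attribute_ids(xml_text):
    """Return {SAML attribute name: mapped id} from an attribute-map.xml body."""
    root = ET.fromstring(xml_text)
    mapping = {}
    for attr in root.iter(f"{{{ATTRIBUTE_MAP_NS}}}Attribute"):
        mapping[attr.get("name")] = attr.get("id")
    return mapping


def header_variable_name(attr_id):
    """Apply the rule quoted in the answer: prefix with HTTP_, upcase the rest."""
    return "HTTP_" + attr_id.upper()


def split_values(raw):
    """Split an SP multi-valued attribute on ';', honouring the '\\;' escape
    the SP uses for a literal semicolon inside a value."""
    values, current, i = [], [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw) and raw[i + 1] == ";":
            current.append(";")          # escaped literal semicolon
            i += 2
            continue
        if ch == ";":
            values.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    values.append("".join(current))
    return [v for v in values if v]      # drop empty fragments


def read_attribute(server_variables, attr_id):
    """Return the list of values the SP exposed for a mapped attribute id.

    Looks up the plain id first (newer SP on IIS), then the HTTP_-prefixed
    form the answer describes. Returns [] when the SP did not set either,
    so callers cannot mistake an absent attribute for an empty user name.
    """
    for name in (attr_id, header_variable_name(attr_id)):
        raw = server_variables.get(name)
        if raw:
            return split_values(raw)
    return []


def main():
    ids = load_attribute_ids(ATTRIBUTE_MAP_XML)
    for saml_name, attr_id in ids.items():
        print(f"{saml_name} -> id={attr_id} header={header_variable_name(attr_id)}")
        print("  values:", read_attribute(SAMPLE_SERVER_VARIABLES, attr_id))


if __name__ == "__main__":
    main()
```

Usage: `python sp_attributes.py` prints the mapping derived from the question's decoder and the value read from the constructed server variables. In a real ASP.NET application the dictionary is `Request.ServerVariables`; the point of keeping the lookup separate from `Request.Headers` is that the SP, not the browser, is the only party that should be able to set the user's identity.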