Shibboleth - How to read attributes?
I'm successfully logging into my Service Provider test page with Shibboleth. I then go to the /Shibboleth.sso/Session page and I see the following:

Attributes
affiliation: 1 value(s)
entitlement: 1 value(s)
eppn: 1 value(s)
persistent-id: 1 value(s)
unscoped-affiliation: 1 value(s)

My question is... how do I go about reading these values? I don't see them in the HTTP Request header in Fiddler.

My web application will be implemented in ASP.NET MVC 4 (C#).

Gony answered 29/8, 2013 at 0:31 Comment(0)
C
10

You can read Shibboleth SAML attributes sent by the IdP using the Request.ServerVariables object:

string server = Request.ServerVariables["HTTP_FIRSTNAME"];

See this if you want to list and print all the attributes in session.

Remember to configure Shibboleth attribute-map.xml to handle the custom attributes your IdP may send:

<Attribute name="firstname" id="firstname" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder xsi:type="StringAttributeDecoder"/>
</Attribute>
Caulis answered 29/8, 2013 at 9:29 Comment(0)
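
An added example (not part of the original answer): a C# helper that reads an attribute by its attribute-map.xml id from Request.ServerVariables and splits multi-valued attributes such as entitlement. It assumes the SP joins multiple values with ';' and escapes a literal ';' as '\;'; the class name ShibAttributes and the sample values are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Text;

public static class ShibAttributes
{
    // Split a raw SP value: ';' separates values, "\;" is a literal semicolon.
    public static List<string> SplitValues(string raw)
    {
        var values = new List<string>();
        if (string.IsNullOrEmpty(raw)) return values;   // attribute not released
        var current = new StringBuilder();
        for (int i = 0; i < raw.Length; i++)
        {
            char c = raw[i];
            if (c == '\\' && i + 1 < raw.Length && raw[i + 1] == ';')
            {
                current.Append(';');   // escaped separator stays inside the value
                i++;
            }
            else if (c == ';') { values.Add(current.ToString()); current.Clear(); }
            else { current.Append(c); }
        }
        values.Add(current.ToString());
        return values;
    }

    // Look up an attribute by its attribute-map.xml id: first as a server
    // variable of that name, then as the IIS form of a request header
    // (HTTP_ prefix, upper case, '-' replaced by '_').
    public static List<string> Read(NameValueCollection vars, string id)
    {
        string raw = vars[id] ?? vars["HTTP_" + id.ToUpperInvariant().Replace('-', '_')];
        return SplitValues(raw);
    }

    public static void Main()
    {
        // Constructed sample standing in for Request.ServerVariables.
        var vars = new NameValueCollection
        {
            { "HTTP_FIRSTNAME", "Ada" },
            { "HTTP_ENTITLEMENT", "urn:example:a\\;b;urn:example:c" }
        };
        Console.WriteLine(string.Join(" | ", Read(vars, "firstname")));
        Console.WriteLine(string.Join(" | ", Read(vars, "entitlement")));
        Console.WriteLine(Read(vars, "eppn").Count);   // absent attribute: empty list
    }
}
```

In a controller, pass Request.ServerVariables as the first argument to Read.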
I
12

You can also set showAttributeValues to true in the Session handler in shibboleth2.xml. Note, this is not recommended in a production environment. Then restart the shibboleth service; the Attributes section of the Session page will include the actual values.

<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
Iconoclast answered 1/7, 2015 at 23:4 Comment(0)
A
1

since you mentioned fiddler, i'll go ahead and add (years after the question) that there is a really nice firefox browser add-on called "SAML tracer". (just search for "saml tracer" and you'll find the mozilla addons page for it.) once installed in firefox, you can open its window and it will show all http requests and responses. if anything has saml in it, it will indicate that with a "SAML" tag next to the url; then you can click on that url, choose the "SAML" tab, and read all of the saml that was sent between the idp or sp and your browser. it's a really great in-line troubleshooting tool, so you don't have to mess with anything on the sp and/or idp (or even have access to them).

Adornment answered 24/7, 2015 at 17:58 Comment(0)
