IAM in Service Catalog
This document describes how the REMOTE_USER and HTTP_REMOTEUSER server environment variables are populated by a Service Provider (SP).

Most attributes released from an Identity Provider (IdP) to an SP need to be explicitly mapped to server environment variables in attribute-map.xml before they are available for use within a web application. The REMOTE_USER and HTTP_REMOTEUSER variables are populated by a different mechanism.

REMOTE_USER is used on web servers that consume attributes from server variables, and HTTP_REMOTEUSER is used on web servers that consume attributes from HTTP headers. Server variables have always been the default and recommended configuration for Apache web servers. For Shibboleth SP v2.x on IIS, HTTP headers were the only method available. Beginning with Shibboleth SP v3.x on IIS, and the new native IIS module that ships with it, the default is now to use server variables, although it can be configured to use HTTP headers (not recommended). An updated version of the IIS ISAPI module also ships with v3, and it only works with HTTP headers (not recommended). For more information on this topic, see the IIS page on the Shibboleth project's wiki.
For an example SP with an entity ID of
shibboleth2.xml file looks like so:
This configuration specifies a space-delimited list of attribute IDs/aliases to look for in a session's cache of attributes. The first one found with a value is set as REMOTE_USER or HTTP_REMOTEUSER, depending on your web server platform. Note that eppn, persistent-id and targeted-id are predefined in attribute-map.xml so that the SP understands what value to store in REMOTE_USER.
Since eppn is released by the UW IdP to any SPs in the uw.edu DNS domains, the REMOTE_USER/HTTP_REMOTEUSER variable is normally populated with the eppn value. For more information on eppn, see Guide to NameID Formats and Attributes Available from the UW IdP. If eppn is the only attribute you need for your application, you won't need to configure anything in your attribute-map.xml file. If your SP isn't in the uw.edu DNS domains and you are expecting to get eppn in REMOTE_USER or HTTP_REMOTEUSER, you will need to request eppn from the UW IdP.
You can modify which attribute is used to populate REMOTE_USER or HTTP_REMOTEUSER by editing your ApplicationDefaults. For example, if you wanted the UW NetID to be used instead of eppn, use the following:

In order for this to work, you will first need to configure an attribute mapping for "uwnetid", since a default SP install doesn't have information about this attribute. See Configure a Service Provider to Use Attributes for help.
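As an added illustration, not the page's own configuration snippets, the following shows the shibboleth2.xml ApplicationDefaults setting described above (the default eppn/persistent-id/targeted-id list and the UW NetID variant) together with the attribute-map.xml entries it relies on. The entity ID and the SAML attribute name for uwnetid are placeholders; the real uwnetid attribute name must come from the UW IdP's attribute documentation.

```xml
<!-- shibboleth2.xml (excerpt). The SP walks the REMOTE_USER list left to right
     and exposes the first attribute that has a value as REMOTE_USER (server
     variable mode) or HTTP_REMOTEUSER (header mode). In header mode the
     application is trusting a header that the SP must first strip from the
     client request, which is why server variables are the preferred mode.
     The entityID below is a placeholder. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id">
    <!-- Sessions, Errors, MetadataProvider, etc. omitted for brevity. -->
</ApplicationDefaults>

<!-- UW NetID variant: replace the attribute value above with
     REMOTE_USER="uwnetid"
     (or REMOTE_USER="uwnetid eppn" to fall back to eppn when no NetID
     attribute is present in the session). -->

<!-- attribute-map.xml (excerpt). The eppn and persistent-id entries are the
     ones shipped with a default SP install; the uwnetid entry is the mapping a
     default install lacks and must be added. The SAML attribute name for
     uwnetid is a placeholder. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- eduPersonPrincipalName, decoded as a scoped value (user@scope). -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>

    <!-- Persistent NameID, formatted as IdP!SP!value so it is unique per SP. -->
    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
               id="persistent-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder"
                          formatter="$NameQualifier!$SPNameQualifier!$Name"
                          defaultQualifiers="true"/>
    </Attribute>

    <!-- Placeholder: substitute the attribute name the UW IdP actually releases. -->
    <Attribute name="PLACEHOLDER-UWNETID-SAML-ATTRIBUTE-NAME" id="uwnetid"/>

</Attributes>
```

After changing either file, restart or reload the shibd daemon and confirm the new value with the SP's Session handler (the /Shibboleth.sso/Session endpoint) before relying on it in the application.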