What you describe is correct regarding how eppn is split on the @ character. It
is possible to modify the shibauth/index.php script to use just
$_SERVER['mail']; you will need to make a good number of modifications
throughout the file, though.

But I would really recommend asking the admin of your IdP to release the
appropriate set of attributes to the SP running the VCL. That includes at a
minimum: eppn, affiliation and mail, plus either sn and givenName or
displayName. The IdP admin should be able to set up an AttributeFilterPolicy
specifically for your application so it won't affect which attributes are
released to any other SP.

I would also be cautious about using the mail value in place of eppn -- at our
institution, at least, I cannot rely on any necessary correspondence between
the two (even though in most cases they are equivalent).

On Oct 14, 2011, at 11:50 AM, Yannick Charbonneau wrote:
> Here is what I’m trying to do;
> (I know, it’s ugly)
>
> Our IDP doesn’t return eppn, but returns “mail” (email address of
> authenticated user).
>
> I’ve modified the code (shibauth/index.php) to use $_SERVER['mail'] as
> opposed to $_SERVER['eppn']. This is the only value I’m trying to get in
> shibauth/index.php, if I understand the code, it splits eppn in 2 using the @
> and puts the first part in $username before inserting into user table. I get
> users with names of “@”, which causes all sorts of problems.
>
> My test php script displays $_SERVER['mail'] with the correct value in it,
> however, vcl does NOT appear to get this value.
>
> From: Aaron Coburn [mailto:acob...@amherst.edu]
> Sent: Friday, October 14, 2011 11:42 AM
> To: firstname.lastname@example.org
> Subject: Re: $_SERVER variables for use in Shibauth
>
> The shib-related $_SERVER vars will be empty outside the shib-protected
> directory (/shibauth). Are they empty in the /shibauth directory, too (i.e.
> the same directory you put your test PHP page)?
>
> On Oct 14, 2011, at 11:34 AM, Yannick Charbonneau wrote:
>
> Hi All,
>
> Still working on my Shibboleth integration.
>
> For some unknown reason within vcl my $_SERVER variables are empty. I have a
> php test page which displays the values and I can see them. But within VCL,
> Anybody seen this before?
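
An added example (not VCL's shibauth/index.php and not code from anyone in this thread): a PHP check that refuses to derive a username when the scoped attribute is missing or malformed, so an empty eppn cannot become a user named "@". The function name split_scoped_attribute and all sample values are constructed for illustration.

```php
<?php
// Added illustration; not part of VCL. Names and sample data are constructed.

/**
 * Split a scoped attribute of the form user@scope into [user, scope].
 * Returns null when the attribute is absent, empty, multi-valued or
 * does not contain exactly one '@' with non-empty text on both sides.
 */
function split_scoped_attribute(array $server, string $name): ?array
{
    $value = isset($server[$name]) ? trim((string) $server[$name]) : '';
    if ($value === '') {
        // Attribute not released by the IdP, or the script is running
        // outside the Shibboleth-protected location.
        return null;
    }
    if (strpos($value, ';') !== false) {
        // The Shibboleth SP joins multiple values with ';'. An identifier
        // used as an account key must be single-valued.
        return null;
    }
    $parts = explode('@', $value);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;
    }
    return $parts;
}

// Constructed stand-ins for $_SERVER as seen by the login script.
$samples = [
    'eppn released'     => ['eppn' => 'jdoe@example.edu'],
    'only mail present' => ['mail' => 'jane.doe@mail.example.edu'],
    'empty eppn'        => ['eppn' => ''],
    'missing user part' => ['eppn' => '@example.edu'],
    'two values'        => ['eppn' => 'jdoe@example.edu;jd@example.org'],
];

foreach ($samples as $label => $server) {
    // Only eppn is consulted: there is no silent fallback to mail, because
    // the two identifiers are not guaranteed to correspond.
    $id = split_scoped_attribute($server, 'eppn');
    if ($id === null) {
        echo "$label: rejected, no account created\n";
    } else {
        echo "$label: user={$id[0]} scope={$id[1]}\n";
    }
}
```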