Yanik,
you should start by making sure that Apache is configured to enable Shibboleth 
authentication on the shibauth directory. 

For example:

<Location /shibauth>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        require valid-user
</Location>



On Oct 14, 2011, at 12:54 PM, Yannick Charbonneau wrote:

> Thanks,
>  
> I added at the top of shibauth/index.php (for debug purposes);
>  
> mail(ERROREMAIL, "DEBUG EMAIL", $_SERVER['SERVER_NAME'], '', $mailParams); 
> and I get the correct value in an email sent to admin.  But, again when I put;
>  
> mail(ERROREMAIL, "DEBUG EMAIL", $_SERVER[‘mail’], '', $mailParams); I get an 
> empty email.
>  
> So it looks like shibauth/index.php is getting some, but not all variables.
>  
> I’m not sure if this is a VCL, PHP, Apache or shib issue.
>  
> Thanks for your help.
>  
> Yanik
>  
> From: Aaron Coburn [mailto:acob...@amherst.edu] 
> Sent: Friday, October 14, 2011 12:46 PM
> To: vcl-user@incubator.apache.org
> Subject: Re: $_SERVER variables for use in Shibauth
>  
> Yanik,
> what you describe is correct regarding how eppn is split on the @ character. 
> It is possible to modify the shibauth/index.php script to use just 
> $_SERVER['mail']; you will need to make a good number of modifications 
> throughout the file, though.
>  
> But I would really recommend asking the admin of your IdP to release the 
> appropriate set of attributes to the SP running the VCL. That includes at a 
> minimum: eppn, affiliation and mail, plus either sn and givenName or 
> displayName. The IdP admin should be able to set up an AttributeFilterPolicy 
> specifically for your application so it won't affect which attributes are 
> released to any other SP. 
>  
> I would also be cautious about using the mail value in place of eppn -- at 
> our institution, at least, I cannot rely on any necessary correspondence 
> between the two (even though in most cases they are equivalent).
>  
> Aaron
>  
>  
>  
>  
> On Oct 14, 2011, at 11:50 AM, Yannick Charbonneau wrote:
> 
> 
> Thanks.
>  
> Here is what I’m trying to do;
>  
> (I know, it’s ugly)
>  
> Our IDP doesn’t return eppn, but returns “mail” (email address of 
> authenticated user).
>  
> I’ve modified the code (shibauth/index.php) to use $_SERVER[‘mail’] as 
> opposed to $_SERVER[‘eppn’].  This is the only value I’m trying to get in 
> shibauth/index.php, if I understand the code, it splits eppn in 2 using the @ 
> and puts the first part in $username before inserting into user table.  I get 
> users with names of “@”, which causes all sorts of problems.
>  
> My test PHP script displays $_SERVER[‘mail’] with the correct value in it, 
> however, VCL does NOT appear to get this value.
>  
> Yanik
>  
> From: Aaron Coburn [mailto:acob...@amherst.edu] 
> Sent: Friday, October 14, 2011 11:42 AM
> To: vcl-user@incubator.apache.org
> Subject: Re: $_SERVER variables for use in Shibauth
>  
> Yanik,
> the shib-related $_SERVER vars will be empty outside the shib-protected 
> directory (/shibauth). Are they empty in the /shibauth directory, too (i.e. 
> the same directory you put your test PHP page)?
>  
> Aaron
>  
> On Oct 14, 2011, at 11:34 AM, Yannick Charbonneau wrote:
> 
> 
> 
> Hi All,
>  
> Still working on my Shibboleth integration.
>  
> For some unknown reason within VCL my $_SERVER variables are empty.  I have a 
> PHP test page which displays the values and I can see them.  But within VCL, 
> empty.
>  
> Anybody seen this before?
>  
> Thanks
>  
> Yanik
>  
>  
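
A fail-closed check for the failure discussed in this thread, where an attribute that is not released (or is read outside /shibauth) ends up as a user named "@". This is an added example, not VCL's shibauth/index.php and not code from either poster; the function name, the accepted character set and the sample $_SERVER arrays are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical helper, not VCL's shibauth/index.php.

/**
 * Split a scoped Shibboleth attribute (user@scope) taken from a
 * $_SERVER-style array. Throws instead of returning empty parts, so a
 * missing attribute can never become a user named "@".
 */
function shib_scoped_identity(array $server, string $attr = 'eppn'): array
{
    $raw = isset($server[$attr]) ? trim((string) $server[$attr]) : '';
    if ($raw === '') {
        throw new RuntimeException("attribute '$attr' is not set for this request");
    }
    // Assumed policy: exactly one value with a conservative character set.
    // The SP joins multi-valued attributes with ';', which this rejects.
    if (!preg_match('/^([A-Za-z0-9._-]+)@([A-Za-z0-9.-]+)$/D', $raw, $m)) {
        throw new RuntimeException("attribute '$attr' is not a single user@scope value");
    }
    return ['user' => $m[1], 'scope' => strtolower($m[2])];
}

// Constructed $_SERVER samples; none are captured from a real deployment.
$samples = [
    'eppn released'     => ['eppn' => 'jdoe@example.edu', 'mail' => 'john.doe@example.edu'],
    'eppn not released' => ['mail' => 'john.doe@example.edu'],
    'outside /shibauth' => ['SERVER_NAME' => 'vcl.example.edu'],
    'multi-valued'      => ['eppn' => 'jdoe@example.edu;jd2@example.edu'],
];

foreach ($samples as $label => $server) {
    try {
        $id = shib_scoped_identity($server);
        echo "$label: user={$id['user']} scope={$id['scope']}\n";
    } catch (RuntimeException $e) {
        // Fail closed: no row is written to the user table for this request.
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

Passing 'mail' as the second argument parses that attribute the same way, but the thread's caution still applies: mail and eppn are not guaranteed to correspond.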
