THANK YOU, that pointed me in the right direction. I now see my variables.
Yanik

From: Aaron Coburn [mailto:acob...@amherst.edu]
Sent: Friday, October 14, 2011 1:21 PM
To: email@example.com
Subject: Re: $_SERVER variables for use in Shibauth

Yanik, you should start by making sure that apache is configured to enable shibboleth authentication on the shibauth directory. For example:

<Location /shibauth>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>

On Oct 14, 2011, at 12:54 PM, Yannick Charbonneau wrote:

Thanks, I added at the top of shibauth/index.php (for debug purposes);

mail(ERROREMAIL, "DEBUG EMAIL", $_SERVER['SERVER_NAME'], '', $mailParams);

and I get the correct value in an email sent to admin. But, again when I put;

mail(ERROREMAIL, "DEBUG EMAIL", $_SERVER['mail'], '', $mailParams);

I get an empty email. So it looks like shibauth/index.php is getting some, but not all variables. I'm not sure if this is a vcl, php, apache or shib issue.

Thanks for your help.

Yanik

From: Aaron Coburn [mailto:acob...@amherst.edu]
Sent: Friday, October 14, 2011 12:46 PM
To: firstname.lastname@example.org<mailto:email@example.com>
Subject: Re: $_SERVER variables for use in Shibauth

Yanik, what you describe is correct regarding how eppn is split on the @ character. It is possible to modify the shibauth/index.php script to use just $_SERVER['mail']; you will need to make a good number of modifications throughout the file, though. But I would really recommend asking the admin of your IdP to release the appropriate set of attributes to the SP running the VCL. That includes at a minimum: eppn, affiliation and mail, plus either sn and givenName or displayName. The IdP admin should be able to set up an AttributeFilterPolicy specifically for your application so it won't affect which attributes are released to any other SP.

I would also be cautious about using the mail value in place of eppn -- at our institution, at least, I cannot rely on any necessary correspondence between the two (even though in most cases they are equivalent).

Aaron

On Oct 14, 2011, at 11:50 AM, Yannick Charbonneau wrote:

Thanks. Here is what I'm trying to do; (I know, it's ugly)

Our IDP doesn't return eppn, but returns "mail" (email address of authenticated user). I've modified the code (shibauth/index.php) to use $_SERVER['mail'] as opposed to $_SERVER['eppn']. This is the only value I'm trying to get in shibauth/index.php, if I understand the code, it splits eppn in 2 using the @ and puts the first part in $username before inserting into user table. I get users with names of "@", which causes all sorts of problems.

My test php script displays $_SERVER['mail'] with the correct value in it, however, vcl does NOT appear to get this value.

Yanik

From: Aaron Coburn [mailto:acob...@amherst.edu]
Sent: Friday, October 14, 2011 11:42 AM
To: firstname.lastname@example.org<mailto:email@example.com>
Subject: Re: $_SERVER variables for use in Shibauth

Yanik, the shib-related $_SERVER vars will be empty outside the shib-protected directory (/shibauth). Are they empty in the /shibauth directory, too (i.e. the same directory you put your test PHP page)?

Aaron

On Oct 14, 2011, at 11:34 AM, Yannick Charbonneau wrote:

Hi All,

Still working on my Shibboleth integration. For some unknown reason within vcl my $_SERVER variables are empty. I have a php test page which displays the values and I can see them. But within VCL, empty.

Anybody seen this before?

Thanks

Yanik
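
The failure described in this thread (a Shibboleth attribute that arrives empty in shibauth/index.php and ends up as a user named "@") can be caught before any row is written. The following is an added example, not part of the original messages and not VCL's own code; shib_principal(), the permitted character sets and the sample arrays are assumptions made for illustration.

```php
<?php
// Added example; shib_principal() is a hypothetical helper, not a VCL function.

/**
 * Return [user, scope] from a scoped attribute such as eppn, or null when
 * the attribute is missing, empty, or not of the form user@scope.
 */
function shib_principal(array $server, string $attr = 'eppn'): ?array
{
    // Outside a Shibboleth-protected <Location> the attribute is simply absent.
    if (!isset($server[$attr]) || !is_string($server[$attr])) {
        return null;
    }
    $value = trim($server[$attr]);

    // Require exactly one "@" with non-empty text on both sides.
    $parts = explode('@', $value);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;
    }
    // Conservative character sets (an assumption; adjust to local policy).
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $parts[0]) ||
        !preg_match('/^[A-Za-z0-9.-]+$/', $parts[1])) {
        return null;
    }
    return [$parts[0], strtolower($parts[1])];
}

// Constructed sample inputs standing in for $_SERVER.
$cases = [
    'protected, eppn released' => ['SERVER_NAME' => 'vcl.example.edu', 'eppn' => 'jdoe@example.edu'],
    'attribute not released'   => ['SERVER_NAME' => 'vcl.example.edu'],
    'attribute empty'          => ['eppn' => ''],
    'malformed value'          => ['eppn' => '@'],
];
foreach ($cases as $label => $server) {
    $principal = shib_principal($server);
    if ($principal === null) {
        // Fail closed: report the problem instead of inserting a user row.
        echo "$label: rejected, no account created\n";
        continue;
    }
    echo "$label: user={$principal[0]} scope={$principal[1]}\n";
}
```

In a real handler the rejected branch would log the request and stop, so that a missing attribute release or an unprotected path shows up as an error rather than as a malformed account.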