You should start by making sure that Apache is configured to enable Shibboleth 
authentication on the shibauth directory.

For example:

<Location /shibauth>
            AuthType shibboleth
            ShibRequestSetting requireSession 1
            require valid-user
</Location>

On Oct 14, 2011, at 12:54 PM, Yannick Charbonneau wrote:


I added at the top of shibauth/index.php (for debug purposes);

mail(ERROREMAIL, "DEBUG EMAIL", $_SERVER['SERVER_NAME'], '', $mailParams); and 
I get the correct value in an email sent to admin.  But, again when I put;

mail(ERROREMAIL, "DEBUG EMAIL", $_SERVER['mail'], '', $mailParams); I get an 
empty email.

So it looks like shibauth/index.php is getting some, but not all variables.

I'm not sure if this is a vcl, php, apache or shib issue.

Thanks for your help.


What you describe is correct regarding how eppn is split on the @ character. It 
is possible to modify the shibauth/index.php script to use just 
$_SERVER['mail']; you will need to make a good number of modifications 
throughout the file, though.

But I would really recommend asking the admin of your IdP to release the 
appropriate set of attributes to the SP running the VCL. That includes at a 
minimum: eppn, affiliation and mail, plus either sn and givenName or 
displayName. The IdP admin should be able to set up an AttributeFilterPolicy 
specifically for your application so it won't affect which attributes are 
released to any other SP.

I would also be cautious about using the mail value in place of eppn -- at our 
institution, at least, I cannot rely on any necessary correspondence between 
the two (even though in most cases they are equivalent).


On Oct 14, 2011, at 11:50 AM, Yannick Charbonneau wrote:


Here is what I'm trying to do;

(I know, it's ugly)

Our IDP doesn't return eppn, but returns "mail" (email address of authenticated 

I've modified the code (shibauth/index.php) to use $_SERVER['mail'] as opposed 
to $_SERVER['eppn'].  This is the only value I'm trying to get in 
shibauth/index.php, if I understand the code, it splits eppn in 2 using the @ 
and puts the first part in $username before inserting into user table.  I get 
users with names of "@", which causes all sorts of problems.

My test php script displays $_SERVER['mail'] with the correct value in it, 
however, vcl does NOT appear to get this value.


The shib-related $_SERVER vars will be empty outside the shib-protected 
directory (/shibauth). Are they empty in the /shibauth directory, too (i.e. the 
same directory you put your test PHP page)?


On Oct 14, 2011, at 11:34 AM, Yannick Charbonneau wrote:

Hi All,

Still working on my Shibboleth integration.

For some unknown reason within vcl my $_SERVER variables are empty.  I have a 
php test page which displays the values and I can see them.  But within VCL, 

Anybody seen this before?



