Shibboleth Developers

[Scott Cantor <>]

> Tomcat is getting the REMOTE_USER env var (confirmed via 
> snoop.jsp). But my test app only ever gets:
> 
>   HTTP_SHIB_EP_AFFILIATION == 
> ""

Presumably, there's an attribute command to map EPPN to REMOTE_USER? The 
template config files come that way, just checking though.

> Now it is a (mis-)feature of my local signon system that 
> REMOTE_USER is expressed as an unscoped userid, ie "rlmorgan" 
> rather than 
> ""
>  (or actually 
> ""
>  which is the official Kerb 
> principal).  It isn't clear to me whether the origin code is 
> expecting REMOTE_USER to be unscoped or not.

Unscoped. The echo context just appends the domain to the REMOTE_USER passed 
to Tomcat by your Web ISO. I hacked on it to at least
support other variables besides REMOTE_USER, but it still just cats them 
together.

> When I test using the Example U origin I also only get 
> member@, but I assume that's the way that origin is set.

Probably, but I'll check.

> So, any enlightenment here?  Are others successfully 
> releasing EPPN? Twould be nice to demo some apps that need userid.

I do it routinely here. When you say that Tomcat is getting REMOTE_USER, but 
your sample doesn't, what's your sample? If snoop.jsp
at a target sees EPPN in REMOTE_USER, I can't imagine why any other CGI 
script wouldn't.

>From the discussion about your local system, I wasn't sure if you were 
>talking an origin Tomcat or a target Tomcat.

-- Scott

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--