shibboleth-dev - Shib SP 1.2.1a on IIS - Wrong mapping of Attributes to HTTP Headers
Subject: Shibboleth Developers
List archive
- From: Patrik Schnellmann <>
- To:
- Subject: Shib SP 1.2.1a on IIS - Wrong mapping of Attributes to HTTP Headers
- Date: Thu, 24 Feb 2005 14:14:31 +0100
Hi all,
Actually, the problem has already been discussed on the shibboleth-users list (see: <https://mail.internet2.edu/wws/arc/shibboleth-users/2004-08/msg00269.html>). I'm bringing this up again because the problem has not been solved and I think there's a bug in the Shibboleth ISAPI filter.
My environment: Origin 1.1 (Debian), 1.2.1a Target on Windows 2003 Svr with IIS 6.
There are two HTTP headers that should be set, but they are not set (correctly). I should get the following:
HTTP_SHIB_SWISSEP_HOMEORGANIZATION : switch.ch
HTTP_SHIB_SWISSEP_HOMEORGANIZATIONTYPE : others
In fact, I get:
HTTP_SHIB_SWISSEP_HOMEORGANIZATION : (variable is not set)
HTTP_SHIB_SWISSEP_HOMEORGANIZATIONTYPE : switch.ch
If i change the AAP to map the Attributes to ...HOMEORGANIZATION to ...HOMEORGANIZATIONNAME, everything is fine and I get:
HTTP_SHIB_SWISSEP_HOMEORGANIZATIONNAME : switch.ch
HTTP_SHIB_SWISSEP_HOMEORGANIZATIONTYPE : others
This length of the header variables is not the problem. The problem is that the first variable HTTP_SHIB_SWISSEP_HOMEORGANIZATION to be set is a substring of HTTP_SHIB_SWISSEP_HOMEORGANIZATIONTYPE. So everyone on IIS using "HTTP_SHIB_"header names that are a substring of an other header name would have this problem.
I'd be happy if this misbehaviour could be corrected. For more configuration info see below (AAP and SAML Response snippets).
Patrik
The corresponding AAP entries are the following:
<AttributeRule Name="urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganizationType" Header="Shib-SwissEP-HomeOrganizationType" Alias="homeOrganizationType">
<AnySite>
<AnyValue/>
</AnySite>
</AttributeRule>
<AttributeRule Name="urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization" Header="Shib-SwissEP-HomeOrganization" Alias="homeOrganization">
<AnySite>
<AnyValue/>
</AnySite>
</AttributeRule>
The relevant part of the SAML-Message, the server gets (extracted from HTTP_SHIB_ATTRIBUTES) is:
<Attribute AttributeName="urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganizationType" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri" xmlns:typens="urn:mace:shibboleth:1.0">
<AttributeValue xsi:type="typens:AttributeValueType">others</AttributeValue>
</Attribute>
<Attribute AttributeName="urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri" xmlns:typens="urn:mace:shibboleth:1.0">
<AttributeValue xsi:type="typens:AttributeValueType">switch.ch</AttributeValue>
</Attribute>
--
------- SWITCH - The Swiss Education & Research Network -------
Patrik Schnellmann NetServices http://www.switch.ch/
SWITCH, Neumuhlequai 6, P.O. Box, CH-8021 Zurich, Switzerland
E-mail:
Tel: +411 2539859 Fax: +4112539898
- Shib SP 1.2.1a on IIS - Wrong mapping of Attributes to HTTP Headers, Patrik Schnellmann, 02/24/2005
- RE: Shib SP 1.2.1a on IIS - Wrong mapping of Attributes to HTTP Headers, Scott Cantor, 02/24/2005
- RE: Shib SP 1.2.1a on IIS - Wrong mapping of Attributes to HTTP Headers, Scott Cantor, 02/24/2005
- RE: Shib SP 1.2.1a on IIS - Wrong mapping of Attributes to HTTP Headers, Scott Cantor, 02/24/2005
- RE: Shib SP 1.2.1a on IIS - Wrong mapping of Attributes to HTTP Headers, Patrik Schnellmann, 02/24/2005
- RE: Shib SP 1.2.1a on IIS - Wrong mapping of Attributes to HTTP Headers, Scott Cantor, 02/24/2005
- RE: Shib SP 1.2.1a on IIS - Wrong mapping of Attributes to HTTP Headers, Patrik Schnellmann, 02/24/2005
Archive powered by MHonArc 2.6.16.