...
| Info |
|---|
| If you are converting CUWebAuth to Shibboleth on a production server, edit shib.conf, set directive "ShibCompatValidUser" to "On" to avoid interruption to of CUWebAuth on your site. |
| Expand | ||
|---|---|---|
| ||
Download our sample attribute-map.xml and replace your /etc/shibboleth/attribute-map.xml with downloaded file. Our attribute-map.xml defines all commonly used attributes. All attributes except groups defined in attribute-map.xml are released by default to all SP. Attribute "groups" is released on demand. Please specify your group names in Shibboleth Integration Request form. Shibboleth IDP doesn't support nested groups( for example group B is a member of group A, user C is a member of group B, IDP doesn't know user C is a member of group A) . If you have to use nested group, you need to convert nested group to dynamic group. |
...
By default, Shibboleth attributes that released to your shibboleth SP are available to your application as server environment variables, not available in HTTP headers. In your application, you should get authenticated user's netID from server variable REMOTE_USER.
...
https://wiki.shibboleth.net/confluence/display/SP3/AttributeAccess
If you have tomcat in your environment, since environment variables are not passed by mod_proxy_ajp unless they have AJP_ prefixes, you'll need to add attributePrefix="AJP_" to the <ApplicationDefaults> element in your configuration:
Need Help?
contact idmgmt@cornell.edu
...