Monday, September 19, 2011

Shibboleth Attributes: What am I getting???

Sometimes it's necessary to know exactly what attributes are being sent by Shibboleth.  It may be that you need to know the names of the attributes themselves, or maybe your business rules require knowledge of what institution the incoming users are with, or even what they had for breakfast that morning...

But how to tell what you're getting?

Well, there's a page you can visit on your Shibboleth server that will tell you exactly what attributes and values are being sent.  Nice, huh?  Problem is there's a little bit of configuration you have to do.

Open your shibboleth2.xml file.

Within that file there should be some Handler tags.  Each of these tags allows Shibboleth to display specific pages with specific details on them.  Session displays the attribute values we want.  You can also use the Status handler for diagnostic purposes, but this information is tightly controlled so you'd need to set the acl attribute of that element to the IP address of the machine you want to view it from.

To see your attributes, just navigate to

https://[domainname]/Shibboleth.sso/Session

That will display the attributes being passed.  You could replace Session with Status to see SAML information about your configuration.

No comments:

Post a Comment