
Shibboleth SP - Reading assertion attributes from Java


I understand that configured attributes will be stored as environment variables by default and will be accessible like

request.getAttribute("Shib-Identity-Provider")

I tried that, and after some googling I understood that to access them in Java through AJP I need to prefix this:

<ApplicationDefaults id="default" policyId="default"
    entityID="https://idp.example.org"
    REMOTE_USER="eppn persistent-id targeted-id"
    signing="false" encryption="false" attributePrefix="AJP_">

I did that but I still keep getting null in my Java application

  • Shib-Identity-Provider - null
  • Shib-Session-ID - null
  • Shib-Application-ID - null

Could someone help me figure out what I am missing to make it work?


Solution

    1. Make sure you have this field in your attribute map file.

      1.1 And the IdP has to send the attribute too.

    2. Since you have attribute prefix as "AJP_" your attributes will be coming as "AJP_attributeName" (This can vary too)

      2.1 You have to open up your AJP port, which usually listens on 8009, and redirect the /secure path to AJP. You have to do this in Apache to forward proxy as AJP.

      2.2 In your servlet/handler of /secure path try getting attribute as request.getHeader("AJP_attrName").

      (You can also try the following if this does not work: a. request.getAttribute("attr") b. request.getAttribute("AJP_attr") c. header.getAttribute("attr") d. header.getAttribute("AJP_attr"). I am telling you to try these because I did this a long time ago and I am not sure about the exact method.)
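
Added example, not part of the original answer: mod_proxy_ajp documents that environment variables named AJP_* are forwarded to the backend as AJP request attributes with the AJP_ prefix removed, so under that setup the lookup is a request attribute under the bare name. The class ShibAttributes, the helper values() and the sample data are hypothetical and constructed; the splitting follows the Shibboleth SP convention of joining multiple values with ";" and escaping a literal semicolon as "\;".

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.function.Function;

public class ShibAttributes {
    // Session variables the question tries to read.
    static final String[] NAMES = {
        "Shib-Identity-Provider", "Shib-Session-ID", "Shib-Application-ID" };

    /**
     * Look up a Shibboleth variable as a request attribute and split it into values.
     * In a servlet, pass request::getAttribute. Request headers are deliberately
     * not consulted, because a client can set those itself.
     */
    static List<String> values(Function<String, Object> attrs, String name) {
        Object raw = attrs.apply(name);          // bare name, without the AJP_ prefix
        List<String> out = new ArrayList<>();
        if (raw == null) return out;             // not mapped, not released, or not forwarded
        StringBuilder cur = new StringBuilder();
        String s = raw.toString();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\\' && i + 1 < s.length() && s.charAt(i + 1) == ';') {
                cur.append(';');                 // escaped semicolon inside one value
                i++;
            } else if (c == ';') {
                out.add(cur.toString());         // unescaped semicolon separates values
                cur.setLength(0);
            } else {
                cur.append(c);
            }
        }
        out.add(cur.toString());
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample standing in for HttpServletRequest attributes.
        Map<String, Object> sample = Map.of(
            "Shib-Identity-Provider", "https://idp.example.org/idp/shibboleth",
            "Shib-Session-ID", "_constructed_session_id",
            "affiliation", "staff@example.org;member@example.org");
        for (String n : NAMES) System.out.println(n + " = " + values(sample::get, n));
        System.out.println("affiliation = " + values(sample::get, "affiliation"));
    }
}
```

An empty list for a name means the value never reached the container, which points back at the attribute map, the IdP release policy, or the proxy step. Recent Tomcat releases also reject AJP request attributes that are not matched by the connector's allowedRequestAttributesPattern, so that setting has to cover the names being forwarded.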