Getting user info in IIS through request headers


Getting user info in IIS through request headers

krzyspiak
Hi,

I am using IIS5 on a W2k server with Shibboleth installation v2.3.1. I have spoofchecking set to true and put in a random guid for spoofkey. I am able to properly redirect to the iDP and get authenticated. I am now sent back to the original SP page requested and want to grab the user information which is set. I am dumping the Request Servervariables:

<table>
<%
' Dump every IIS server variable (the raw collection the poster is inspecting).
' Values are HTML-encoded so a header or query value cannot inject markup into the page.
Dim strKey
For Each strKey In Request.ServerVariables
%>
<tr>
<td><%= Server.HTMLEncode(strKey) %></td>
<td><%= Server.HTMLEncode(Request.ServerVariables(strKey)) %></td>
</tr>
<% Next %>
</table>

and do see some specific Shib session info such as:

HTTP_SHIBSPOOFCHECK 98888B6E-CDF1-4FCC-801F-F3985E4DC69A
HTTP_SHIBAPPLICATIONID default
HTTP_SHIBSESSIONID _943b828e143d273ab9b615b515a005e2
HTTP_SHIBIDENTITYPROVIDER https://xxxxxxx/idp/shibboleth
HTTP_SHIBAUTHENTICATIONINSTANT 2010-09-24T11:17:03.959Z
HTTP_SHIBAUTHNCONTEXTDECL urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

So I have the above amid some other normal request info, but nothing user specific like an expected HTTP_USERNAME or HEADER_USERNAME for example.
 
Am I looking in the right place? If so, is there somewhere in the config to set to allow the user information to be populated into the request object?

Any help or suggestions would be very much appreciated.

Thank you.

Rob

RE: Getting user info in IIS through request headers

Cantor, Scott E.
> is set. I am dumping the Request Servervariables:

Do not use that collection.

See https://spaces.internet2.edu/display/SHIB2/secadv_20090615

I noticed that the example in the wiki is wrong on this, I'll fix it.

> and do see some specific Shib session info such as:
>
> HTTP_SHIBSPOOFCHECK 98888B6E-CDF1-4FCC-801F-F3985E4DC69A

Note that you've now leaked this to the world and need to change it.

https://spaces.internet2.edu/display/SHIB2/NativeSPSpoofChecking

You shouldn't need to set that key yourself in any case unless you're using Windows 2000.

> So I have the above amid some other normal request info, but nothing user
> specific like an expected HTTP_USERNAME or HEADER_USERNAME for example.

If you don't have any attributes, nothing else from the SP will be present. There are no default mappings to anything called Username, so that wouldn't be there unless you chose that mapping.

> Am I looking in the right place? If so, is there somewhere in the config to
> set to allow the user information to be populated into the request object?

https://spaces.internet2.edu/display/SHIB2/NativeSPAttributeAccess

> Any help or suggestions would be very much appreciated.

Read all the docs and check your logs for details on what you're receiving and how to configure the SP to do what you want with it.

-- Scott


RE: Getting user info in IIS through request headers

krzyspiak
Thank you for responding. I did read that page
https://spaces.internet2.edu/display/SHIB2/secadv_20090615 and sorry if
I am missing something on how it should be done. My confusion is added
by one site/blog saying to use servervariables to access request
headers and another saying to not use it. I am using classic asp, so I
am just looking for an understanding or example of what I should use to
retrieve those custom variables. I have looked around for examples but
am having difficulty finding the right answer that actually prints me
out the information I am looking for. So it is not for a lack of
effort, and I wouldn't post here without trying various things first :-)
If it is not servervariables, and the example in the wiki is wrong, can
you please suggest what is right to use in a classic asp page to get
that?
 
Btw, the USERNAME attribute I mentioned is an example of what to my
understanding is being set as a custom variable (iDP level) that I
should be able to read and cannot figure out how to read it. After
authentication I want to grab this user info to then check against a db
entry (SP level) and allow to log into the system automatically. This
way sensitive password info stays at the iDP side, and the SP can login
that user without seeing it.
 
Hope that makes sense, and thanks again for any suggestions.
 
Rob

On Fri, 24 Sep 2010 11:52:08 -0400, Scott Cantor wrote:

> is set. I am dumping the Request Servervariables:
>
> Do not use that collection.
>
> See https://spaces.internet2.edu/display/SHIB2/secadv_20090615
>
> I noticed that the example in the wiki is wrong on this, I'll fix it.
>
> > and do see some specific Shib session info such as:
> > > HTTP_SHIBSPOOFCHECK 98888B6E-CDF1-4FCC-801F-F3985E4DC69A
>
> Note that you've now leaked this to the world and need to change it.
>
> https://spaces.internet2.edu/display/SHIB2/NativeSPSpoofChecking
>
> You shouldn't need to set that key yourself in any case unless you're
> using Windows 2000.
>
> > So I have the above amid some other normal request info, but nothing user
> > specific like an expected HTTP_USERNAME or HEADER_USERNAME for example.
>
> If you don't have any attributes, nothing else from the SP will be
> present. There are no default mappings to anything called Username,
> so that wouldn't be there unless you chose that mapping.
>
> > Am I looking in the right place? If so, is there somewhere in the config to
> > set to allow the user information to be populated into the request object?
>
> https://spaces.internet2.edu/display/SHIB2/NativeSPAttributeAccess
>
> > Any help or suggestions would be very much appreciated.
>
> Read all the docs and check your logs for details on what you're
> receiving and how to configure the SP to do what you want with it.
>
> -- Scott

RE: Getting user info in IIS through request headers

Cantor, Scott E.
> Thank you for responding. I did read that page
> https://spaces.internet2.edu/display/SHIB2/secadv_20090615 and sorry if
> I am missing something on how it should be done. My confusion is added
> by one site/blog saying to use servervariables to access request
> headers and another saying to not use it.

I have nothing to say about anything that isn't in the wiki, but the latest known information is there. We know that the ServerVariables collection created the last exposure, and that the Headers collection wasn't vulnerable, so we noted that as a best practice.

Both of them work, but unless there's a reason to use the one that caused problems before, I wouldn't do it.

> I am using classic asp, so I
> am just looking for an understanding or example of what I should use to
> retrieve those custom variables.

Classic ASP is different, there's no Headers collection there. Request("HTTP_SHIB_IDENTITY_PROVIDER") and so forth is the only way I know of for that.

> If it is not servervariables, and the example in the wiki is wrong, can
> you please suggest what is right to use in a classic asp page to get
> that?

https://spaces.internet2.edu/display/SHIB2/NativeSPAttributeAccess

There's an example at the end.

> Btw, the USERNAME attribute I mentioned is an example of what to my
> understanding is being set as a custom variable (iDP level) that I
> should be able to read and cannot figure out how to read it.

The IdP sends you SAML attributes, which if done properly are named by URIs, and your SP maps them to headers using the attribute mapping functionality.

The mapping logic is documented in https://spaces.internet2.edu/display/SHIB2/NativeSPAttributeExtractor but is very easy to understand from the attribute-map file included with the SP.

None of it matters unless you know exactly what the IdP is sending, which the logs can help determine if there is doubt about it.

-- Scott


RE: Getting user info in IIS through request headers

krzyspiak
Wanted to follow up on this as the issue was resolved and was a
config issue. The custom variables were not being mapped in
attribute-map.xml, which was not communicated to me as required by
the person on the iDP side, and my limited experience with Shibboleth
did not make this immediately obvious. After some better
understanding, this was made clear to be missing, and the custom
variable UID can be accessed by the expected Request("HTTP_UID").

Thanks.

Rob

At 01:47 PM 9/24/2010, Scott Cantor wrote:

> > Thank you for responding. I did read that page
> > https://spaces.internet2.edu/display/SHIB2/secadv_20090615 and sorry if
> > I am missing something on how it should be done. My confusion is added
> > by one site/blog saying to use servervariables to access request
> > headers and another saying to not use it.
>
>I have nothing to say about anything that isn't in the wiki, but the
>latest known information is there. We know that the ServerVariables
>collection created the last exposure, and that the Headers
>collection wasn't vulnerable, so we noted that as a best practice.
>
>Both of them work, but unless there's a reason to use the one that
>caused problems before, I wouldn't do it.
>
> > I am using classic asp, so I
> > am just looking for an understanding or example of what I should use to
> > retrieve those custom variables.
>
>Classic ASP is different, there's no Headers collection there.
>Request("HTTP_SHIB_IDENTITY_PROVIDER") and so forth is the only way
>I know of for that.
>
> > If it is not servervariables, and the example in the wiki is wrong, can
> > you please suggest what is right to use in a classic asp page to get
> > that?
>
>https://spaces.internet2.edu/display/SHIB2/NativeSPAttributeAccess
>
>There's an example at the end.
>
> > Btw, the USERNAME attribute I mentioned is an example of what to my
> > understanding is being set as a custom variable (iDP level) that I
> > should be able to read and cannot figure out how to read it.
>
>The IdP sends you SAML attributes, which if done properly are named
>by URIs, and your SP maps them to headers using the attribute
>mapping functionality.
>
>The mapping logic is documented in
>https://spaces.internet2.edu/display/SHIB2/NativeSPAttributeExtractor
>but is very easy to understand from the attribute-map file
>included with the SP.
>
>None of it matters unless you know exactly what the IdP is sending,
>which the logs can help determine if there is doubt about it.
>
>-- Scott
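Putting Scott's explanation of attribute mapping and the final resolution together, here is an added example (not code from the thread or from the Shibboleth project): a classic ASP page that reads the mapped uid attribute and uses it for the local login the original poster described. It assumes attribute-map.xml maps the IdP's uid attribute to id="uid" (the standard urn:oid:0.9.2342.19200300.100.1.1 entry), and the DSN, table and column names are placeholders; it reads the explicit Request.ServerVariables collection because an unqualified Request("HTTP_UID") in classic ASP searches QueryString and Form before ServerVariables, so a same-named request field could shadow the SP-supplied value.

```asp
<%@ Language="VBScript" %>
<% Option Explicit %>
<%
' Added example, not from the thread. Assumes attribute-map.xml contains the
' standard mapping so the SP filter exposes the attribute as HTTP_UID:
'   <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
' The DSN, table and column names below are assumed placeholders.
Dim uid, sessionId
' Read the explicit ServerVariables collection: an unqualified Request("HTTP_UID")
' searches QueryString and Form first, so a request field could shadow the value.
uid = Trim(Request.ServerVariables("HTTP_UID") & "")
sessionId = Trim(Request.ServerVariables("HTTP_SHIB_SESSION_ID") & "")

' Fail closed: no SP session or no mapped attribute means no automatic login.
If Len(sessionId) = 0 Or Len(uid) = 0 Then
    Response.Status = "403 Forbidden"
    Response.Write "No Shibboleth session or uid attribute; check attribute-map.xml and the SP log."
    Response.End
End If

' Parameterized ADO query: uid is external text as far as the database is concerned.
Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "DSN=AppDb"  ' assumed DSN
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT user_id, display_name FROM app_users WHERE uid = ?"
cmd.CommandType = 1  ' adCmdText
cmd.Parameters.Append cmd.CreateParameter("uid", 200, 1, 255, uid)  ' adVarChar, adParamInput
Set rs = cmd.Execute

If rs.EOF Then
    ' Authenticated at the IdP but unknown locally: do not auto-provision silently.
    Response.Status = "403 Forbidden"
    Response.Write "No local account for " & Server.HTMLEncode(uid)
Else
    ' Bind the application session to the SP session, never to a browser-supplied value.
    Session("user_id") = rs("user_id").Value
    Session("shib_session") = sessionId
    Response.Write "Welcome, " & Server.HTMLEncode(rs("display_name").Value)
End If
rs.Close
conn.Close
%>
```

The page must live under a location the Shibboleth ISAPI filter protects; otherwise the HTTP_UID and HTTP_SHIB_SESSION_ID variables are simply absent and the page refuses the login.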