
Comments (9)

JohnnyP10 commented on May 27, 2024

It doesn't need to be Shibboleth-eppn, but it should be whatever your SP configuration is set up to return as the eppn. In my environment I don't need the Shibboleth prefix at all since the SP is configured to return the unique username as the eppn variable.

from django-shibboleth-remoteuser.

trevoriancox commented on May 27, 2024

I think your answer helps illustrate my point. :) I'm suggesting that since the SP configurations vary, best not to hard-code assumptions like "Shibboleth-eppn" or "eppn". REMOTE_USER will be set to the username as well, won't it? So why not just use that?


FlipperPA commented on May 27, 2024

Does mod_shib / Apache set REMOTE_USER in this case? I'm guessing it does, but I'm not sure if that would also be the case with an nginx server setup, for example. I'm brand new to Shibboleth, so it is quite possible I'm wrong, just thinking out loud.


trevoriancox commented on May 27, 2024

Yes, in Apache I am getting REMOTE_USER. That's an old CGI standard, not specific to Apache. But good point, nginx might require a "proxy_set_header REMOTE_USER $remote_user;". Elsewhere, REMOTE_USER is assumed in Django documentation: https://docs.djangoproject.com/en/1.9/howto/auth-remote-user/


JohnnyP10 commented on May 27, 2024

It comes down to a bit of what FlipperPA writes. Shib does set Remote_User but I am not sure you can say it will always set it or that it is the only possible thing that will set it. Remote_User is part of HTTP, whereas eppn is part of the SAML (Security Assertion Markup Language).


trevoriancox commented on May 27, 2024

In shibboleth2.xml, I have:

<ApplicationDefaults ... REMOTE_USER="upn"

So that's where I got the idea that the default_shib_attributes configuration is redundant; I've already specified what SAML attribute maps to REMOTE_USER, and I shouldn't have to repeat that configuration again for django-shibboleth-remoteuser.


JohnnyP10 commented on May 27, 2024

If all you care about is username from Shibboleth then it is probably OK to do that. I'm not going to argue with you on that point, but normally you get back more than just username, so it would be a matter of being consistent.


bcail commented on May 27, 2024

I like the idea of switching the default to be "REMOTE_USER" for the username. In the middleware, when we grab the username from the request META, we use self.header, which defaults to REMOTE_USER in Django:
username = request.META[self.header]

Of course, we're just talking about the default here - the Shib attributes can be set differently, and the default self.header can be changed also.

Any objections to making this change?


trevoriancox commented on May 27, 2024

I was just going to give up, thanks @bcail. Think of this situation: Someone like me has never used Shibboleth/SAML/etc before, has to try to get something up and running for a client. With this change, the default_shib_attributes will "just work" right away, albeit just for one field. Then they can set up their own attributes and add the other fields they need.

from django-shibboleth-remoteuser.
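
Added example, not part of the thread and not code from django-shibboleth-remoteuser or Django: a sketch of why the key used in `request.META[self.header]` depends on whether the username reaches Django as a server variable (mod_shib with `REMOTE_USER="upn"`) or as a forwarded HTTP header (the nginx `proxy_set_header` case). `build_meta`, `resolve_username` and the sample values are hypothetical; the mapping modelled is the CGI/WSGI convention that request headers appear under an `HTTP_` prefix.

```python
# Added illustration; not code from django-shibboleth-remoteuser or Django.
# build_meta and resolve_username are hypothetical helper names.

UNPREFIXED = {"CONTENT_TYPE", "CONTENT_LENGTH"}


def build_meta(server_vars, http_headers):
    """Model how request.META is filled under the CGI/WSGI convention.

    Variables set by the web server keep their names. Request headers are
    upper-cased, '-' becomes '_', and they gain an HTTP_ prefix. (Some WSGI
    servers also drop header names containing '_'; that is not modelled.)
    """
    meta = dict(server_vars)
    for name, value in http_headers.items():
        key = name.upper().replace("-", "_")
        meta[key if key in UNPREFIXED else "HTTP_" + key] = value
    return meta


def resolve_username(meta, header="REMOTE_USER"):
    """The lookup quoted above, request.META[self.header], returning None
    instead of raising KeyError when the key is missing or empty."""
    return meta.get(header) or None


# Constructed sample requests (example.org values are made up).
# 1) Apache + mod_shib with REMOTE_USER="upn": set as a server variable.
APACHE = build_meta({"REMOTE_USER": "alice@example.org"}, {})

# 2) Reverse proxy forwarding the name as a header, as with
#    proxy_set_header REMOTE_USER $remote_user;
PROXIED = build_meta({}, {"REMOTE_USER": "alice@example.org"})

# 3) Server variable set, and the request also carries a Remote-User header.
BOTH = build_meta({"REMOTE_USER": "alice@example.org"},
                  {"Remote-User": "someone-else"})

if __name__ == "__main__":
    print(resolve_username(APACHE))                       # server variable
    print(resolve_username(PROXIED))                      # default key absent
    print(resolve_username(PROXIED, "HTTP_REMOTE_USER"))  # header key
    # The header never overwrites the server variable; a deployment keyed on
    # HTTP_REMOTE_USER relies on the proxy always overwriting that header.
    print(resolve_username(BOTH), BOTH["HTTP_REMOTE_USER"])
```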
