iiscoldfusioncgisamlshibboleth

ColdFusion / Shibboleth - REMOTE_USER


I have a ColdFusion application being hosted on my IIS server. I added the Shibboleth service to my web IIS, and the CGI/Filters are setup to use it. I added my application to the testshib federation and was able to login successfully. Now I'm trying to get the session variable into the ColdFusion code.

When I dump the CGI scope, I see the shibboleth session is saved under HTTP_COOKIE, but REMOTE_USER is an empty string. This is because REMOTE_USER cannot be used according to the docs. Instead the request header variable should be named HTTP_REMOTE_USER, but I don't see that in the CGI dump. Does anyone why this is? Do I have to set that up my shibboleth attribute-map or in ColdFusion ?

index.cfm

CGI dUMP
<cfdump var = "#cgi#" > 
<br>HTTP_REMOTE_USER
<cfdump var="#CGI.HTTP_REMOTE_USER#">
<br>Get Request
<cfset x = GetHttpRequestData()> 
<cfdump var="x">

Dump result

HTTP_COOKIE:_shibsession_64656487474733a2f2f6465736f6d2f73686962626f6c657468=_ecb60f7e4bf7616ab3522; 

Session

Miscellaneous
Session Expiration (barring inactivity): 479 minute(s)
Client Address: 224.61.30.228
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: https://idp.testshib.org/idp/shibboleth
Authentication Time: 2017-11-30T14:48:48.255Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)

Attributes
affiliation: 2 value(s)
entitlement: 1 value(s)
eppn: 1 value(s)
persistent-id: 1 value(s)
unscoped-affiliation: 2 value(s)

Solution

  • I believe that ColdFusion doesn't expose every possible CGI variable in the <cfdump>, only the most common ones. That doesn't mean you can't access what appear to be missing CGI variables directly. Try changing your dump to specifically target the one you need, like:

    <cfdump var="#CGI.HTTP_REMOTE_USER#">

    If it still isn't being written to the CGI scope, you might be able to access that specific request header variable through the the page request using getHTTPRequestData().