Shibboleth v1.8 Not Allowing Login

I did a little tracing through the code. It looks to me like our Shib/web hosting environment stores the Shibboleth username in $_SERVER[“uid”]. In plugin v1.7, it looks like the shibboleth_authenticate_user() function sets the $username variable based on this value.

However, it the v1.8 plugin, it looks like it’s trying to get the $_SERVER[“uid”] value via the getenv() function with a value of “UID”. This appears to set $username to a boolean “false” value. This is what appears to break the login.

I’m not quite sure how to fix this, except for suggesting pulling the value from $_SERVER again instead of using getenv(). However, the sites where this is happening are still on PHP v5.x. So I wonder if getenv() not getting the right data is a problem with PHP v5.x? Maybe upgrading to PHP v7 would get around this problem?

Thank you for reporting this issue. I’m looking into this now. Can you please cross post your issue to GitHub?

@jmdemuth, I’ve been reviewing this and I’m not seeing where the issue is coming in. I’ve just tested on PHP 5.6 without issue. According to the documentation on getenv():

This function is useful (compared to $_SERVER, $_ENV) because it searches $varname key in those array case-insensitive manner. For example on Windows $_SERVER[‘Path’] is like you see Capitalized, not ‘PATH’ as you expected. So just: <?php getenv(‘path’) ?>

I’m going to do some additional diagnostic work, but any additional details (operating system, SP configuration, web server, etc.) on your environment would be super helpful.

This was resolved with the release of version 1.8.1. You can see the full discussion on GitHub here: https://github.com/michaelryanmcneill/shibboleth/issues/7

This is just a follow-up: I did confirm with our web-hosting sysadmins that in our environment we restrict Apache from accessing environment variables for security reasons. This is why using getenv() (as opposed to $_SERVER) in the plugin failed to return any values (for us).