Commonly deployed Apache authentication modules exhibit a spectrum of capabilities for setting and managing environment variables with values asserted by an external provider. Some modules allow the deployer to map an asserted value to any environment variable name or label while others offer only limited capabilities such as setting a prefix.
Shibboleth Service Provider
The Shibboleth Service Provider (SP) XML Attribute Extractor, usually configured in the file attribute-map.xml, allows the deployer to map a SAML attribute "on the wire" representation such as a URN to any environment variable. For example, to map the SAML attribute with on the wire name urn:oid:188.8.131.52 to the environment variable ENV_OIS_NAME_GIVEN one would configure
If it is necessary to map from the on the wire SAML name to a second environment variable, one can use a Template Attribute Resolver to add the second mapping:
mod_auth_openidc
The mod_auth_openidc module does not allow the deployer to map claim names to arbitrary environment variables. Only the prefix prepended to the environment variable can be modified (see the explanation for the configuration option OIDCClaimPrefix). For example, the standard OIDC given_name claim is mapped by default to OIDC_CLAIM_given_name and only the prefix OIDC_CLAIM can be changed using the OIDCClaimPrefix configuration option, and the change is in effect for all claims.
One may, however, use the mod_rewrite module to write additional environment variables based on those set by mod_auth_openidc. For example, to map the given_name claim to OIDC_CLAIM_NAME_GIVEN, and similarly for family_name and middle_name, one may use the configuration
Note, however, that this approach only works in the ".htaccess" context (outside of that context the rewrite rules run before the mod_auth_openidc module has had a chance to populate the CGI environment variables). You may add that configuration to the existing file .../app/webroot/.htaccess, but be aware that it will be overwritten when you next upgrade COmanage.
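The kind of rewrite configuration described above, written for the .htaccess context, as an added example that is not the original page's or COmanage's own configuration. It assumes the default claim prefix is in use; the target names OIDC_CLAIM_NAME_FAMILY and OIDC_CLAIM_NAME_MIDDLE are assumptions made by analogy with OIDC_CLAIM_NAME_GIVEN.

```apache
# Added example, not shipped configuration. Intended for a per-directory
# (.htaccess) file, where these rules run after mod_auth_openidc has
# populated the environment.
RewriteEngine On

# Place these rules before any existing rule that ends processing with [L].

# Copy a claim to a second variable only when the claim is present and
# non-empty. %1 is the value captured by the preceding RewriteCond.
# "RewriteRule ^ -" matches every request and leaves the URL unchanged;
# only the E flag has an effect.
RewriteCond %{ENV:OIDC_CLAIM_given_name} ^(.+)$
RewriteRule ^ - [E=OIDC_CLAIM_NAME_GIVEN:%1]

# Target name assumed by analogy with OIDC_CLAIM_NAME_GIVEN.
RewriteCond %{ENV:OIDC_CLAIM_family_name} ^(.+)$
RewriteRule ^ - [E=OIDC_CLAIM_NAME_FAMILY:%1]

# Target name assumed by analogy with OIDC_CLAIM_NAME_GIVEN.
RewriteCond %{ENV:OIDC_CLAIM_middle_name} ^(.+)$
RewriteRule ^ - [E=OIDC_CLAIM_NAME_MIDDLE:%1]
```

Because each rule is guarded by a RewriteCond, a claim the provider did not assert leaves the corresponding target variable unset rather than set to an empty string, so the application can distinguish a missing value from an empty one.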