We were able to help the Vet School get one of their ColdFusion servers up and running with Shibboleth support. There were a few issues along the way. These notes should help anyone else coming along and trying to do a similar installation.
Their platform was: Windows Server 2012, running Apache httpd 2.4, and Coldfusion 11 using the mod_jk connector in under Apache.
Secure test page
They used an index.cfm file in their /secure/ test directory to show the passed Shibboleth variables. That code looks like this:
<html> <body> Shibboleth is working. <br /> <br /> Variables: <br /> <cfoutput> REMOTE_USER: #cgi.remote_user#<br /> eppn: #CGI.SHIB_EPPN#<br /> campusPermanentId: #cgi.SHIB_CPID#<br /> affiliation: #cgi.SHIB_UNAFFILIATION#<br /> </cfoutput> </body> </html>
What we found is that the cgi.remote_user was being passed to CF just fine, but the other three variables were missing from the output.
To debug this problem, first we looked at the /var/log/shibboleth/transaction.log file. There we observed that shibd was indeed decoding all of the attributes correctly. It was just CF that was not able to read them from the environment.
A google search turned up this bug report on CF environment variables. The issue appears to be that newer version of ColdFusion and/or the mod_jk connector will only pass specific variables in the environment. In order to get Shibboleth attributes to pass, we have to add extra configuration lines to the apache config files. They added these lines to their mod_jk.conf:
JkEnvVar SHIB_EPPN JkEnvVar SHIB_CPID JkEnvVar SHIB_UNAFFILIATION
After restarting Apache and the ColdFusion engine, the test page now shows all four of the passed variables.