Login across SPs, one IdP

Wed Sep 14 04:36:58 BST 2011

Hello,

I have one IdP and three SPs on different hosts.

idp.example.com
sp1.example.com
sp2.example.com
sp3.example.com

The three SPs are setup and the applications on them are properly protected
with Shib and redirect to the IdP for authentication as expected.

I would like to login to an application on sp1, and automatically be
authenticated when I login to the applications on the others - so the
authentication and attributes span across the domain.  This was working with
an OpenAM IdP using a federation, but I have been unable to replicate this
with a Shib IdP.  After authenticating by accessing an application on an SP,
accessing an application on a different SP redirects to the IdP for login;
for lazy sessions it does nothing.  It doesn't recognize the Shib session
authentication and attributes from the login via the other SP.

Creating a federation following the directions here:

https://wiki.shibboleth.net/confluence/display/SHIB2/BuildAFederation

resulted in no change of behavior.  So, each of the SPs use the federation
metadata.  As far as I could tell from the directions, there was no change
required on the IdP for the federation.

Here are the things I tried:

* Even though I didn't see any specific changes required for the IdP in a
federation, I changed the relying party metadata to use the federation
metadata only.  But this seemed to work the same as specifying the metadata
for each provider separately.

* In shibboleth2.xml, added a domain name to cookieProps in order be sure
the cookie is shared across the domain, ie,

        <Sessions lifetime="28800"
          timeout="3600"
          checkAddress="false"
          handlerURL="/Shibboleth.sso"
          handlerSSL="true"
          cookieProps="; domain=example.com; path=/; secure"
          exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
          idpHistory="false"
          idpHistoryDays="7">

* All attributes are allowed to pass as specified in attribute-policy.xml by
each SP

* Disabled the security rule for testing, ie,
    <SecurityPolicies>
        <Policy id="default" validate="false">
            <PolicyRule type="NullSecurity"/>
        </Policy>
    </SecurityPolicies>

I have a php script that dumps the server variable and is protected by
Shib.  If I visit the script on an SP after logging into an application on a
different SP, the cookies _saml_idp and shibsession_* are present.  The shib
headers are present but empty.  No attributes are listed.  Going to
sp2/Shibboleth.sso/Session says there is not valid session.  I am using
tomcat (mod_jk).

Is there something that I'm missing for SPs sharing authentication and
attributes across a domain?  Any suggestion for me to try?

Any help would be much appreciated.

Thanks and have a nice day!

Charity
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20110913/a62e4999/attachment.html 