IdP SSO not working

Peter Schober peter.schober at univie.ac.at
Thu Feb 23 12:24:53 GMT 2012


* Sara Hopkins <sara.hopkins at ed.ac.uk> [2012-02-22 22:10]:
> They have three IdP servers behind a NetScaler load balancing
> solution. I must confess I know next to nothing about load
> balancers, but instinctively I'm tempted to look for the problem
> there. It looks to me as if it has to be something related to
> state. And one thing I have noticed in particular in their IdP log
> is that only one IP address is ever logged, which is their NetScaler
> IP address (a private IP on the 192.168 net). So every
> Shibboleth-Access, whether an SSO or an AttributeQuery, is being
> logged with that IP address.

Even if this was not the source of the problem I'd still strongly
recommend to the IdP owners to change this, as it makes debugging (or
simply effective end user support) and audits next to impossible.

In case the institution uses Apache httpd in front of the Java servlet
container the newly released Apache httpd 2.4.1 has a built-in module
to set the IP address for a connection based on an HTTP request header
(to be populated by the load balancer with the actual remote IP
address of the user agent), which trickles down to the IdP via AJP.
For Tomcat and other Java servlet containers acting as webservers
there are similar methods (e.g. with Tomcat involving "valves", IIRC).
-peter
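The mechanism Peter describes (Apache httpd's mod_remoteip with its RemoteIPHeader and RemoteIPInternalProxy directives, or Tomcat's RemoteIpValve) only works safely if the header is trusted when it arrives from the load balancer, not from any client. The following added example is not from the thread or from either project; it models the same right-to-left walk of X-Forwarded-For in Python so the trust boundary can be checked offline. The trusted range 192.168.0.0/16 mirrors the private NetScaler address mentioned in the thread; all other addresses are constructed sample values.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed assumption: the load balancer lives on the 192.168.0.0/16 net
# (the thread only says the NetScaler has a private 192.168.x.x address).
TRUSTED_PROXIES: List[str] = ["192.168.0.0/16"]


def _parse_networks(cidrs: Iterable[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _is_trusted(addr, networks) -> bool:
    return any(addr in net for net in networks)


def client_ip(remote_addr: str, forwarded_for: Optional[str],
              trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Return the address to log/audit as the real client.

    remote_addr   - peer address of the TCP connection (what the IdP sees now)
    forwarded_for - the X-Forwarded-For header value, or None if absent
    trusted_proxies - CIDR list of proxies whose header entries we believe

    The header is read right-to-left: the rightmost entry was appended by the
    proxy closest to us. Entries are only consumed while the hop that added
    them is a trusted proxy; the first untrusted address is the client.
    """
    networks = _parse_networks(trusted_proxies)
    candidate = ipaddress.ip_address(remote_addr)

    # A direct connection from an untrusted peer can carry any header it
    # likes, so the header is ignored and the peer address is the client.
    if not forwarded_for or not _is_trusted(candidate, networks):
        return str(candidate)

    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    while hops:
        raw = hops.pop()  # rightmost remaining entry
        try:
            hop = ipaddress.ip_address(raw)
        except ValueError:
            # Malformed entry: stop trusting the rest of the header and keep
            # the last address that was actually verified (a trusted proxy).
            break
        candidate = hop
        if not _is_trusted(candidate, networks):
            break  # first non-proxy address: this is the user agent
    # If every hop was a trusted proxy, the leftmost one is reported.
    return str(candidate)


if __name__ == "__main__":
    # What the IdP log in the thread shows today versus what it should show.
    print("logged now :", client_ip("192.168.1.10", None))
    print("logged fixed:", client_ip("192.168.1.10", "203.0.113.5"))
```

The two cases worth checking in the real configuration are the spoof case (a client connecting directly with its own X-Forwarded-For must still be logged under its connection address) and the chained case (a second internal proxy between the balancer and the IdP must be skipped, not reported as the client). Both are what the proxy allow-list in mod_remoteip or RemoteIpValve enforces; without such a list the header value is under the sender's control.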

