idpSession with emailAddress NameID

Szerb, Tamas toma at rulez.org
Thu Jul 3 09:42:01 EDT 2014


I believe that also impacts the
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
and
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
kinds of NameIDs, and the transient can be "fixed" by setting the TTL quite
low, so I'd consider this a bug.

Cheers,

Tamas

VWOL
Tamas SZERB <toma at rulez.org>


On Thu, Jul 3, 2014 at 3:35 PM, Szerb, Tamas <toma at rulez.org> wrote:

> Hello,
>
> I have just run into the issue that, with the same
> urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress,
> if the user logs in, then they cannot log out because of getting the
> urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal
> status message.
>
> This is clearly because of the
> http://svn.shibboleth.net/view/java-shib-idp2/tags/2.4.0/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml2/SLOProfileHandler.java?revision=3172&view=markup
>
> // Get session corresponding to NameID. This is limited to one session, which means
> // we can't know if more than one might have been issued for a particular NameID.
> SessionManager<Session> sessionManager = getSessionManager();
> String nameIDIndex = getSessionIndexFromNameID(requestContext.getSubjectNameIdentifier());
> log.debug("Querying SessionManager based on NameID '{}'", nameIDIndex);
> Session indexedSession = sessionManager.getSession(nameIDIndex);
>
> My question is how to remediate it. We can only use emailAddress at this
> time (and SAML standard), and I believe this use case is quite typical. I
> also wonder why not have e.g. JSESSIONID also used as a key with the
> NameID?
>
> Thanks,
>
> Tamas
>
> VWOL
> Tamas SZERB <toma at rulez.org>
>
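The lookup limitation the quoted SLOProfileHandler comment describes, as an added example that is not part of this thread or of the Shibboleth IdP code: a toy session manager that indexes at most one session per key derived from the NameID. Everything in it (`ToySessionManager`, `issueNameId`, `login`, `logout`, `scenario`, the sample user and session ids) is constructed for this illustration. With emailAddress the IdP issues the same value on every login, so two sessions for one user (say, two browsers) collide on one index entry and a LogoutRequest for the session no longer at that entry cannot be resolved, which the model reports as UnknownPrincipal; with transient each login gets a fresh value. The third scenario keys the index by NameID plus the SessionIndex a SAML 2.0 LogoutRequest can carry, along the lines the question suggests, so both logouts resolve even with an emailAddress NameID.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Added example, not Shibboleth IdP code: a toy model of the single-session-per-NameID
// index that the quoted SLOProfileHandler comment describes.
public class NameIdSessionIndexDemo {

    static final String FORMAT_EMAIL =
            "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
    static final String FORMAT_TRANSIENT =
            "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";
    static final String STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    static final String STATUS_UNKNOWN_PRINCIPAL =
            "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal";

    /** Hypothetical stand-in for SessionManager<Session>: one index value -> one session id. */
    static class ToySessionManager {
        private final Map<String, String> byIndex = new HashMap<>();

        void index(String key, String sessionId) { byIndex.put(key, sessionId); }

        String getSession(String key) { return byIndex.get(key); }

        void destroy(String key) { byIndex.remove(key); }
    }

    /** NameID value the IdP issues for a user under a format (constructed behaviour). */
    static String issueNameId(String format, String user) {
        if (FORMAT_TRANSIENT.equals(format)) {
            return "_" + UUID.randomUUID();   // fresh opaque value on every login
        }
        return user;                          // emailAddress: identical value on every login
    }

    /** Login: create a session and index it by the key the IdP derives from the NameID. */
    static String login(ToySessionManager sm, String format, String user,
                        String sessionId, boolean keyBySessionIndex) {
        String nameId = issueNameId(format, user);
        sm.index(keyBySessionIndex ? nameId + "|" + sessionId : nameId, sessionId);
        return nameId;
    }

    /**
     * SP-initiated LogoutRequest. It always carries the NameID; if keyBySessionIndex is
     * set it also carries the SessionIndex (here the session id) and the lookup uses both.
     */
    static String logout(ToySessionManager sm, String nameId, String sessionId,
                         boolean keyBySessionIndex) {
        String key = keyBySessionIndex ? nameId + "|" + sessionId : nameId;
        String indexed = sm.getSession(key);
        if (indexed == null || !indexed.equals(sessionId)) {
            return STATUS_UNKNOWN_PRINCIPAL;  // no session resolvable for this request
        }
        sm.destroy(key);
        return STATUS_SUCCESS;
    }

    /** Runs two logins for one user (e.g. two browsers) followed by a logout of each. */
    static void scenario(String label, String format, boolean keyBySessionIndex) {
        ToySessionManager sm = new ToySessionManager();
        String user = "alice@example.org";    // constructed sample user
        String n1 = login(sm, format, user, "sess-1", keyBySessionIndex);
        String n2 = login(sm, format, user, "sess-2", keyBySessionIndex);
        System.out.println(label + ": same NameID for both logins = " + n1.equals(n2));
        System.out.println("  logout sess-1 -> " + logout(sm, n1, "sess-1", keyBySessionIndex));
        System.out.println("  logout sess-2 -> " + logout(sm, n2, "sess-2", keyBySessionIndex));
    }

    public static void main(String[] args) {
        scenario("emailAddress, NameID-only index", FORMAT_EMAIL, false);
        scenario("transient, NameID-only index", FORMAT_TRANSIENT, false);
        scenario("emailAddress, NameID+SessionIndex key", FORMAT_EMAIL, true);
    }
}
```

The model deliberately keeps the index as a plain map from one key to one session id, because that is the property the quoted comment states ("limited to one session"). The composite key in the third scenario is only a sketch of the direction the question raises; whether the real IdP could adopt it depends on every SP reliably echoing the SessionIndex in its LogoutRequest, which the thread does not discuss.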