Shibboleth SP - What triggers redirection through Embedded Discovery Service?

Ken Weiss ken.weiss at
Fri May 9 19:11:23 EDT 2014

I looked at the documentation here:

I found this:

* cookieName(string)
* Rarely needed, this can be used to override part of the names used for
cookies maintained by the SP. The name is used in combination with other
values that are part of the SP implementation and not documented. It is
not meant to allow full control over the name but can be useful in some
scenarios in which virtual server domains overlap.

But I can't find anything more specific as to just how I can use
'cookieName' to handle "scenarios in which virtual server domains
overlap." And I'm not sure that describes my problem. I don't think my
domains overlap - I think they are different. I'm using canonical names in
my virtual host configuration in Apache, so as far as the browser is
concerned, and as far as Shibboleth is concerned, the server domains
should be and

Here's what I have in my <Sessions> element now:

<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="true" cookieProps=";
path=/;secure; HttpOnly">

What would I want to adjust in order to get the cookies to work right and
avoid the EDS dance? Assuming that's the actual reason I'm getting routed
back to the Embedded Discovery Service...


Ken Weiss                                 ken.weiss at
UC Office of the President              510-587-6311 (office)
California Digital Library              916-905-6933 (mobile)
UC Curation Center
415 20th Street, 4th Floor
Oakland, CA 94612

On 5/9/14 3:56 PM, "Ken Weiss" <ken.weiss at> wrote:

>I do have application overrides in my shibboleth2.xml file, but they are
>just placeholders - I don't have any application specific configuration in
>them. So effectively, no, I'm not using them. But I could... Did you have
>something in mind?
>I'll look at the <Session> element and see if I can figure it out. Thanks
>for the pointer.
>Ken Weiss                                 ken.weiss at
>UC Office of the President              510-587-6311 (office)
>California Digital Library              916-905-6933 (mobile)
>UC Curation Center
>415 20th Street, 4th Floor
>Oakland, CA 94612
>On 5/9/14 3:31 PM, "Kevin Foote" <kpfoote at> wrote:
>>On May 9, 2014, at 2:46 PM, Ken Weiss <ken.weiss at> wrote:
>>> Steps 6 and 7 are the problem. I don't understand why my SP is sending
>>>the user back to EDS when they already have a valid Shibboleth session.
>>>Can anyone give me some clues as to how to even begin to debug and
>>>resolve this? Or is this an expected behavior - just part of the way we
>>>expect Shibboleth to behave when crossing from one DNS domain to
>>Very broad stab at your use case..
>>Is this a cookie domain mismatch issue?
>>If cookies are the issue you can probably adjust in the <Session>
>>You did not say explicitly but I think by your gloss-over of your
>>shib2.xml you are NOT using overrides.
>>Is that correct?
>> kevin.foote
>>To unsubscribe from this list send an email to
>>users-unsubscribe at
>To unsubscribe from this list send an email to
>users-unsubscribe at

More information about the users mailing list