IDP v3 Double Login

McKean, Brandon Scott - mckeanbs mckeanbs at jmu.edu
Tue Aug 4 12:44:23 EDT 2015 

Either the SP is making a second request or it's not. If a double login is happening entirely within a single request to the IdP, then the SP obviously isn't even involved. If the SP is involved, then whatever they made it do is something that they should be able to identify, but it's nothing the SP does intrinsically.

I think I understand what you mean here. From what I can tell from the logs, it goes through all the way through to "record response complete", and then it starts anew with another AttributeQuery. Am I understanding correctly that that portion is another request to it?

Since I have no idea what either end is really doing, I certainly couldn't say anything about how to fix it. If the SP is making two requests, then there should be a meaningful difference between them (like one specifying IsPassive and the other not). If there's a difference, then it can be determined what bug might be getting triggered or if there's a misconfiguration.

Unfortunately there doesn't seem to be a difference between them at that portion.


Brandon McKean


On Tue, 2015-08-04 at 15:41 +0000, Cantor, Scott wrote:

On 8/4/15, 11:36 AM, "users on behalf of McKean, Brandon Scott - mckeanbs" <users-bounces at shibboleth.net<mailto:users-bounces at shibboleth.net> on behalf of mckeanbs at jmu.edu<mailto:mckeanbs at jmu.edu>> wrote:



I find that a bit confusing. Initially you were saying it'd be caused by SP behavior, but then then that no settings would cause that behavior. Do you mean Shibboleth SP has no settings that might cause that in general? I suppose I can't rule out that they have since switched away from Shibboleth SP.



Either the SP is making a second request or it's not. If a double login is happening entirely within a single request to the IdP, then the SP obviously isn't even involved. If the SP is involved, then whatever they made it do is something that they should be able to identify, but it's nothing the SP does intrinsically.



And if so, is there any setting on the IDP side that might coax it into behaving better?



Since I have no idea what either end is really doing, I certainly couldn't say anything about how to fix it. If the SP is making two requests, then there should be a meaningful difference between them (like one specifying IsPassive and the other not). If there's a difference, then it can be determined what bug might be getting triggered or if there's a misconfiguration.

-- Scott


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20150804/573611e0/attachment.html>

More information about the users mailing list