IDP v3 Double Login

Cantor, Scott cantor.2 at
Fri Aug 14 10:40:48 EDT 2015

On 8/14/15, 10:33 AM, "users on behalf of McKean, Brandon Scott - mckeanbs" <users-bounces at on behalf of mckeanbs at> wrote:

>As far as I'm aware, it had been like that for a while with Shibboleth 2 in use. Switching to Shibboleth 3 on our end, as far as we can tell, made it start producing double login issues.

It is conceivably possible if that SP were using a relayState that was sending the full URL to the IdP (since that would be subject to potential manipulation by the IdP if we had a bug) but they're not (your pasted link left the underlying URL intact, so I was able to click it), it's using in-memory relay state so the URL never leaves the SP. So, no, there's absolutely no way that's possible.

>I'm not sure what else may have changed on their end, but that's all they said they had changed. They suspect it's a new change in Shibboleth 3, but I find myself doubtful on that front.

Can't be. Not that alone anyway.

-- Scott

More information about the users mailing list