IDP v3 Double Login

McKean, Brandon Scott - mckeanbs mckeanbs at jmu.edu
Fri Aug 14 11:04:38 EDT 2015


> It is conceivably possible if that SP were using a relayState that was sending the full URL to the IdP (since that would be subject to potential manipulation by the IdP if we had a bug) but they're not (your pasted link left the underlying URL intact, so I was able to click it), it's using in-memory relay state so the URL never leaves the SP. So, no, there's absolutely no way that's possible.

You'd know better than I would on that, and I trust your judgement. I admittedly have no clue as to what else may have changed.

> Can't be. Not that alone anyway.

Noted. I do still suspect it was something on the SP side, but without detail provided for their configuration I unfortunately can't speak for it.


Brandon

On Fri, 2015-08-14 at 14:40 +0000, Cantor, Scott wrote:

> On 8/14/15, 10:33 AM, "users on behalf of McKean, Brandon Scott - mckeanbs" <users-bounces at shibboleth.net on behalf of mckeanbs at jmu.edu> wrote:
>
> > As far as I'm aware, it had been like that for a while with Shibboleth 2 in use. Switching to Shibboleth 3 on our end, as far as we can tell, made it start producing double login issues.
>
> It is conceivably possible if that SP were using a relayState that was sending the full URL to the IdP (since that would be subject to potential manipulation by the IdP if we had a bug) but they're not (your pasted link left the underlying URL intact, so I was able to click it), it's using in-memory relay state so the URL never leaves the SP. So, no, there's absolutely no way that's possible.
>
> > I'm not sure what else may have changed on their end, but that's all they said they had changed. They suspect it's a new change in Shibboleth 3, but I find myself doubtful on that front.
>
> Can't be. Not that alone anyway.
>
> -- Scott

