Need to modify AuthnContextClassRef in ExternalAuth
cantor.2 at osu.edu
Tue Dec 22 13:27:13 EST 2015
On 12/22/15, 12:06 PM, "users on behalf of Stefan Santesson" <users-bounces at shibboleth.net on behalf of stefan at aaa-sec.com> wrote:
>I actually got a slightly different result on this go, using enriched logs. Here is the relevant log data:
That all matches, save for the part I can't explain.
There's no reason I can think of that having a stale IdP session cookie would cause any problems, but I will reproduce that case.
>I can’t find neither the word JSESSIONID nor the JSESSIONID value in the log. Should ?
No, though I believe it can be added with some kind of MDC variable.
>However, I’m pretty sure the JSESSIONID is reaching the server, or else, also server side storage would fail, and that works.
Well, it wouldn't have any impact on storage, but it should break Spring Web Flow entirely and it would never be able to complete a request.
There has to be some edge case here I'm not seeing, but if it's as egregious as just a stale cookie, I don't know how that could have been missed.
More information about the users