[Ext] Shib session question

Nate Klingenstein nate.klingenstein at utah.edu
Mon May 23 16:54:57 EDT 2016

Works fine when the first SAML response is sent to our service, but when the user returns to their application, switches users and sends us a new SAML assertion, their original session seems to persist and the new response is ignored.  This results in the second user utilizing the first user's token.

Do you know what the implementation is?  If it’s Shibboleth IdP v2.x, switching of principals during a single session was never a use case that the IdP was designed for, and it results in the behavior you’ve experienced.  IIRC, it’s down to session management and result caching, but I don’t really recall.

The same question came up for IdPv3 recently.