Shib session question

Cantor, Scott cantor.2 at
Mon May 23 16:56:21 EDT 2016

> Works fine when the first SAML response is sent to our service, but when
> the user returns to their application, switches users and sends us a new
> SAML assertion, their original session seems to persist and the new response
> is ignored.

Ignored by what? The SP only has one cookie to set and a new response will overwrite the old cookie's value if it's successfully consumed, so if it logs a second session being created, that value should be in the client's cookie, and if it's not, then the client didn't reset the cookie and its still using the old one. Without tracing all that, there's not much else I can say. The session cookie isn't obfuscated, the value in it will match exactly what's in the log.

> Clearly the issue is with the iDP since I have a zillion other idps that connect fine.

A Shibboleth 2 IdP cannot switch users (period) and will unpredictably issue assertions with either user's data in them, but whatever the SP gets is what it will use.

-- Scott

More information about the users mailing list