Shib session question

Mike Flynn shibbolethlynda at
Wed May 25 15:55:28 EDT 2016

This is a new IdP deployment, so we are the first SP they are connecting with. The LMS is acting as the IdP and connecting with "ComponentSpace SAML 2.0 to issue IdP initiated logins". I am just trying to help them connect to us.

    On Monday, May 23, 2016 1:56 PM, "Cantor, Scott" <cantor.2 at> wrote:

> Works fine when the first SAML response is sent to our service, but when
> the user returns to their application, switches users and sends us a new
> SAML assertion, their original session seems to persist and the new response
> is ignored.

Ignored by what? The SP only has one cookie to set and a new response will overwrite the old cookie's value if it's successfully consumed, so if it logs a second session being created, that value should be in the client's cookie, and if it's not, then the client didn't reset the cookie and it's still using the old one. Without tracing all that, there's not much else I can say. The session cookie isn't obfuscated; the value in it will match exactly what's in the log.

> Clearly the issue is with the IdP since I have a zillion other IdPs that connect fine.

A Shibboleth 2 IdP cannot switch users (period) and will unpredictably issue assertions with either user's data in them, but whatever the SP gets is what it will use.

-- Scott
