Shibboleth-3 issues with ExternalAuth?

Cantor, Scott cantor.2 at osu.edu
Sun Dec 23 13:44:42 EST 2018


ExternalAuth (if you mean the SP feature) is not a "normal" feature, and has some pretty serious security implications, to say nothing of combining that with AttributeQuery, so to say this is some advanced stuff is putting it mildly.

And the cert warnings are what they are, derived from understanding:

- why you're querying at all (e.g. is this because of a lack of attributes in the initial response or some deliberate choice?)
- what/who you're querying
- what the metadata for those attribute sources is
- what's not right about that metadata vs. the certificates in use

There is no chance it wouldn't have happened with V2, where the certificate issues are concerned at least, given the same inputs, though possibly some logging changed.

If you don't know why you're querying, then you shouldn't be. Turn queries off.

Data samples would need to be obtained to reproduce the crashes and a bug filed. You had certainly better be in full control over any data supplied there (that's inherently the assumption of that handler), so presumably you can obtain inputs that are causing the crashes.

But first I'd try with 3.0.3 and all the latest code and see if it helps or changes the error messages.

-- Scott



