What will happen if?

Cantor, Scott cantor.2 at osu.edu
Thu Nov 1 13:03:29 EDT 2018



On 11/1/18, 12:00 PM, "users on behalf of Dan McLaughlin" <users-bounces at shibboleth.net on behalf of dmclaughlin at tech-consortium.com> wrote:

> If you have the SAML IDP Cookie set to expire every 365 days, and you
> remove the IDP from the list of trusted metadata, what will the SP do
> the next time it gets handed an IDP cookie that it no longer trusts?
> What I would like it to do is hand them off to the Discovery Service
> to select a new IDP, but I have a feeling they are going to get an
> error from the SP instead.

Assuming you mean the IdP history cookie, I really don't recall. It's not generally used much, except in the context of the EDS now, but co-hosted it would amount to the same thing. What it's clearly going to do is at some point "fail" because it won't be able to find metadata for that IdP and couldn't initiate a login. So that's a given.

It either fails at that point, or it triggers a recoverable failure that would cause it to fall through the implicit (or explicit in an older config) SessionInitiator "chain" and that could cause it to re-attempt discovery.

I don't know which it does without looking at the code. Just try it and see, I guess. If it fails, it would be with the unable to locate metadata message.

-- Scott



