DetectIdentitySwitch Message

Cantor, Scott cantor.2 at osu.edu
Wed Apr 1 08:31:21 EDT 2020


On 4/1/20, 8:26 AM, "users on behalf of Craig Pluchinsky" <users-bounces at shibboleth.net on behalf of craigp at iup.edu> wrote:

> I just noticed occasionally in our IDP logs the messages below.  I'm assuming the aaaa/AAAA is because of the case of the
> principal.

That would be a deployment bug, you need to fix your subject c14n configuration to account for that.

>  But I've also seen messages where the principal is different, like the second message with bbbb/CCCC.  Is this an issue or
> just the session id being re-used?

Only you can decide whether it's an issue or not, it is what it is. How you choose to handle the switch is controlled by a property. The IdP can protect itself, but it can't do anything for all the applications subject to breach by a shared machine.

-- Scott



