Shibboleth v3 - Session HA Questions

Cantor, Scott cantor.2 at
Wed Jul 1 18:52:06 UTC 2020

On 7/1/20, 2:45 PM, "users on behalf of prasanna cg" <users-bounces at on behalf of prasannacgin at> wrote:

> Thanks Scott. I confirm that they are NOT sharing the encryption keys and do not use any delegated source for
> authentication as well. Pretty much a vanilla install. I am in fact able to reproduce the behavior not just through the LB
> but also by spoofing the IP directly from localhosts file. Is there a possibility that using a common ’store password’ for
> the DataSealer  across all IDPs could be the reason ?

The password is irelevant, they're simply to unlock keystores. Your description is simply impossible. Whatever you think "sharing keys" means is misunderstood or you're not in fact using different servers. The IdP doesn't magically know who you are. Even if it had a bug and wasn't prompting when it should, how would it possibly know who you were to be able to issue an assertion with the right identity in it? It's self evident that this is impossible.

-- Scott

More information about the users mailing list