Shibboleth SP error redux
Spencer Thomas
Spencer.Thomas at ithaka.org
Wed Mar 4 11:37:11 EST 2020
Upgrading to the SP version 3.0.4 did not eliminate our error condition (previously reported as unrecognized entity ID from idp.testshib.org). We are now seeing the error
None of the configured SessionInitiators handled the request.
The sequence and metadata for the error requests and the non-error requests are very similar (I dare say identical) with one possible exception.
In our case, the browser posts to /Shibboleth.sso/SAML2/POST, and is then redirected to a URL protected by mod_shib with the settings
AuthType shibboleth
ShibRequestSetting requireSession 1
require shib-session
I have looked at one pair of examples in detail. Both originate at the same entityID and IDP, one succeeds and one errors. The difference that I see is that in the success case, both the POST and the redirected request are from the same IP address. In the error case, the IP addresses differ.
Why do the IP addresses differ? Because the request comes through a load balanced gateway that has multiple instances.
So the questions:
1. Is this the probable cause of the error?
2. If so, how do I configure mod_shib or shibd to allow the return request to be from a different IP? Can I limit the request addresses to our VPC address space but allow any IP within that address space?
I have perused the Shibboleth wiki and haven’t found answers there (yet).
Thanks for any help you can provide.
--
Spencer Thomas
Technical Architect / JSTOR and Artstor
ITHAKA <https://www.ithaka.org/> / 301 E. Liberty St, Suite 250, Ann Arbor, MI 48104
Email: Spencer.Thomas at ithaka.org
Voicemail: 734-887-7004
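Added example, not code from the post or from the Shibboleth project: a small Python script that automates the comparison described in the message above, pairing each SAML POST with the redirected request to the protected path and flagging pairs whose client addresses differ, plus a check of whether both addresses still lie inside a trusted range such as the VPC. The log lines, the protected path prefix and the trailing quoted correlation tag are constructed assumptions (a real deployment would log the SP session cookie or a similar per-client value to pair the two requests).

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed access-log lines (not real data). The trailing quoted field is a
# hypothetical per-browser correlation tag used to pair the two requests.
SAMPLE_LOG = """\
10.0.1.15 - - [04/Mar/2020:11:20:01 -0500] "POST /Shibboleth.sso/SAML2/POST HTTP/1.1" 302 0 "tagA"
10.0.1.15 - - [04/Mar/2020:11:20:02 -0500] "GET /secure/app HTTP/1.1" 200 512 "tagA"
10.0.1.15 - - [04/Mar/2020:11:21:07 -0500] "POST /Shibboleth.sso/SAML2/POST HTTP/1.1" 302 0 "tagB"
10.0.2.44 - - [04/Mar/2020:11:21:08 -0500] "GET /secure/app HTTP/1.1" 500 0 "tagB"
203.0.113.9 - - [04/Mar/2020:11:22:30 -0500] "POST /Shibboleth.sso/SAML2/POST HTTP/1.1" 302 0 "tagC"
10.0.3.7 - - [04/Mar/2020:11:22:31 -0500] "GET /secure/app HTTP/1.1" 500 0 "tagC"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \d+ "([^"]*)"$')
POST_PATH = "/Shibboleth.sso/SAML2/POST"
PROTECTED_PREFIX = "/secure/"  # assumed location of the mod_shib-protected URL


def pair_requests(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (tag, post_ip, followup_ip) for each SAML POST that is followed by a
    request to the protected area carrying the same correlation tag."""
    pending: Dict[str, str] = {}
    pairs: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, method, path, tag = m.groups()
        if method == "POST" and path == POST_PATH:
            pending[tag] = ip
        elif path.startswith(PROTECTED_PREFIX) and tag in pending:
            pairs.append((tag, pending.pop(tag), ip))
    return pairs


def flag_mismatches(pairs: List[Tuple[str, str, str]], allowed_cidr: str) -> List[dict]:
    """Flag pairs whose two requests came from different addresses, and record
    whether both addresses still fall inside the trusted range (e.g. the VPC)."""
    net = ipaddress.ip_network(allowed_cidr)
    out = []
    for tag, a, b in pairs:
        if a != b:
            inside = ipaddress.ip_address(a) in net and ipaddress.ip_address(b) in net
            out.append({"tag": tag, "post_ip": a, "followup_ip": b, "both_in_range": inside})
    return out


if __name__ == "__main__":
    for hit in flag_mismatches(pair_requests(SAMPLE_LOG), "10.0.0.0/16"):
        print(hit)
```

Running it on the constructed sample reports two mismatched pairs: one where both addresses sit inside 10.0.0.0/16 (the load-balancer pattern described above) and one where the follow-up comes from outside the range.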