Shibboleth SP error redux

Spencer Thomas Spencer.Thomas at
Wed Mar 4 15:06:06 EST 2020

Adding consistentAddress has resolved the issue. The error message was not helpful to me in diagnosing the "root cause". If there was a message in a log saying something like "session rejected because IP changed" that would have pointed immediately to what I needed to address.

Thanks for the pointer, Scott.

Spencer Thomas
Technical Architect / JSTOR and Artstor
ITHAKA <> / 301 E. Liberty St, Suite 250, Ann Arbor, MI 48104
Email: Spencer.Thomas at
Voicemail: 734-887-7004

On 3/4/20, 12:02 PM, "users on behalf of Cantor, Scott" <users-bounces at on behalf of cantor.2 at> wrote:

    > None of the configured SessionInitiators handled the request.
    If there's no entityID statically defined or supplied to /Login via parameter, and no discoveryURL in the configuration, then there's nothing the system can do with a request when a session is mandated. That is the way you get that error.
    > 1. Is this the probable cause of the error?
    It will loop. The resource request will have no valid session and route back to wherever the configured discoveryURL, and if there is no such URL, it will fail with the error you got.
    The only way to bypass the cross check is setting consistentAddress to false.
    But you can't deploy in a way that ever allows that error to occur, because it will occur, eventually. You MUST supply an entityID or a discoveryURL, always. If you don't, you can't use requireSession. They go hand in hand.
    -- Scott
    For Consortium Member technical support, see
    To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list