Default pages bug in 3.2.3?

Cantor, Scott cantor.2 at osu.edu
Fri Aug 6 17:25:17 UTC 2021


That's not a bug in the SP, it's a bug in IIS. They are contaminating subrequest state within that Default Document module. That is horrendous. Violates the most important rule there is, not to contaminate one request's state with the state from a previous one. The SP doesn't know that its own state is what's being injected into it, it simply takes what IIS provides and assumes what's there is correct.

The only reason the older SP versions "work" is they had a bug that prevented proper appending of the new state to any existing state. The fact that there shouldn't be any pre-existing state but is, is an IIS bug.

The de-duplication logic that optionally "masks" this doesn't apply to the built-in variables the SP creates, only attribute values.

The best workaround for this variant of the problem, barring some obvious ones I won't mention out of politeness, is to adjust the code to handle multiple values as a defensive step, or alternatively to suppress the built-in variable creation step and use the Assertion attribute extractor [1] to produce explicit variables based on Attributes that come from some of those fields, and then use the option to suppress duplicate values that applies to Attributes.

If you file a bug, I'll work around the issue more comprehensively some time in the future, but this is 100% a Microsoft bug. That Default Document Module is a menace and should not be used in its current state (pun intended).

-- Scott

[1] https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065334444/AssertionAttributeExtractor
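
The first workaround in the message above (handling multiple values defensively in the application), sketched as an added example that is not part of the original message and is not the SP's own code. It assumes the SP's default convention of joining values with ";" and escaping an embedded semicolon as "\;"; the function names are hypothetical and the values in SAMPLE are constructed.

```python
# Added example: collapse a duplicated single-valued SP variable and
# fail closed if the copies disagree.
# Assumption: values are joined with ";" and a literal ";" is escaped as "\;".

class ConflictingValues(ValueError):
    """A variable expected to be single-valued carries distinct values."""


def split_values(raw, delimiter=";"):
    """Split a delimited variable into values, honouring backslash escapes."""
    values, current, escaped = [], [], False
    for ch in raw:
        if escaped:
            # Only the delimiter escape is unwrapped; other backslashes are kept.
            current.append(ch if ch == delimiter else "\\" + ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == delimiter:
            values.append("".join(current))
            current = []
        else:
            current.append(ch)
    if escaped:
        current.append("\\")  # trailing lone backslash is preserved
    values.append("".join(current))
    return [v for v in values if v != ""]


def single_value(raw):
    """Return the one distinct value, None if absent; raise if values disagree."""
    if raw is None:
        return None
    distinct = list(dict.fromkeys(split_values(raw)))  # order-preserving de-dup
    if not distinct:
        return None
    if len(distinct) > 1:
        # Do not pick one: a mixed identity or session value must not be trusted.
        raise ConflictingValues(f"{len(distinct)} distinct values")
    return distinct[0]


# Constructed sample of duplicated built-in variables (not captured data).
SAMPLE = {
    "Shib-Identity-Provider": "https://idp.example.org/idp;https://idp.example.org/idp",
    "Shib-Session-ID": "_abc123;_abc123",
}
```

Exact duplicates collapse to the single value; two different values in a variable that should be single-valued raise instead of silently choosing one.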



