IsPassive=true in AuthnRequest to Azure when no session exists
Duncan Brannen
dbb at st-andrews.ac.uk
Wed Sep 1 13:17:46 UTC 2021
Hi All,
Not sure if anyone has come across this or can point me at a workaround.
We've recently upgraded to Shibboleth 4.1.4 and added in CAS support (retired our CAS servers) and set up proxy authentication to AzureAD. We've hit a few issues that were straightforward to resolve, but the headscratcher at the moment is Moodle.
Moodle is configured to use CAS authentication. Taking a clean browser session and attempting to log in to Moodle results in a Silent sign-in error from Azure (quite rightly, there is no session); returning to the Moodle login page and trying again gives a prompt as expected.
The issue seems to be that the first time around the IDP adds IsPassive=True to the Authn request which then fails but the 2nd attempt doesn't add IsPassive=true and succeeds.
Any thoughts / pointers appreciated. Can I set anything to override setting IsPassive on a resource-by-resource basis? It's only the one CAS resource that's going wrong; other AuthnRequests containing IsPassive=True succeed (when the user is already logged in).
Thanks,
Duncan
DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.AddAuthnRequest:238] - Profile Action AddAuthnRequest: Setting IsPassive for SAML AuthnRequest
<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://login.st-andrews.ac.uk/idp/profile/Authn/SAML2/POST/SSO" Destination="https://login.microsoftonline.com/...../saml2" ID="_bdb614add66efeef7f19aaa375ebf322" IsPassive="true" IssueInstant="2021-09-01T10:42:03.320Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.st-andrews.ac.uk/shibboleth</saml2:Issuer>
<saml2p:NameIDPolicy AllowCreate="true"/>
</saml2p:AuthnRequest>
^Above fails while below succeeds
<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://login.st-andrews.ac.uk/idp/profile/Authn/SAML2/POST/SSO" Destination="https://login.microsoftonline.com/...../saml2" ID="_ecf37f9d3e1bc7a662d02b200757a284" IssueInstant="2021-09-01T10:42:30.384Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.st-andrews.ac.uk/shibboleth</saml2:Issuer>
<saml2p:NameIDPolicy AllowCreate="true"/>
</saml2p:AuthnRequest>
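Added example, not from the post or from Shibboleth: a small Python checker for triaging IdP logs that parses AuthnRequests shaped like the two above and reports whether they ask the upstream IdP for silent sign-in, applying the SAML rule that an absent IsPassive means false and that xs:boolean also accepts "1"/"0". The hostnames, request IDs and tenant path in the samples are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed samples shaped like the two requests in the post; IDs, hostnames
# and the tenant path are placeholders, not values from the original log.
PASSIVE_REQUEST = f"""<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="{SAML2P}"
  AssertionConsumerServiceURL="https://idp.example.ac.uk/idp/profile/Authn/SAML2/POST/SSO"
  Destination="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"
  ID="_constructed-id-1" IsPassive="true" IssueInstant="2021-09-01T10:42:03.320Z"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml2:Issuer xmlns:saml2="{SAML2}">https://idp.example.ac.uk/shibboleth</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true"/>
</saml2p:AuthnRequest>"""
# Same request without IsPassive, like the second, successful attempt.
ACTIVE_REQUEST = PASSIVE_REQUEST.replace(' IsPassive="true"', "").replace(
    "_constructed-id-1", "_constructed-id-2")

def xs_boolean(value):
    """Interpret an xs:boolean attribute; absent (None) means false per SAML."""
    if value is None:
        return False
    if value.strip() in ("true", "1"):
        return True
    if value.strip() in ("false", "0"):
        return False
    raise ValueError(f"not an xs:boolean: {value!r}")

def inspect_authn_request(xml_text):
    """Pull the fields an operator needs when triaging proxied AuthnRequests."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML2P}}}AuthnRequest":
        raise ValueError(f"not a SAML 2.0 AuthnRequest: {root.tag}")
    issuer = root.find(f"{{{SAML2}}}Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "destination": root.get("Destination"),
        "is_passive": xs_boolean(root.get("IsPassive")),  # silent sign-in requested
        "force_authn": xs_boolean(root.get("ForceAuthn")),
    }

def flag_passive_requests(xml_texts):
    """IDs of requests asking the upstream IdP for silent sign-in; these are the
    ones that fail when the user has no session at the upstream IdP yet."""
    return [r["id"] for r in map(inspect_authn_request, xml_texts) if r["is_passive"]]
```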