IsPassive=true in AuthnRequest to Azure when no session exists

Duncan Brannen dbb at st-andrews.ac.uk
Wed Sep 1 14:05:47 UTC 2021


For info, it's Moodle, it sends &gateway=true to CAS (Shibboleth), I'll try to strip it out before Shibboleth sees it.

From: Duncan Brannen
Sent: 01 September 2021 14:18
To: users at shibboleth.net
Subject: IsPassive=true in AuthnRequest to Azure when no session exists


Hi All,
                Not sure if anyone has come across this or can point me at a workaround.

We've recently upgraded to Shibboleth 4.1.4 and added in CAS support (retired our CAS servers) and set up proxy authentication to AzureAD.  We've hit a few issues that were straightforward to resolve but the headscratcher at the moment is Moodle.

Moodle is configured to use CAS authentication.  Taking a clean browser session and attempting to log in to Moodle results in a silent sign-in error from Azure (quite rightly, there is no session); returning to the Moodle login page and trying again gives a prompt as expected.

The issue seems to be that the first time around the IdP adds IsPassive=true to the AuthnRequest, which then fails, but the 2nd attempt doesn't add IsPassive=true and succeeds.

Any thoughts / pointers appreciated.  Can I set anything to override setting IsPassive on a resource-by-resource basis?  It's only the one CAS resource that's going wrong; other AuthnRequests containing IsPassive=true succeed (when the user is already logged in).

Thanks,
                Duncan




DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.AddAuthnRequest:238] - Profile Action AddAuthnRequest: Setting IsPassive for SAML AuthnRequest

<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://login.st-andrews.ac.uk/idp/profile/Authn/SAML2/POST/SSO" Destination="https://login.microsoftonline.com/...../saml2" ID="_bdb614add66efeef7f19aaa375ebf322" IsPassive="true" IssueInstant="2021-09-01T10:42:03.320Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.st-andrews.ac.uk/shibboleth</saml2:Issuer>
<saml2p:NameIDPolicy AllowCreate="true"/>
</saml2p:AuthnRequest>

^Above fails while below succeeds

<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://login.st-andrews.ac.uk/idp/profile/Authn/SAML2/POST/SSO" Destination="https://login.microsoftonline.com/...../saml2" ID="_ecf37f9d3e1bc7a662d02b200757a284" IssueInstant="2021-09-01T10:42:30.384Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.st-andrews.ac.uk/shibboleth</saml2:Issuer>
<saml2p:NameIDPolicy AllowCreate="true"/>
</saml2p:AuthnRequest>
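The two requests above differ only in the IsPassive attribute, which the IdP sets when the CAS client asks for gateway=true. As an added illustration (not code from the thread, the IdP, or Moodle), the following Python snippet parses an AuthnRequest the way an operator might when comparing proxied requests in the IdP log, and shows the kind of query-string rewrite the poster describes for dropping the CAS gateway parameter. The sample AuthnRequest is constructed, with example.org hosts and a placeholder Azure tenant; the CAS login path /idp/profile/cas/login and the Moodle service URL are assumptions for the usage example only.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample modelled on the failing request in the thread.
# Hosts are example.org and the Azure tenant segment is a placeholder.
PASSIVE_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://idp.example.org/idp/profile/Authn/SAML2/POST/SSO"
    Destination="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"
    ID="_example1" IsPassive="true" IssueInstant="2021-09-01T10:42:03.320Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.org/shibboleth</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true"/>
</saml2p:AuthnRequest>"""


def describe_authn_request(xml_text):
    """Return the fields that matter when diagnosing a proxied AuthnRequest.

    IsPassive and ForceAuthn default to false per the SAML 2.0 core spec when
    the attribute is absent, which is exactly the difference between the two
    requests in the thread.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}AuthnRequest" % SAML2P:
        raise ValueError("not a saml2p:AuthnRequest: %s" % root.tag)
    issuer = root.find("{%s}Issuer" % SAML2)
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "is_passive": root.get("IsPassive", "false").lower() == "true",
        "force_authn": root.get("ForceAuthn", "false").lower() == "true",
    }


def strip_cas_gateway(login_url):
    """Remove the CAS 'gateway' parameter from a CAS login URL.

    This is the rewrite the poster mentions doing in front of the IdP so the
    CAS login no longer maps to IsPassive=true on the proxied AuthnRequest.
    All other parameters (service, renew, ...) are preserved in order.
    """
    parts = urlsplit(login_url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != "gateway"]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    # Assumed CAS login URL shape; the Moodle service URL is an example value.
    cas_login = ("https://idp.example.org/idp/profile/cas/login"
                 "?service=https%3A%2F%2Fmoodle.example.org%2Flogin%2Findex.php"
                 "&gateway=true")
    print(describe_authn_request(PASSIVE_REQUEST))
    print(strip_cas_gateway(cas_login))
```

Note that dropping gateway changes the CAS contract for that client: gateway mode is how a CAS client asks to be sent back without a ticket when there is no session, so after the rewrite the client will always get an interactive prompt on the first visit, which is the behaviour the poster is after here.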


