Application Override: no valid session

Hoorn, R. van der (Robbert) R.vanderHoorn at dictu.nl
Wed Aug 24 12:27:46 UTC 2022


I am experimenting with Application Override. To start testing, I have an override that would normally do the same thing as my default application. But after authenticating, I do not get a valid session on the override handler, but I do on the standard handler. What may be wrong here?

In my Apache config, I have these entries:
For my default app:

<Location /secure>
   AuthType shibboleth
   ShibRequestSetting requireSession 1
   ShibRequestSetting applicationId default
   require valid-user
   ShibUseHeaders On
</Location>

For my eherkenning app:
<Location /eherkenning>
   AuthType shibboleth
   ShibRequestSetting requireSession 1
   ShibRequestSetting applicationId eherkenning
   require valid-user
   ShibUseHeaders On
</Location>

<Location /Shibboleth.sso>
  AuthType None
  Require all granted
</Location>

<Location /eherkenning/Shibboleth.sso>
  AuthType None
  Require all granted
</Location>

And in my shibboleth2.xml:
  <ApplicationDefaults entityID="urn:nl-eid-gdi:1.0:DV:00000003273785290000:entities:9221"
                       REMOTE_USER="eppn persistent-id targeted-id"
                       signing="true" encryption="true">

    <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="true" cookieProps="; path=/; secure">
      <Logout>SAML2 Local</Logout>
      <Handler type="MetadataGenerator" Location="/Metadata" validUntil="31536000">
        <md:AttributeConsumingService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" index="1">
          <md:ServiceName xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xml:lang="nl-NL">Robbert test 1</md:ServiceName>
          <ds:RequestedAttribute xmlns:md="urn:oasis:names:tc:SAML:2.0:assertion"
                                 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                 xmlns:ds="urn:oasis:names:tc:SAML:2.0:metadata"
                                 Name="urn:nl-eid-gdi:1.0:ServiceUUID">
            <md:AttributeValue xmlns:md="urn:oasis:names:tc:SAML:2.0:assertion" xsi:type="xsd:string">34a0e906-bcf4-4146-b043-36a3f04831b5</md:AttributeValue>
          </ds:RequestedAttribute>
        </md:AttributeConsumingService>
        <md:AssertionConsumerService Location="/SAML2/POST" index="1"
                                     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
        <md:AssertionConsumerService Location="/SAML2/Artifact" index="2"
                                     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
      </Handler>
      <Handler type="Status"        Location="/Status"/>
      <Handler type="Session"       Location="/Session" showAttributeValues="true"/>
      <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
      <SessionInitiator type="SAML2" Location="/Login" entityID="urn:nl-eid-gdi:1.0:RD:00000004000000149000:entities:9003" acsByIndex="true" acsIndex="3">
        <samlp:AuthnRequest ID="eherkenning" Version="2.0" IssueInstant="2012-01-01T00:00:00Z">
        </samlp:AuthnRequest>
      </SessionInitiator>

      <md:AssertionConsumerService Location="/SAML2/POST" index="1"
                                   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
      <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
                                   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
      <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
                                   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
      <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
                                   Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
    </Sessions>

    <RelyingParty type="SAML2" KeyName="9ea178c2980ff7a9d99e54c504de4ff94e6701a4" Name="urn:nl-eid-gdi:1.0:RD:00000004000000149000:entities:9003" attributeIndex="1" signing="true"/>
    <MetadataProvider type="XML" validate="true" path="/etc/shibboleth/idp-metadata.xml">
      <!-- <MetadataFilter type="Signature" certificate="certs/cacert.pem"/> -->
    </MetadataProvider>
    <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
    <CredentialResolver type="File" key="tstshibtvs.rvo.nl.key" certificate="tstshibtvs.rvo.nl.crt" use="encryption"/>
    <CredentialResolver type="File" key="tstshibtvs.rvo.nl.key" certificate="tstshibtvs.rvo.nl.crt" use="signing"/>

    <ApplicationOverride id="eherkenning" entityID="urn:nl-eid-gdi:1.0:DV:00000003273785290000:entities:9221">
      <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="/eherkenning/Shibboleth.sso"
                relayState="ss:mem" handlerSSL="true" cookieProps="; path=/eherkenning; secure">
        <SessionInitiator type="SAML2" Location="/Login" entityID="urn:nl-eid-gdi:1.0:RD:00000004000000149000:entities:9003" acsByIndex="true" acsIndex="3">
        </SessionInitiator>
      </Sessions>
    </ApplicationOverride>

  </ApplicationDefaults>

Regards,

Robbert
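A consistency check for a setup like the one above, added here as an example and not code from the post or from the Shibboleth project. It parses constructed, trimmed copies of the Apache and shibboleth2.xml excerpts (the constants APACHE_CONF and SHIB_XML and all function names are mine) and verifies two things an override needs before it can own a session: its handlerURL must be served under the override's applicationId (Apache merges nested Location blocks, so a handler path below /eherkenning inherits that block's applicationId), and its cookie path must cover every protected location that selects the override, otherwise the browser never sends the session cookie back.

```python
import re
import xml.etree.ElementTree as ET
# Constructed excerpts, trimmed from the post's Apache and shibboleth2.xml snippets.
APACHE_CONF = """
<Location /eherkenning>
   ShibRequestSetting applicationId eherkenning
</Location>
"""
SHIB_XML = """
<ApplicationDefaults entityID="urn:example:sp">
  <ApplicationOverride id="eherkenning">
    <Sessions handlerURL="/eherkenning/Shibboleth.sso" cookieProps="; path=/eherkenning; secure"/>
  </ApplicationOverride>
</ApplicationDefaults>
"""
LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S)
APPID_RE = re.compile(r"ShibRequestSetting\s+applicationId\s+(\S+)")

def parse_locations(conf):
    """Map each <Location> path to the applicationId it sets (None if it sets none)."""
    locs = {}
    for path, body in LOCATION_RE.findall(conf):
        m = APPID_RE.search(body)
        locs[path] = m.group(1) if m else None
    return locs

def effective_app_id(locs, url):
    """Nested <Location> blocks merge, so the longest enclosing path that sets applicationId wins."""
    app = "default"
    for path in sorted(locs, key=len):
        if url == path or url.startswith(path.rstrip("/") + "/"):
            app = locs[path] or app
    return app

def check_overrides(shib_xml, apache_conf):
    """Flag an override whose handlerURL runs under another applicationId or whose cookie path misses a protected location."""
    locs, findings = parse_locations(apache_conf), []
    for ov in ET.fromstring(shib_xml).iterfind(".//{*}ApplicationOverride"):
        app, sess = ov.get("id"), ov.find("{*}Sessions")
        if sess is None:
            continue  # no Sessions element: handlerURL and cookieProps come from the defaults
        handler = sess.get("handlerURL", "/Shibboleth.sso")
        if (served := effective_app_id(locs, handler)) != app:
            findings.append(f"{app}: handlerURL {handler} runs under applicationId '{served}'")
        m = re.search(r"path=([^;]+)", sess.get("cookieProps", ""))
        cpath = (m.group(1).strip() if m else "/").rstrip("/") + "/"
        for path, app_id in locs.items():
            if app_id == app and not (path + "/").startswith(cpath):
                findings.append(f"{app}: cookie path {cpath} does not cover {path}")
    return findings
```

Run it over your real httpd.conf and shibboleth2.xml; an empty list means both mappings line up and the cause lies elsewhere (for instance in what the override inherits from ApplicationDefaults).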

