Shibboleth IdP 2.X Single TransientID Mapped to Multiple Principals
====================================================================

All current versions of the Shibboleth 2 IdP are vulnerable to a bug where,
under certain situations, more than one user may be given the same transient 
ID. This in turn may lead to attribute queries for each user mapped to the 
same ID returning the attributes for user most recently mapped.

Affected Systems
===========
All current versions of the Shibboleth 2 IdP that have disabled session IP 
address checking (which is on by default) and have users whose traffic goes 
through a proxy that changes their IP address after authentication but 
before the SAML response is sent back to the SP.

Deployments using the default value for the ensureConsistentClientAddress
setting in the IdPSessionFilter declared in the IdP's web.xml are *not* 
affected.

Addressing the Issue
===========
Re-enable Session IP address checking.  This may cause intermittent issues with
some users (if their IP address changes at the moment described above) but is 
the only way to address the issue for current systems.

Shibboleth IdP 2.2.1 contains a fix for this issue that does not require 
re-enabling Session IP address checking.

Credits
===========
Robert Egglestone, Univ. of Auckland