Shibboleth IdP 2.X Single TransientID Mapped to Multiple Principals
===================================================================

All current versions of the Shibboleth 2 IdP are vulnerable to a bug where, under certain situations, more than one user may be given the same transient ID. This in turn may lead to attribute queries for each user mapped to the same ID returning the attributes of the user most recently mapped to it.

Affected Systems
================

All current versions of the Shibboleth 2 IdP that have disabled session IP address checking (which is on by default) and have users whose traffic goes through a proxy that changes their IP address after authentication but before the SAML response is sent back to the SP. Deployments using the default value for the ensureConsistentClientAddress setting in the IdPSessionFilter declared in the IdP's web.xml are *not* affected.

Addressing the Issue
====================

Re-enable session IP address checking. This may cause intermittent issues for some users (if their IP address changes at the moment described above), but it is the only way to address the issue on current systems. Shibboleth IdP 2.2.1 contains a fix for this issue that does not require re-enabling session IP address checking.

Credits
=======

Robert Egglestone, Univ. of Auckland
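As an added illustration of the mitigation in "Addressing the Issue" (example configuration written for this page, not taken from the advisory or the Shibboleth project), the fragment below shows the IdPSessionFilter declaration in the IdP's web.xml with the ensureConsistentClientAddress init-param set back to the default of true. The filter-class value is assumed from the IdP 2.x package layout; verify it against the web.xml shipped with your own IdP version. The commented-out block shows the weakened setting that puts a deployment in the affected category.

```xml
<!-- Added example, not from the advisory: IdPSessionFilter in the IdP 2.x web.xml.
     Leaving ensureConsistentClientAddress at its default (true) keeps session
     IP address checking enabled, which is the mitigation for this advisory. -->
<filter>
    <filter-name>IdPSessionFilter</filter-name>
    <!-- filter-class is assumed from the 2.x package layout; confirm against your own web.xml -->
    <filter-class>edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter</filter-class>
    <init-param>
        <param-name>ensureConsistentClientAddress</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<!-- Affected configuration (do not use on IdP versions before 2.2.1):
<filter>
    <filter-name>IdPSessionFilter</filter-name>
    <filter-class>edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter</filter-class>
    <init-param>
        <param-name>ensureConsistentClientAddress</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>
-->
```

Simply removing the init-param also restores the default, since the advisory states that checking is on by default; the explicit true value is used here so the intent is visible to the next person auditing the file.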