Issue in Authentication of user with Shibboleth Cookie
I am facing an issue.
I made an Authentication request to the Shibboleth ECP End point with the username and password on the HTTP request header and issuer id on the SOAP request and received the SOAP response on the HTTP response body and the Shibboleth Cookie on the response header.
I made another Authentication request to the Shibboleth ECP End point with the Shibboleth Cookie on the request header and issuer id (same as above) on the SOAP request, but I am getting the SOAP response with the error Authentication failed.
As per the idp-process.log I am getting the following error:
"Client address is <<ip address>> but session <<cookie>> already bound to <<ip address (different from the ip address which is mentioned as the client address)>>"
This error started occurring from today, and till yesterday I was able to authenticate the user with username and password and was able to re-authenticate the user with the Shibboleth cookie.
Re: Issue in Authentication of user with Shibboleth Cookie
> "Client address is <<ip address>> but session <<cookie>> already
> bound to <<ip address (different from the ip address which is mentioned
> as the client address)>>"
This issue has nothing to do with the ECP profile. It is the same issue
regardless if you are using an ECP client or a normal web browser and
the standard Web SSO Profile.
The Shibboleth SP session by default is bound to the IP address for the
client. If that IP address changes then the SP session is invalidated.
Further, by default the Shibboleth SP session is bound to the client IP
address that the IdP saw when it authenticated the user. So if the
client IP address that the IdP and SP see are different the SP will not
by default create a session.
Both behaviors are configurable but have security implications. Please
be sure to study and understand the security implications before
changing the default behavior.
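
A triage sketch for the idp-process.log message quoted in this thread, added here as an example and not part of either post or of Shibboleth's own code: it groups address-mismatch warnings by session and separates address changes inside a known egress pool from changes that need review before anyone relaxes the address check. The log prefix, the sample lines and the `KNOWN_EGRESS` network are constructed assumptions; only the message text comes from the thread.

```python
import re
from ipaddress import ip_address, ip_network

# Message text as quoted in the thread; the timestamp/level prefix depends on
# the logging configuration and is deliberately not matched.
MISMATCH = re.compile(
    r"Client address is (?P<client>[0-9A-Fa-f:.]+) but session (?P<sid>\S+) "
    r"already bound to (?P<bound>[0-9A-Fa-f:.]+)"
)

# Assumption: the NAT/proxy egress ranges your clients legitimately rotate through.
KNOWN_EGRESS = [ip_network("198.51.100.0/24")]

# Constructed sample lines (documentation address ranges, made-up session ids).
SAMPLE = [
    "10:00:01 WARN - Client address is 198.51.100.7 but session abc123 already bound to 198.51.100.9",
    "10:00:05 WARN - Client address is 203.0.113.50 but session def456 already bound to 198.51.100.9",
    "10:00:06 INFO - unrelated message",
    "10:00:09 WARN - Client address is 198.51.100.8 but session def456 already bound to 198.51.100.9",
]


def triage(lines, pools=KNOWN_EGRESS):
    """Return {session_id: 'same-pool' | 'review'} for mismatch warnings."""
    verdicts = {}
    for line in lines:
        m = MISMATCH.search(line)
        if not m:
            continue
        try:
            client = ip_address(m["client"].rstrip("."))
            bound = ip_address(m["bound"].rstrip("."))
        except ValueError:
            continue  # placeholder or malformed address: nothing to compare
        in_pool = any(client in net and bound in net for net in pools)
        # Once a session has an out-of-pool hit it stays flagged for review.
        if verdicts.get(m["sid"]) != "review":
            verdicts[m["sid"]] = "same-pool" if in_pool else "review"
    return verdicts


if __name__ == "__main__":
    for sid, verdict in triage(SAMPLE).items():
        print(sid, verdict)
```

Sessions that only ever move between addresses in the same pool point to NAT or proxy rotation; a session whose cookie shows up from an unrelated address is the case the default binding exists to stop.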