Issue in Authentication of user with Shibboleth Cookie


Issue in Authentication of user with Shibboleth Cookie

ashokvijayakumar
Hi Team, 

I am facing an issue.

I made an authentication request to the Shibboleth ECP endpoint with the username and password in the HTTP request header and the issuer ID in the SOAP request, and received the SOAP response in the HTTP response body and the Shibboleth cookie in the response header.

I made another authentication request to the Shibboleth ECP endpoint with the Shibboleth cookie in the request header and the issuer ID (same as above) in the SOAP request, but I am getting a SOAP response with the error "Authentication failed".

As per the idp-process.log, I am getting the following error:

"Client address is <<ip address>> but session <<cookie>> already bound to <<ipaddress(different from the ip address which is mentioned client address is >>"

This error started occurring today; until yesterday I was able to authenticate the user with username and password and was able to re-authenticate the user with the Shibboleth cookie.

Any solutions to this will be of great help.


Thanks,
Ashok Vijayakumar.

--
To unsubscribe from this list send an email to [hidden email]

Re: Issue in Authentication of user with Shibboleth Cookie

Scott Koranda-2
> "Client address is <<ip address>> but session <<cookie>> already
> bound to <<ipaddress(different from the ip address which is mentioned
> client address is >>"

This issue has nothing to do with the ECP profile. It is the same issue
regardless if you are using an ECP client or a normal web browser and
the standard Web SSO Profile.

The Shibboleth SP session by default is bound to the IP address for the
client. If that IP address changes then the SP session is invalidated.

Further by default the Shibboleth SP session is bound to the client IP
address that the IdP saw when it authenticated the user. So if the
client IP address that the IdP and SP see are different the SP will not
by default create a session.

Both behaviors are configurable but have security implications. Please
be sure to study and understand the security implications before
changing the default behavior.

The configuration options are

checkAddress

and

consistentAddress

on this wiki page:

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions

Scott K
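
Added example, not part of either post or of Shibboleth itself: before changing `checkAddress` or `consistentAddress`, it helps to see how the logged address mismatches are distributed per session. The sketch below matches the message text quoted in the thread; the timestamp/level prefix, session ids, addresses and the /24 grouping are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re

# Message text as quoted in the thread; any timestamp/level prefix is ignored.
BINDING_ERROR = re.compile(
    r"Client address is (?P<client>\S+) but session (?P<session>\S+) "
    r"already bound to (?P<bound>\S+)"
)

# Constructed sample lines (documentation-range addresses, made-up session ids).
SAMPLE_LOG = """\
2015-03-02 10:01:07 - WARN - Client address is 198.51.100.24 but session sess-aaa already bound to 198.51.100.17
2015-03-02 10:01:09 - INFO - unrelated line
2015-03-02 10:02:41 - WARN - Client address is 198.51.100.31 but session sess-aaa already bound to 198.51.100.17
2015-03-02 10:05:12 - WARN - Client address is 203.0.113.80 but session sess-bbb already bound to 192.0.2.5
"""

def summarize_mismatches(log_text, prefix_len=24):
    """Group address-binding failures by session and classify each session.

    'same-network': every client address seen shares the bound address's
    /prefix_len network (typical of NAT or proxy pools).
    'different-network': at least one client address does not.
    """
    sessions = {}
    for line in log_text.splitlines():
        m = BINDING_ERROR.search(line)
        if not m:
            continue
        try:
            client = ipaddress.ip_address(m["client"])
            bound = ipaddress.ip_address(m["bound"])
        except ValueError:
            continue  # redacted or malformed address, skip the line
        # Keep the first bound address seen for the session, collect clients.
        sessions.setdefault(m["session"], (bound, set()))[1].add(client)
    report = {}
    for session, (bound, clients) in sessions.items():
        net = ipaddress.ip_network(f"{bound}/{prefix_len}", strict=False)
        same = all(c in net for c in clients)
        report[session] = {
            "bound": str(bound),
            "clients": sorted(str(c) for c in clients),
            "verdict": "same-network" if same else "different-network",
        }
    return report

if __name__ == "__main__":
    for session, info in summarize_mismatches(SAMPLE_LOG).items():
        print(session, info)
```

Sessions flagged `different-network` are the ones to look at before relaxing address binding, since the check exists to stop a cookie being replayed from another host.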