Question

I have a Rails app that I've Shibbolized using Shibboleth SP (latest version - 2.4.2). I'm using it with Apache 2.2. My IdP is an MS AD FS 2.0 server.

Everything seems to work well - users hit the site, are redirected to AD FS, get authenticated and then come back and are logged into the site.

The problem is that once you've done that, it's almost impossible to log in as a different user in a timely fashion. You can clear all your cookies (I'm trying this with Safari and Chrome on Mac) and restart the browser, but if I'm first authenticated as Alice and then try to log in as Carol I'll still get logged into the application as Alice.

The SAML response received by shibd after clearing cookies has the correct identity in it:

<AttributeStatement>
  <Attribute Name="http://schemas.xmlsoap.org/claims/CommonName">
    <AttributeValue>Carol</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>carol@dev.REDACTED.com</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
    <AttributeValue>carol@dev.REDACTED.com</AttributeValue>
  </Attribute>
</AttributeStatement>

But when Shibboleth SP passes environment variables to my app, it instead sends the wrong credentials:

[DEBUG 05/19 16:30:09]   ENV:  Shib-Session-ID => _615014991ed1b7dcc43f647ceb1f4944
[DEBUG 05/19 16:30:09]   ENV:  Shib-Identity-Provider => http://REDACTED/adfs/services/trust
[DEBUG 05/19 16:30:09]   ENV:  Shib-Authentication-Instant => 2011-05-19T21:17:23.861Z
[DEBUG 05/19 16:30:09]   ENV:  Shib-Authentication-Method => urn:federation:authentication:windows
[DEBUG 05/19 16:30:09]   ENV:  Shib-AuthnContext-Class => urn:federation:authentication:windows
[DEBUG 05/19 16:30:09]   ENV:  Shib-Session-Index => _cadfb4e6-ffb2-45f9-aab5-6bce8c3bc17a
[DEBUG 05/19 16:30:09]   ENV:  cn => alice
[DEBUG 05/19 16:30:09]   ENV:  email => alice@dev.REDACTED.com
[DEBUG 05/19 16:30:09]   ENV:  principal => alice@dev.READACTED.com

Despite having nuked all cookies, the Shib-Session-ID will be the same. Somehow it seems to be associating the two interactions and re-establishing the existing session rather than making a new session with the account info from the SAML response.

I've set all the cache timeout values I can find to 60 seconds, but waiting 2-3 minutes with browser closed isn't enough to get it to make a new session.

<StorageService type="Memory" id="mem" cleanupInterval="60"/>
<SessionCache type="StorageService" StorageService="mem" cacheTimeout="60" 
   inprocTimeout="60" cleanupInterval="60" />

...

<Sessions lifetime="60" timeout="60" checkAddress="false" relayState="ss:mem"
    handlerSSL="false">

Restarting Apache and shibd works, as does closing the browser and letting it sit for a long time (10-15 minutes?). I don't have a solid read on exactly how long it takes.

What am I missing? What other avenues should I pursue?


Solution

The key is that our app is a Rails app, deployed using Passenger. It looks like Passenger wasn't updating environment variables after the first call, so you could end up with old data.

Switching to passing user information via headers (ShibUseHeaders on) solved the problem.
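
As an added example (not part of the original answer, and not Shibboleth or Passenger code): a Rack middleware that reads the identity from the request headers on every request and resets application session state when the Shibboleth session or principal changes, so one user's state is never served to the next. The class name `ShibIdentityGuard`, the `shib.identity` env key and the sample values are hypothetical; the header keys assume the attribute ids `cn`, `email` and `principal` shown in the question's log.

```ruby
# Added example: guard against stale identity when attributes arrive as headers
# (ShibUseHeaders on). Rack exposes a request header such as "Shib-Session-ID"
# as env["HTTP_SHIB_SESSION_ID"], and "cn" as env["HTTP_CN"].
class ShibIdentityGuard
  SESSION_HEADER = 'HTTP_SHIB_SESSION_ID'
  # Assumed attribute ids, taken from the log in the question.
  ATTRIBUTES = { cn: 'HTTP_CN', email: 'HTTP_EMAIL', principal: 'HTTP_PRINCIPAL' }.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    session = env['rack.session'] ||= {}
    shib_id = env[SESSION_HEADER].to_s

    if shib_id.empty?
      # No SP session on this request: never fall back to a cached identity.
      session.clear
      return [401, { 'content-type' => 'text/plain' }, ["No Shibboleth session\n"]]
    end

    # Read the identity fresh from this request, not from process-level state.
    identity = ATTRIBUTES.transform_values { |key| env[key].to_s }

    # A different SP session or principal means a different login:
    # drop everything the application stored for the previous user.
    if session['shib_session_id'] != shib_id || session['principal'] != identity[:principal]
      session.clear
      session['shib_session_id'] = shib_id
      session['principal'] = identity[:principal]
    end

    env['shib.identity'] = identity
    @app.call(env)
  end
end
```

Header-based identity is only trustworthy when the application is reachable solely through the Apache/mod_shib front end; on any other path these headers are client-controlled.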

Licensed under: CC-BY-SA with attribution