
Task 1: Missing or Incorrect Metadata

Create the problem:

Configure your SP so that it does not have the IdP's metadata (or has incorrect metadata).

Steps:

Change the URL on your metadata provider to be incorrect or create a filesystem-based MetadataProvider that does not contain the classroom test IdP's metadata.

Observations:

The SP will complain about 'unable to process assertion' when it receives the SAML assertion from the IdP (after IdP login). An ERROR will be logged in your shibd.log file.

Task 2: Missing attributes, but IdP sent them

Create the problem:

Configure your SP to only process a very limited set of attributes.

Steps:

Comment out various needed attributes in attribute-map.xml.

Observations:

Some attributes will be received, but others will not be. A WARN will be generated for unmapped attributes in your shibd.log file.

Task 3: Browser looping

Create the problem:

Configure your SP to set its session cookie inappropriately.

Steps:

Configure your SP to set a secure cookie in the Sessions element of shibboleth2.xml (handlerSSL="true" cookieProps="; path=/; secure").
-OR-
Configure your SP to set a secure cookie in the Sessions element of shibboleth2.xml, but with an invalid path (handlerSSL="true" cookieProps="; path=/foobar; secure").

Observations:

Your SP will be unable to use the secure session cookie and will send you back to the IdP, which will have already authenticated you and will send you back to the SP, which will not be able to use the secure session cookie, which will send you back to the IdP, and so on, resulting in looping behavior. No ERROR messages will be logged.
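Because Task 3 leaves nothing in shibd.log, a quick static check of the Sessions element is the easiest way to spot it. The script below is an added example, not part of the Shibboleth SP or of this page: it reads the cookieProps attribute from a shibboleth2.xml and reports the two conditions that cause the loop (a secure cookie on an application reached over plain http, and a cookie path that does not cover the application path). The sample configuration is constructed for the example; the namespace URIs and the "http"/"https" cookieProps shorthands are the real Shibboleth SP ones.

```python
import xml.etree.ElementTree as ET

# Shibboleth SP 2.x and 3.x configuration namespaces.
NAMESPACES = ("urn:mace:shibboleth:2.0:native:sp:config",
              "urn:mace:shibboleth:3.0:native:sp:config")

# Constructed sample reproducing the second variant of Task 3.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" handlerSSL="true"
              cookieProps="; path=/foobar; secure"/>
  </ApplicationDefaults>
</SPConfig>"""


def parse_cookie_props(value):
    """Return (path, secure) for a cookieProps value. 'http' and 'https'
    are the documented shorthands; anything else is a raw Set-Cookie suffix."""
    if value == "https":
        return "/", True
    if value == "http":
        return "/", False
    path, secure = "/", False
    for part in value.split(";"):
        part = part.strip()
        if part.lower().startswith("path="):
            path = part[5:].strip()
        elif part.lower() == "secure":
            secure = True
    return path, secure


def check_session_cookie(config_xml, app_scheme, app_path="/"):
    """List the loop-causing problems; an empty list means the browser
    will return the session cookie. app_scheme is how the browser reaches
    the protected application ('http' or 'https')."""
    root = ET.fromstring(config_xml)
    sessions = None
    for ns in NAMESPACES:
        sessions = root.find(".//{%s}Sessions" % ns)
        if sessions is not None:
            break
    if sessions is None:
        return ["no Sessions element found"]
    path, secure = parse_cookie_props(sessions.get("cookieProps", "http"))
    problems = []
    if secure and app_scheme != "https":
        problems.append("secure cookie but application served over http")
    if app_path != path and not app_path.startswith(path.rstrip("/") + "/"):
        problems.append("cookie path %s does not cover %s" % (path, app_path))
    return problems
```

Run check_session_cookie on your own shibboleth2.xml with the scheme and path users actually hit; either finding means the SP will never see its own cookie and the IdP round trip repeats.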
