Thanks to all at Dawsonera for responding so quickly. 

Thorpe, Caroline M wrote:
> The problems with Dawsonera have now been fixed.
> Dawsonera sent us this information today
>
> "Please find below the explanation of the cause and solution from our developers:
>  
> After the live release of the Shibboleth SP, reports were received from a 
> few universities that they were not able to log in and were directed 
> back to the WAYF screen after entering their credentials. After 
> obtaining credentials, in order to try and reproduce the problem, we 
> were able to log in successfully. An examination of the server log files 
> during a failed login showed only that the session was created and then 
> immediately removed.
>  
> Having analysed the traffic from the universities affected we determined 
> that the secure (HTTPS) traffic and the unsecured traffic (HTTP) were 
> arriving from two different IP addresses. We were able to reproduce this 
> as a test by routing our unsecured traffic via a VPN to one of our data 
> centres leaving the secure traffic coming from our office in Brighton. 
> Shibboleth is by default (and in all the UK Federation examples) 
> configured to remove sessions if the source traffic changes IP address. 
> This is to prevent a user's session being stolen and used by somebody 
> else. Altering the Shibboleth configuration to disable this security 
> feature is enough to solve this problem and was performed this morning.
>  
> However, having the data coming from two Internet addresses caused a 
> second problem with the load balancers which keep the secure and 
> unsecured traffic from a single user together by using the source 
> Internet address. With the traffic arriving from different addresses 
> there was a good chance that the user would login using one of the 
> Dawson servers and then try to access content on the other. When this 
> happens the user will not be logged into the second server and so will 
> be directed back to the WAYF in order to log in.
>  
> Making changes to the load balancer has an impact on all users so a 
> series of careful tests was carried out with different configurations 
> before any changes were made to live users. A change has now been made 
> that will have the load balancers set a session cookie on the user's 
> browser when they first visit the site which will then be used on both 
> the secure and unsecured connections to always direct that user to the 
> same Dawson server.
>  
> Apologies for any inconvenience caused."
>
>
> Caroline Thorpe
> Senior Information Adviser
> Information Services Systems Team
> Student and Learning Services
> Sheffield Hallam University, 
> Howard Street Sheffield S1 1WB
> 0114 225 4478
>
> -----Original Message-----
> From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Jon Warbrick
> Sent: 13 December 2009 21:44
> To: [log in to unmask]
> Subject: Re: dawsonera issues
>
> On Fri, 11 Dec 2009, Bruce Rodger wrote:
>
>   
>> And if I change Netscape to be "use proxy for all protocols", it all works 
>> fine!
>>
>> So what now? modify proxy.conf to push all dawsonera traffic via proxy?
>>     
>
> Changing your local proxy.conf could be a useful work-around for your 
> local users, but you can't fix things for people connecting from 
> networks that you don't control, and ubiquitous access is one of the 
> points of Shib. I would say this was a bug that needs to be reported to 
> the SP, and that both those affected and JISC (Nicole, you listening?) 
> need to try to get them to take it seriously.
>
> Jon.
>
>
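
The two failure modes described in the quoted explanation (a session bound to the client address, and load-balancer affinity keyed on the source address) can be reproduced in a small model. This is an added example, not code from the thread, from Dawsonera or from Shibboleth; the class and function names, the two-server layout and the addresses are constructed assumptions.

```python
from dataclasses import dataclass, field

DIRECT = "192.0.2.10"    # constructed: address the HTTPS traffic arrives from
PROXY = "198.51.100.8"   # constructed: address the proxied HTTP traffic arrives from

@dataclass
class Server:
    bind_to_ip: bool                       # drop a session if the client address changes
    sessions: dict = field(default_factory=dict)   # session id -> address seen at login

    def login(self, sid, ip):
        self.sessions[sid] = ip

    def fetch(self, sid, ip):
        if sid not in self.sessions:
            return "WAYF"                  # login happened on the other server
        if self.bind_to_ip and self.sessions[sid] != ip:
            del self.sessions[sid]         # created, then immediately removed
            return "WAYF"
        return "content"

def by_source_ip(ip, n):
    """Source-address affinity: the same address always maps to the same server."""
    return sum(int(octet) for octet in ip.split(".")) % n

def route(servers, ip, cookies, sticky_cookie):
    if sticky_cookie:
        # Persistence cookie set on the first visit, sent on HTTP and HTTPS alike.
        idx = cookies.setdefault("lb", by_source_ip(ip, len(servers)))
    else:
        idx = by_source_ip(ip, len(servers))
    return servers[idx]

def visit(bind_to_ip, sticky_cookie, https_ip=DIRECT, http_ip=PROXY):
    """Log in over HTTPS, then request content over HTTP; return what the user sees."""
    servers = [Server(bind_to_ip), Server(bind_to_ip)]
    cookies = {}
    route(servers, https_ip, cookies, sticky_cookie).login("sid-1", https_ip)
    return route(servers, http_ip, cookies, sticky_cookie).fetch("sid-1", http_ip)

if __name__ == "__main__":
    for bind in (True, False):
        for sticky in (False, True):
            print(f"bind_to_ip={bind!s:5} sticky_cookie={sticky!s:5} ->", visit(bind, sticky))
```

Only the combination with address binding off and the persistence cookie on returns content for a split-address client, which matches the two changes the explanation reports.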