Thanks to all at Dawsonera for responding so quickly. 

Thorpe, Caroline M wrote:
The problems with Dawsonera have now been fixed.
Dawsonera sent us this information today

"Please find below the explanation of the cause and solution from our developers:
 
After the live release of the Shibboleth SP, reports were received from a 
few universities that they were not able to log in and were directed 
back to the WAYF screen after entering their credentials. After 
obtaining credentials, in order to try and reproduce the problem, we 
were able to log in successfully. An examination of the server log files 
during a failed login showed only that the session was created and then 
immediately removed.
 
Having analysed the traffic from the universities affected we determined 
that the secure (HTTPS) traffic and the unsecured traffic (HTTP) was 
arriving from two different IP addresses. We were able to reproduce this 
as a test by routing our unsecured traffic via a VPN to one of our data 
centres leaving the secure traffic coming from our office in Brighton. 
Shibboleth is by default (and in all the UK Federation examples) 
configured to remove sessions if the source traffic changes IP address. 
This is to prevent a user's session being stolen and used by somebody 
else. Altering the Shibboleth configuration to disable this security 
feature is enough to solve this problem and was performed this morning.
 
However having the data coming from two Internet addresses caused a 
second problem with the load balancers which keep the secure and 
unsecured traffic from a single user together by using the source 
Internet address. With the traffic arriving from different addresses 
there was a good chance that the user would login using one of the 
Dawson servers and then try to access content on the other. When this 
happens the user will not be logged into the second server and so will 
be directed back to the WAYF in order to log in.
 
Making changes to the load balancer has an impact on all users so a 
series of careful tests was carried out with different configurations 
before any changes were made to live users. A change has now been made 
that will have the load balancers set a session cookie on the user's 
browser when they first visit the site which will then be used on both 
the secure and unsecured connections to always direct that user to the 
same Dawson server.
 
Apologies for any inconvenience caused."


Caroline Thorpe
Senior Information Adviser
Information Services Systems Team
Student and Learning Services
Sheffield Hallam University, 
Howard Street Sheffield S1 1WB
0114 225 4478
[log in to unmask]
[log in to unmask]






-----Original Message-----
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Jon Warbrick
Sent: 13 December 2009 21:44
To: [log in to unmask]
Subject: Re: dawsonera issues

On Fri, 11 Dec 2009, Bruce Rodger wrote:

  
And if I change Netscape to be "use proxy for all protocols", it all works 
fine!

So what now? Modify proxy.conf to push all dawsonera traffic via proxy?
    

Changing your local proxy.conf could be a useful work-around for your 
local users, but you can't fix things for people connecting from 
networks that you don't control, and ubiquitous access is one of the 
points of Shib. I would say this was a bug that needs to be reported to 
the SP, and that both those affected and JISC (Nicole, you listening?) 
need to try to get them to take it seriously.

Jon.
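
The two failure modes in the Dawsonera explanation (a session bound to the login address, and a load balancer that keeps a user on one server by source address) can be modelled in a few lines. This is an added example, not part of the original thread and not Dawsonera's or Shibboleth's code; the server names, the last-octet routing rule, the `lb` cookie name and the documentation-range addresses are assumptions made for illustration.

```python
# Constructed model; server names, routing rule and cookie name are assumptions.
BACKENDS = ["dawson-a", "dawson-b"]

def by_source_ip(ip):
    """Source-address affinity: pick a backend from the client address."""
    return BACKENDS[int(ip.rsplit(".", 1)[1]) % len(BACKENDS)]

def route(ip, cookies, cookie_affinity):
    """Balancer decision; with cookie affinity the first choice is pinned."""
    if cookie_affinity:
        return cookies.setdefault("lb", by_source_ip(ip))
    return by_source_ip(ip)

class ServiceProvider:
    def __init__(self, check_address):
        self.check_address = check_address
        self.sessions = {}  # session id -> client address seen at login

    def login(self, sid, ip):
        self.sessions[sid] = ip

    def request(self, sid, ip):
        bound = self.sessions.get(sid)
        if bound is None:
            return "WAYF"  # this server never saw the login
        if self.check_address and bound != ip:
            del self.sessions[sid]  # address changed: session removed
            return "WAYF"
        return "OK"

def simulate(check_address, cookie_affinity, https_ip, http_ip):
    """Log in over HTTPS from one address, then fetch content over HTTP."""
    servers = {name: ServiceProvider(check_address) for name in BACKENDS}
    cookies = {}  # the browser's cookie jar, shared by both connections
    servers[route(https_ip, cookies, cookie_affinity)].login("sid-1", https_ip)
    return servers[route(http_ip, cookies, cookie_affinity)].request("sid-1", http_ip)

if __name__ == "__main__":
    direct, proxy_same, proxy_other = "192.0.2.10", "198.51.100.8", "198.51.100.7"
    for check, cookie, http_ip in [(True, False, direct), (True, False, proxy_same),
                                   (False, False, proxy_same), (False, False, proxy_other),
                                   (False, True, proxy_other), (True, True, proxy_other)]:
        print(check, cookie, http_ip, simulate(check, cookie, direct, http_ip))
```

The last case shows that cookie affinity alone does not help a split-path client while the address check is still enabled: the request reaches the right server and the session is removed there.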