The problems with Dawsonera have now been fixed. Dawsonera sent us this information today:

"Please find below the explanation of the cause and solution from our developers:

After the live release of the Shibboleth SP, reports were received from a few universities that they were not able to log in and were directed back to the WAYF screen after entering their credentials. After obtaining credentials, in order to try and reproduce the problem, we were able to log in successfully. An examination of the server log files during a failed login showed only that the session was created and then immediately removed.

Having analysed the traffic from the universities affected we determined that the secure (HTTPS) traffic and the unsecured traffic (HTTP) was arriving from two different IP addresses. We were able to reproduce this as a test by routing our unsecured traffic via a VPN to one of our data centres, leaving the secure traffic coming from our office in Brighton.

Shibboleth is by default (and in all the UK Federation examples) configured to remove sessions if the source traffic changes IP address. This is to prevent a user's session being stolen and used by somebody else. Altering the Shibboleth configuration to disable this security feature is enough to solve this problem and was performed this morning.

However, having the data coming from two Internet addresses caused a second problem with the load balancers, which keep the secure and unsecured traffic from a single user together by using the source Internet address. With the traffic arriving from different addresses there was a good chance that the user would log in using one of the Dawson servers and then try to access content on the other. When this happens the user will not be logged into the second server and so will be directed back to the WAYF in order to log in.
Making changes to the load balancer has an impact on all users, so a series of careful tests was carried out with different configurations before any changes were made to live users. A change has now been made that will have the load balancers set a session cookie on the user's browser when they first visit the site, which will then be used on both the secure and unsecured connections to always direct that user to the same Dawson server.

Apologies for any inconvenience caused."

Caroline Thorpe
Senior Information Adviser
Information Services Systems Team
Student and Learning Services
Sheffield Hallam University, Howard Street
Sheffield S1 1WB
0114 225 4478

-----Original Message-----
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Jon Warbrick
Sent: 13 December 2009 21:44
To: [log in to unmask]
Subject: Re: dawsonera issues

On Fri, 11 Dec 2009, Bruce Rodger wrote:

> And if I change Netscape to be "use proxy for all protocols", it all works
> fine!
>
> So what now? modify proxy.conf to push all dawsonera traffic via proxy?

Changing your local proxy.conf could be a useful work-around for your local users, but you can't fix things for people connecting from networks that you don't control, and ubiquitous access is one of the points of Shib. I would say this was a bug that needs to be reported to the SP, and that both those affected and JISC (Nicole, you listening?) need to try to get them to take it seriously.

Jon.

--
Jon Warbrick
Web/News Development, Computing Service, University of Cambridge
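
The two failure modes in the vendor's explanation (the session address check and source-address load balancing), modelled in Python as an added example that is not part of the original thread and is not Dawsonera's or Shibboleth's code. The server names, the documentation-range IP addresses, the last-octet routing rule and the session id are assumptions made for illustration.

```python
SERVERS = ["dawson-a", "dawson-b"]  # hypothetical pool; session stores are not shared

def by_source_ip(ip):
    # Stand-in for the balancer's source-address affinity: last octet picks the server.
    return SERVERS[int(ip.rsplit(".", 1)[1]) % len(SERVERS)]

class Site:
    def __init__(self, check_address, cookie_affinity):
        self.check_address = check_address      # SP removes a session whose client IP changes
        self.cookie_affinity = cookie_affinity  # balancer pins the user with a session cookie
        self.sessions = {name: {} for name in SERVERS}  # server -> {session id: login IP}

    def route(self, src_ip, lb_cookie):
        if self.cookie_affinity and lb_cookie in SERVERS:
            return lb_cookie
        return by_source_ip(src_ip)

    def login(self, src_ip):
        server = self.route(src_ip, None)
        self.sessions[server]["sess-1"] = src_ip  # constructed session id
        return "sess-1", server                   # server name doubles as the balancer cookie

    def fetch(self, src_ip, session_id, lb_cookie):
        store = self.sessions[self.route(src_ip, lb_cookie)]
        if session_id not in store:
            return "wayf:no-session"              # landed on the server that never saw the login
        if self.check_address and store[session_id] != src_ip:
            del store[session_id]                 # created, then immediately removed
            return "wayf:address-changed"
        return "content"

HTTPS_IP = "192.0.2.10"          # constructed: direct egress, routes to dawson-a
HTTP_IP_OTHER = "198.51.100.7"   # constructed: proxy egress, routes to dawson-b
HTTP_IP_SAME = "198.51.100.8"    # constructed: proxy egress, routes to dawson-a

def outcome(check_address, cookie_affinity, http_ip=HTTP_IP_OTHER):
    """Log in over HTTPS, then request content over HTTP from a different address."""
    site = Site(check_address, cookie_affinity)
    session_id, lb_cookie = site.login(HTTPS_IP)
    return site.fetch(http_ip, session_id, lb_cookie)

if __name__ == "__main__":
    for check in (True, False):
        for cookie in (True, False):
            for ip in (HTTP_IP_SAME, HTTP_IP_OTHER):
                print(f"check_address={check!s:5} cookie_affinity={cookie!s:5} "
                      f"http_ip={ip:13} -> {outcome(check, cookie, ip)}")
```

Only the combination of the address check disabled and cookie affinity enabled returns content for every split-address client; cookie affinity alone still loses the session to the address check.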