NameID lookup for logout ignores logical SP boundaries

Description

The cache of NameID->Session mappings for logout lookup doesn't recognize that some sessions are bound to different SP entityID containers, which causes the IdP to issue requests for logout to those entityIDs after the initial request and causes a failure since the sessions are already gone.

Environment

None

Activity

Scott Cantor March 15, 2012 at 5:00 PM

http://svn.shibboleth.net/view/cpp-sp?view=rev&rev=3592

The expiration of the indexing is built-in, so there's no concern over leaving them in place.

Scott Cantor March 15, 2012 at 4:31 PM

Original thread on this:
http://marc.info/?l=shibboleth-users&m=131914718629141&w=2

The code is not able to actually retrieve the ancillary sessions because they're associated with a different applicationId, but when the find() fails, it falls through and treats that as a session "not found" and still records it as killed.

To fix this issue, we should probably treat that as an "ignore" case and leave the session in the back-index. The downside is, that will build up over time, so we probably have to consider the risk there.
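The two behaviours discussed in the comments above (a lookup miss treated as "killed" versus left in the back-index with its built-in expiration) can be modelled in a few dozen lines. The following is an added illustration, not cpp-sp code: the session store, the `LogoutIndex` type, the `MissPolicy` enum and the application ids `default`/`admin` are all invented here, and the expiration is a plain logical clock rather than the SP's own timers.

```cpp
// Added example, not cpp-sp code: a toy model of the NameID->Session logout
// back-index from this ticket, with the two ways of handling a lookup miss.
#include <map>
#include <set>
#include <string>
#include <vector>

struct Session {
    std::string id;
    std::string applicationId;  // logical SP (application) that owns the session
    std::string nameId;
};

// Sessions are partitioned by applicationId: find() under another application
// fails, which is exactly the miss the ticket describes.
class SessionStore {
public:
    void insert(const Session& s) { byApp_[s.applicationId][s.id] = s; }
    const Session* find(const std::string& applicationId, const std::string& id) const {
        auto app = byApp_.find(applicationId);
        if (app == byApp_.end()) return nullptr;
        auto it = app->second.find(id);
        return it == app->second.end() ? nullptr : &it->second;
    }
    void remove(const std::string& applicationId, const std::string& id) {
        auto app = byApp_.find(applicationId);
        if (app != byApp_.end()) app->second.erase(id);
    }
private:
    std::map<std::string, std::map<std::string, Session>> byApp_;
};

// Back-index NameID -> session ids. Each entry carries an expiration so that
// entries left behind under the "ignore" policy are eventually cleaned up.
struct IndexEntry { std::string sessionId; long expires; };
using LogoutIndex = std::map<std::string, std::vector<IndexEntry>>;

enum class MissPolicy {
    TreatAsKilled,  // pre-fix behaviour: a miss falls through as "not found", entry dropped
    Ignore          // fixed behaviour: leave the entry for the owning application
};

// Logs out every session for nameId that belongs to applicationId.
// Returns the ids of the sessions actually removed from the store.
std::set<std::string> logoutByNameId(SessionStore& store, LogoutIndex& index,
                                     const std::string& applicationId,
                                     const std::string& nameId,
                                     MissPolicy policy, long now) {
    std::set<std::string> killed;
    auto it = index.find(nameId);
    if (it == index.end()) return killed;
    std::vector<IndexEntry> remaining;
    for (const IndexEntry& e : it->second) {
        if (e.expires <= now) continue;  // built-in expiration: stale entry dropped
        if (store.find(applicationId, e.sessionId)) {
            store.remove(applicationId, e.sessionId);
            killed.insert(e.sessionId);
        } else if (policy == MissPolicy::Ignore) {
            remaining.push_back(e);      // owned by another application: keep it
        }
        // TreatAsKilled: the miss is silently recorded as killed and the entry is lost
    }
    if (remaining.empty()) index.erase(it); else it->second = remaining;
    return killed;
}

// Scenario from the ticket: one NameID with a session in each of two
// applications, then two logout requests in sequence. Returns how many
// sessions the second request (for the other application) manages to kill.
int secondLogoutKills(MissPolicy policy) {
    SessionStore store;
    LogoutIndex index;
    store.insert({"s1", "default", "alice"});
    store.insert({"s2", "admin", "alice"});
    index["alice"] = {{"s1", 100}, {"s2", 100}};  // constructed sample entries
    const long now = 50;
    logoutByNameId(store, index, "default", "alice", policy, now);  // kills s1 only
    return static_cast<int>(logoutByNameId(store, index, "admin", "alice", policy, now).size());
}

// Entries past their expiration are dropped without touching the store.
bool expiredEntryIsDropped() {
    SessionStore store;
    LogoutIndex index;
    store.insert({"s3", "default", "bob"});
    index["bob"] = {{"s3", 10}};  // expires before "now"
    auto killed = logoutByNameId(store, index, "default", "bob", MissPolicy::Ignore, 50);
    return killed.empty() && index.count("bob") == 0;
}
```

Under `TreatAsKilled` the first logout consumes the `admin` entry as a false "killed", so the follow-up request for that application finds nothing, which is the failure reported in the description; under `Ignore` the entry survives until its owner logs it out or it expires.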

Fixed

Details

Created October 27, 2011 at 2:54 PM
Updated August 7, 2012 at 1:07 AM
Resolved March 15, 2012 at 5:00 PM