Shibboleth Developers

[Scott Cantor <>]

> > ShibPOSTProfile.accept() detected a replayed SSO assertion Please 
> > contact this site's administrator to resolve the problem.

As you'd expect, this shows up if the POST to the SHIRE from the HS is
executed twice.

>  perhaps a more serious problem....
> 2) 
> > I forgot to mention in the last email that when I get the error 
> > message, if I copy+paste the TargetURL into the address bar I am 
> > allowed to go into WebAssign assignments page where I can submit my 
> > work...

That just shows he was logged in (the initial POST worked), and after
seeing the replay error, he just manually went back to the target and of
course it let him in no problem.

> Is there a way to post a message similar to "you are already 
> logged in" if they try to reenter or resubmit their login 
> prior to the closing of their session?  Or with my limited 
> knowledge, am I misreading this?

No you're right, we have to work out how best to address this. I'm going
to play a bit more with it.

One problem is that it's not 100% the case that "you're logged in". In
some cases, a failure might occur for other reasons, but the ID of the
message will still be tracked and a replay attack will be detected if
you reload the POST again.

I have some ideas worth trying, but it is admittedly more complicated
using POST than a simple redirect. I think the benefits will outweigh
the drawbacks in the long term, but in the short term we have to
reapply/relearn some safety techniques that are somewhat different for
POST.

-- Scott

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--