
shibboleth-dev - RE: SSO cookie - IDP 1.3.2

Subject: Shibboleth Developers


RE: SSO cookie - IDP 1.3.2


  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: SSO cookie - IDP 1.3.2
  • Date: Thu, 19 Jul 2007 11:03:41 -0400
  • Organization: The Ohio State University

> I took a look at the code (src/edu/internet2/middleware/shibboleth/
> idp/provider/SSOHandler.java) and, if I'm not mistaken, the cookie
> will never be set.

Well, I'm using that code here now, so I'm pretty sure it works. I know from
the previous bugs that I botched a lot of it (my Java seems to get worse
with experience), but I think it works.

> The cookie is only set if username is not null and we're on the
> protected path. The first time username will be null, and the next
> time we will not be in the protected path since we already have the
> username in the session... Unless we get to a different front-end in
> which case the auth is asked again since there is no username or cookie.

I'm not following you here. The cookie can't be set until REMOTE_USER is,
obviously. The first time, yes, it's null, but you do go to the protected
path because if you're on the naked path, REMOTE_USER won't be set...

> Am I doing something wrong?

I think so. It's not very much a Shibboleth config thing, it really all ends
up in web.xml and your metadata to get people to the right place. You need
to make sure your metadata points people to the naked path. Both the naked
and protected path have to be mapped to the IdPServlet in web.xml. By
default, it's /SSO and /HS (for legacy reasons).

-- Scott




