shibboleth-dev - Re: [Shib-Dev] Mixing up principal identities
- From: Paul Hethmon
- To: Shibboleth Dev
- Subject: Re: [Shib-Dev] Mixing up principal identities
- Date: Wed, 31 Mar 2010 22:50:50 -0400
On 3/31/10 9:54 PM, "Paul Hethmon" wrote:
> So I'm only ever setting the principalName value, which appears to be ok
> according to the javadocs for LoginHandler.java. But looking at this code,
> if the previous session created an actual Principal (which it would) and
> kept it with the session (and then the subsequent request), then my new
> principalName would be ignored.
>
> So after writing all of this, it seems evident I need to go ahead and create
> a Principal object in my code and set it in the request to replace anything
> that might be there, so I'll be trying that in a few minutes.
>
> If that does work and I get the principal I expect, I'll file a bug.

Hmm, confused still. So I went and did the following in my servlet:

    request.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, loginId);
    UsernamePrincipal up = new UsernamePrincipal(loginId);
    request.setAttribute(LoginHandler.PRINCIPAL_KEY, up);
    request.setAttribute(LoginHandler.SUBJECT_KEY, null);

Still seeing the wrong principal come through in the NameID of the response.

Ok, now I see that the first session is there and has the first principal
attached. When the second authentication completes, those are merged into a
single Subject with both principal names in AuthenticationEngine.

Not sure of the reasons for doing that, but how do I clear the first
session? The users are not closing the browser and we're not using SLO to
kill them at the IdP. Is there a proper (supported) way I should use from my
login servlet?

thanks,

Paul