Shibboleth Service Provider - Troubleshooting
This resource tracks issues that you may encounter as an administrator of a Shibboleth service provider in the CSU Federation. Please use it to help with troubleshooting.
Applicable To
- Admins of CSU System Service Providers in the CSU Federation
Prerequisites
- CSU System IT manages Shibboleth Service Providers for CSU System sites
Contents:
Address Checking Error
Problem:
Users receive a browser error when trying to use single sign-on to authenticate into your application:
2024-02-29 09:31:57 WARN Shibboleth.SSO.SAML2 [59] [default]: detected a problem with assertion: Your client's current address (129.82.XX.XX) differs from the one used when you authenticated to your identity provider. To correct this problem, you may need to bypass a proxy server. Please contact your local support staff or help desk for assistance.

This mismatch typically happens when a user's client is behind a proxy, VPN, or similar network device. These devices can route traffic so that the web servers (the identity provider and the service provider) see different client addresses. It's often referred to as "split tunneling" and occurs when only certain traffic is routed through the device.
Solution:
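Change the checkAddress setting in your Shibboleth Service Provider to disable this check. checkAddress compares the client's current address with the address the identity provider recorded in the assertion; consistentAddress, left at "true" in the example below, still requires a session to be used from the address that created it. (NOTE: Shibboleth restart required to apply change)
- Find and open your shibboleth2.xml configuration file
  - IIS: \opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml
  - Linux: /etc/shibboleth/shibboleth2.xml
- Modify the Sessions element to add/change the checkAddress property, disabling it by setting it to false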
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false"
consistentAddress="true"
handlerSSL="true"
cookieProps="; path=/; secure; HttpOnly; domain=csudomain.colostate.edu"
redirectLimit="exact">
  - NOTE: If your service provider manages multiple websites, this modification must be completed in each Sessions element for the affected site(s).
  - Save
- Restart the Shibboleth service
- Test by authenticating through a private/incognito window
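Because the change has to be repeated in each Sessions element, a quick audit of the whole file helps catch an element that was missed or a cookieProps string that lost a semicolon. The following Python script is an added example, not part of the CSU or Shibboleth documentation; the sample configuration, hostnames and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an SP with a default Sessions element and one override.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
 <ApplicationDefaults entityID="https://sp.example.edu/shibboleth">
  <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
            checkAddress="false" consistentAddress="true" handlerSSL="true"
            cookieProps="; path=/; secure; HttpOnly; domain=.example.edu"
            redirectLimit="exact"/>
  <ApplicationOverride id="site2">
   <Sessions lifetime="28800" timeout="3600" checkAddress="true" handlerSSL="true"
             cookieProps="; path=/; secure; HttpOnly domain=.example.edu"/>
  </ApplicationOverride>
 </ApplicationDefaults>
</SPConfig>"""

def parse_cookie_props(value):
    """Split a cookieProps string into (attributes, problems)."""
    attrs, problems = {}, []
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, val = part.partition("=")
        if " " in name.strip():  # e.g. "HttpOnly domain": a ';' was dropped
            problems.append(f"missing ';' inside {part!r}")
        attrs[name.strip().lower()] = val.strip()
    return attrs, problems

def audit_sessions(xml_text):
    """Report address checks and cookieProps problems for every Sessions element."""
    report = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "Sessions":  # ignore the XML namespace
            continue
        attrs, problems = parse_cookie_props(el.get("cookieProps", ""))
        report.append({
            "checkAddress": el.get("checkAddress"),  # None = attribute not set
            "consistentAddress": el.get("consistentAddress"),
            "cookie_domain": attrs.get("domain"),
            "problems": problems,
        })
    return report

if __name__ == "__main__":
    for n, entry in enumerate(audit_sessions(SAMPLE), 1):
        print(n, entry)
```

To audit a live configuration, pass the text of shibboleth2.xml to `audit_sessions` instead of `SAMPLE`.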
Looping
Problem:
A user reaches the SSO login page, correctly enters credentials, and then quickly begins ‘looping’ through attempts to create new authentication sessions. Both the service provider (SP) and identity provider (IdP) show a rapid succession of new sessions being created indefinitely until the user ends their browser session.
Service Provider Logs:
2023-03-08 12:32:50 INFO Shibboleth.SessionCache [1] [arieswebnew.colostate.edu]: new session created: ID (_736433175ee0876317fe536c67b34af7) IdP (https://shibidp.colostate.edu/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (129.82.103.25)
2023-03-08 12:32:50 INFO Shibboleth.SessionCache [1] [arieswebnew.colostate.edu]: new session created: ID (_c28810aba3e445b5a0af55285703267f) IdP (https://shibidp.colostate.edu/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (129.82.103.25)
2023-03-08 12:32:50 INFO Shibboleth.SessionCache [1] [arieswebnew.colostate.edu]: new session created: ID (_83e52f6202d4874d511d3284affebf8f) IdP (https://shibidp.colostate.edu/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (129.82.103.25)
2023-03-08 12:32:50 INFO Shibboleth.SessionCache [1] [arieswebnew.colostate.edu]: new session created: ID (_964eb444af18c4e8c7fe3fe90d1a9f07) IdP (https://shibidp.colostate.edu/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (129.82.103.25)
2023-03-08 12:32:50 INFO Shibboleth.SessionCache [1] [arieswebnew.colostate.edu]: new session created: ID (_2ef51666d533ad3ad98442771fdf1a75) IdP (https://shibidp.colostate.edu/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (129.82.103.25)
2023-03-08 12:32:50 INFO Shibboleth.SessionCache [1] [arieswebnew.colostate.edu]: new session created: ID (_ccb4ce7655318fdb398b53f8e62dd4d1) IdP (https://shibidp.colostate.edu/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (129.82.103.25)
2023-03-08 12:32:50 INFO Shibboleth.SessionCache [1] [arieswebnew.colostate.edu]: new session created: ID (_9f724ecb89468ba210e4a07fe9822b74) IdP (https://shibidp.colostate.edu/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (129.82.103.25)
Solution:
Several components can cause this, but a common cause is an incorrect domain value in the cookieProps attribute of the Sessions element in your service provider configuration. (NOTE: Shibboleth restart required to apply change)
- Find and open your shibboleth2.xml configuration file
  - IIS: \opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml
  - Linux: /etc/shibboleth/shibboleth2.xml
- Modify the Sessions element to change the domain property to the common parent domain shared by all endpoints/websites protected by your service provider.
  - Example: if your service provider protects both dev.ariesweb.colostate.edu and dev.ramweb.colostate.edu, your domain value should be .colostate.edu.
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="true" consistentAddress="true"
cookieProps="; path=/; secure; HttpOnly; domain=.colostate.edu" redirectLimit="exact">
- Restart the Shibboleth service
- Test by authenticating through a private/incognito window
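The loop signature in the service provider log and the domain rule from the solution can both be checked mechanically. The Python below is an added example, not CSU's or the Shibboleth project's code; the threshold of 5 sessions within 10 seconds, the sample log lines and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) INFO Shibboleth\.SessionCache \[\d+\] "
    r"\[([^\]]+)\]: new session created: ID \([^)]+\) .*Address \(([^)]+)\)")

# Constructed log lines in the page's format (example host, TEST-NET addresses).
FMT = ("2023-03-08 12:32:{:02d} INFO Shibboleth.SessionCache [1] [app.example.edu]: "
       "new session created: ID (_{:032x}) IdP (https://idp.example.edu/idp/shibboleth) "
       "Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address ({})")
SAMPLE_LOG = [FMT.format(50 + n // 3, n, "192.0.2.10") for n in range(6)]
SAMPLE_LOG.append(FMT.format(59, 99, "192.0.2.77"))

def find_loops(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {(application, address): peak} for clients that created at least
    `threshold` sessions inside one sliding `window`."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            seen[(m.group(2), m.group(3))].append(ts)
    loops = {}
    for key, stamps in seen.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # shrink window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            loops[key] = peak
    return loops

def common_cookie_domain(hosts):
    """Longest DNS suffix shared by all hosts, written as a cookie domain.
    Returns None when fewer than two labels are shared; this simple rule does
    not consult the public suffix list."""
    labels = [h.lower().rstrip(".").split(".")[::-1] for h in hosts]
    shared = []
    for parts in zip(*labels):
        if len(set(parts)) != 1:
            break
        shared.append(parts[0])
    return "." + ".".join(reversed(shared)) if len(shared) >= 2 else None
```

For the two hosts named in the example above, `common_cookie_domain` returns `.colostate.edu`, the value used in the Sessions element.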
Further Reading: