Hi Ray,

1. The name was displayed in the client application. The client app 
retrieves the name from the database, based on the email id sent through 
the SAML token. Unless the token itself is wrong, it can't retrieve another 
user's name.

2. Different browsers. The users are in different organisations.

3. It's possible that they were both active at around the same time, but 
it's unlikely that they shared a router, because their offices are in 
different parts of town.

A related piece of weird behaviour I found was with the pac4j SAML2 
integration with an external IdP. One of our customers had given me a 
temporary username and password on their Active Directory so I could test 
the login into our client application. Months later, I was still able to 
log into our application using these credentials, although they had 
disabled my account on their AD. Something was getting cached along the 
way, either on my browser or on CAS. I couldn't log in with a new browser.

I suspect that there is some caching of data on CAS, and it gets assigned 
to another user session under certain circumstances. I further think it has 
something to do with pac4j rather than with core CAS.

Regards,
Ganesh

On Thursday, 7 March 2019 03:40:26 UTC+11, rbon wrote:
>
> Ganesh,
>
> Was the place where the name was displayed a CAS page or was it the client 
> application?
>
> Was it the same browser (after User1 logged out)?
>
> Were both users active at the same time, perhaps behind a common router?
>
> Ray
>
> On Tue, 2019-03-05 at 19:01 -0800, Ganesh Prasad wrote:
>
> Hi all, 
>
> This is a serious issue, and I think it may have something to do with 
> caching.
>
> I have a user (say User1), who logs into CAS using delegated 
> authentication against an external IdP using pac4j.
>
> I have another user (say User2), who belongs to a different organisation, 
> and who logs into CAS using a local LDAP username and password.
>
> Today, User2 logged in and saw User1's name displayed on the screen. I 
> assume that the rest of the profile (based on the SAML token) was also that 
> of User1. Needless to say, this is a serious issue.
>
> The problem could not be reproduced, but we have screenshots that prove 
> that User2 did see User1's name on screen. They had no idea such a user 
> even existed until they saw it on screen.
>
> Any ideas why this could be happening? Is there a simple setting to turn 
> off caching somewhere? I'm hoping it's something as simple as that.
>
> Regards,
> Ganesh
>
> -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]