intermittent IDP failure

Steven Carmody steven_carmody at
Fri Feb 1 12:54:44 EST 2013

On Feb 1, 2013, at 11:05 AM, "Cantor, Scott" <cantor.2 at> wrote:
>> we currently have a 180 second stickiness at the load balancer. That
>> gets the user thru the initial login. However, some apps (see above)
>> continue to send the user back to the IDP, randomly.
> 180 is not enough for many users to get logged in, but sending you back to
> the IdP cold isn't going to cause this error. It physically can't, because
> that step would include the SAML request.
> The only way this happens is if the login context is not replicated and
> you switch IdPs in the middle of the login process. Or the back button of
> course.

here's what I saw, while sitting, chatting, and watching what another person did.

he logged into a shib-protected site successfully.

he logged into a second shib-protected site (this one was cluster based, not sharing the SAML session across machines)

every few minutes, he would tap the enter key

about the 6th or 7th tap on the 2nd app, an IDP error page was displayed.... the error in the logs said (we think) that the request didn't contain any QUERY parameters. He was definitely not presented with another login page. And didn't use the BACK button.

> -- Scott