External authentication: login context key issue

Erdos, Marlena marlena_erdos at harvard.edu
Wed Feb 27 18:16:12 EST 2013

Hi all,

I've been using the external authentication facility, which I had working,
but now it's failing (after I changed some things :-)) and I'm not sure
why. I'm hoping you can help.

Executive summary: 
The IdP (version 2.3.8) is now complaining about the LoginContext key
cookie not being set.  I didn't set it in the past, and didn't previously
get a failure.

The Details:

Until recently, my embedded-with-the-IdP external authentication
servlets were small: The IdP invoked the "invoke" servlet which redirected
the user to an intermediate app which interacted with the backend
authentication system to verify the user. The intermediate app then
redirected to my "callback" servlet. The only thing it set on the
redirect was the parameter "principal" (with the user's id as a value).

(BTW, I based my servlets on Unicon's external authentication code that
calls out to CAS (https://github.com/Unicon/shib-cas-authenticator).
Thank you, Unicon!)

Here's the code for the callback servlet:

protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    // The intermediate app hands the user's id back as the "principal" parameter.
    String authenticatedPrincipalName = request.getParameter("principal");
    request.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, authenticatedPrincipalName);
    AuthenticationEngine.returnToAuthenticationEngine(request, response);
}


This worked just fine.  As you can see, I'm only setting
PRINCIPAL_NAME_KEY on the login handler.  I'm not touching LoginContext.

Now, I've gotten rid of the intermediate app.  The invoke servlet
redirects the user to the backend authN system.  That system (on
successful login) redirects to the callback servlet.

The callback servlet is now doing the "heavy lifting" that the
intermediate app did before -- which is  to verify a digitally signed
token sent by the authN system on the query string.  In fact, there's a
bunch of stuff on the query string -- but it isn't huge.

As far as I can tell I'm doing the "return to authentication engine" in
just the same way as before -- except that the request has material on the
query string from the backend system. Here's the current code (with the
token validation material deleted):

protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    // Elided: code that validates the query string token from the backend
    // authN system and extracts "userID" from the token (and it's fine).
    request.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, userID);
    AuthenticationEngine.returnToAuthenticationEngine(request, response);
}


This fails, with the following in the logs:

16:31:04.731 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:144] - Returning control to authentication engine
16:31:04.732 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:325] - LoginContext key cookie was not present in request
16:31:04.732 - WARN [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:147] - No login context available, unable to return to authentication engine
16:31:04.800 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:325] - LoginContext key cookie was not present in request

What am I doing wrong?  And what should I do?  (The userID was set
properly -- though that doesn't seem to matter.)

It occurred to me to create a new "request" object but I wasn't sure about
what to do there.

(BTW, I tried to look at the code in the IdP for
returnToAuthenticationEngine but I think I'm looking at the wrong thing.
Here's what I looked at:


I think I'm looking at the wrong thing because the log message in that
code doesn't match what I'm seeing in the logs.  Here's the relevant bit
from the above:

        LoginContext loginContext = (LoginContext)
        if (loginContext == null) {
            LOG.error("User HttpSession did not contain a login context.  Unable to return to authentication engine");
            forwardRequest("/idp-error.jsp", httpRequest, httpResponse);

Thanks so much!
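As an added example (not code from the original post, the IdP, or the Unicon project), a version of the callback servlet that checks for the login context key cookie before asserting the principal, so a missing cookie fails closed with a diagnostic of where the browser actually landed instead of surfacing only as the IdP's warning. The cookie name and the validateTokenAndExtractUserID hook are assumptions; the LoginHandler and AuthenticationEngine calls are the same IdP 2.x ones the post uses.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;
// Callback servlet that refuses to assert a principal when the IdP login context cannot be found.
public abstract class GuardedCallbackServlet extends HttpServlet {
    private static final Logger log = LoggerFactory.getLogger(GuardedCallbackServlet.class);
    // Assumed name of the IdP 2.x LoginContext key cookie; confirm it against
    // HttpServletHelper in your IdP build before relying on it.
    static final String LOGIN_CTX_COOKIE = "_idp_authn_lc_key";
    // Hypothetical hook for the post's elided step: validate the signed token on the
    // query string and return the user id, or null if the token does not verify.
    protected abstract String validateTokenAndExtractUserID(HttpServletRequest request);
    // True only if the browser sent the login context key cookie with this request.
    static boolean hasLoginContextKey(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return false;
        for (Cookie c : cookies) {
            if (LOGIN_CTX_COOKIE.equals(c.getName()) && c.getValue() != null && !c.getValue().isEmpty()) {
                return true;
            }
        }
        return false;
    }
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (!hasLoginContextKey(request)) {
            // Without the cookie the engine cannot tie this callback to the suspended request.
            // Record where the browser landed: a host or path other than the invoke servlet's
            // is the usual reason a cookie scoped to the IdP is not sent back.
            log.warn("Callback at {}://{}{}{} arrived without cookie {}", request.getScheme(),
                    request.getServerName(), request.getContextPath(), request.getServletPath(),
                    LOGIN_CTX_COOKIE);
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Login context not available");
            return;
        }
        String userID = validateTokenAndExtractUserID(request);
        if (userID == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Token rejected");
            return;
        }
        request.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, userID);
        AuthenticationEngine.returnToAuthenticationEngine(request, response);
    }
}
```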
