Shibboleth IDP Race Condition
cneberg
cneberg at gmail.com
Wed Apr 16 18:10:23 EDT 2014
I've got an issue where a Shibboleth-protected website is pulling in
JavaScript content from a second site; both sites are protected with a
Shibboleth SP, all configured to only use the artifact profile and HTTP
basic auth at the Shibboleth IdP. The browser asks for multiple
JavaScript include files, all hosted on the second site, simultaneously.
Since the user doesn't have any cookies for the second site, each request
triggers an authentication request against the Shibboleth IdP. It seems
to be a race condition as to which requests succeed and which fail (I would
expect all of them to succeed). If the request fails, it dies at
<idp>/idp/profile/SAML2/Redirect/SSO or <idp>/idp/Authn/RemoteUser with a
status 200 and content like below.
<html>
<body>
<img src="/idp/images/logo.jpg" />
<h3>ERROR</h3>
<p>
An error occurred while processing your request. Please
contact your helpdesk or
user ID office for assistance.
</p>
<p>
This service requires cookies. Please ensure that they are
enabled and try your
going back to your desired resource and trying to login again.
</p>
<p>
Use of your browser's back button may cause specific errors that
can be resolved by
going back to your desired resource and trying to login again.
</p>
<p>
If you think you were sent here in error,
please contact technical support
</p>
<strong>Error Message: Error decoding authentication request
message</strong>
</body>
</html>
and the IdP process log contains:
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:400] - Error decoding authentication request message
org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message
        at org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder.doDecode(HTTPRedirectDeflateDecoder.java:98) ~[opensaml-2.6.0.jar/:na]
        at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) ~[openws-1.5.0.jar/:na]
        at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) ~[opensaml-2.6.0.jar/:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.decodeRequest(SSOProfileHandler.java:386) [shibboleth-identityprovider-2.4.0.jar/:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:211) [shibboleth-identityprovider-2.4.0.jar/:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:189) [shibboleth-identityprovider-2.4.0.jar/:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:90) [shibboleth-identityprovider-2.4.0.jar/:na]
        at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83) [shibboleth-common-1.4.0.jar/:na]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) ....
Or this:
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:217] - No login context available, unable to proceed with authentication
I've got a Python script which makes multiple simultaneous requests to
Shibboleth and triggers multiple errors every time, if you want a copy.
-Christopher
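The following is an added, deterministic model of the race described in the post; it is not the poster's script and not Shibboleth code. It assumes two things about the IdP side that the post does not state: that the IdP keeps one pending login context per browser, referenced by a single cookie (the cookie name `_idp_authn_lc_key` is an assumption), and that a return to the SSO endpoint with no SAMLRequest and no usable login context is handled as a decode error. Each SP redirect costs the browser three IdP hops (SSO with SAMLRequest, RemoteUser login, return to SSO without SAMLRequest); a scheduler interleaves the hops of two parallel fetches sharing one cookie jar, and the outcomes reproduce both log messages quoted above.

```python
"""Model of two SP-initiated SAML flows started by one browser at the same
time.  Added illustration only; the cookie name and the one-login-context-
per-browser bookkeeping are assumptions about the IdP, not Shibboleth code."""
from dataclasses import dataclass, field
import itertools


class IdPError(Exception):
    """Raised where the real IdP would log an error and render its error page."""


@dataclass
class LoginContext:
    saml_request: str            # id of the AuthnRequest this context belongs to
    authenticated: bool = False


@dataclass
class Browser:
    cookies: dict = field(default_factory=dict)   # one jar shared by every parallel fetch


class IdP:
    COOKIE = "_idp_authn_lc_key"   # assumed name of the login-context cookie

    def __init__(self):
        self.contexts = {}         # cookie value -> LoginContext
        self._keys = itertools.count(1)

    def _current(self, browser):
        key = browser.cookies.get(self.COOKIE)
        return key, self.contexts.get(key)

    def sso(self, browser, saml_request=None):
        """/idp/profile/SAML2/Redirect/SSO: resume a finished login, or start a new flow."""
        key, ctx = self._current(browser)
        if ctx is not None and ctx.authenticated:
            del self.contexts[key]             # context consumed by whichever flow returns first
            del browser.cookies[self.COOKIE]
            return "response-for:" + ctx.saml_request
        if saml_request is None:
            raise IdPError("Error decoding authentication request message: "
                           "No SAMLRequest or SAMLResponse query path parameter")
        key = "lc%d" % next(self._keys)
        self.contexts[key] = LoginContext(saml_request)
        browser.cookies[self.COOKIE] = key     # silently replaces any earlier flow's key
        return "redirect:/idp/Authn/RemoteUser"

    def remote_user(self, browser):
        """/idp/Authn/RemoteUser: mark the context the cookie points at as authenticated."""
        key, ctx = self._current(browser)
        if ctx is None:
            raise IdPError("No login context available, unable to proceed with authentication")
        ctx.authenticated = True
        return "redirect:/idp/profile/SAML2/Redirect/SSO"


def sp_flow(idp, browser, saml_request):
    """The three IdP hops one SP redirect causes; yields between hops so a
    scheduler can interleave several flows."""
    idp.sso(browser, saml_request)
    yield
    idp.remote_user(browser)
    yield
    return idp.sso(browser)


def run(schedule, requests):
    """Process hops in the given order.  schedule lists flow names, one entry
    per hop; requests maps flow name -> AuthnRequest id.  Returns the outcome
    ("ok", response) or ("error", message) of every flow."""
    idp, browser = IdP(), Browser()
    flows = {name: sp_flow(idp, browser, req) for name, req in requests.items()}
    outcomes = {}
    for name in schedule:
        if name in outcomes:
            continue                      # this flow already finished or failed
        try:
            next(flows[name])
        except StopIteration as done:
            outcomes[name] = ("ok", done.value)
        except IdPError as err:
            outcomes[name] = ("error", str(err))
    return outcomes


REQUESTS = {"A": "reqA", "B": "reqB"}   # constructed: two JS fetches, two AuthnRequests

if __name__ == "__main__":
    for label, order in [("sequential", "AAABBB"),
                         ("B starts before A logs in", "ABAABB"),
                         ("fully interleaved", "ABABAB")]:
        print(label, run(list(order), REQUESTS))
```

In the model the sequential schedule is the only one where both fetches finish with their own response. When B's first hop lands between A's hops, A completes but carries away B's context, and B then hits "No login context available" at RemoteUser; when the hops fully alternate, B survives the login step but returns to the SSO endpoint with neither a SAMLRequest nor a context and fails with the decode error. Whatever the IdP's actual bookkeeping, a log showing both messages within the same second for one client is the pattern to look for, and the defensive fix is to let one SSO round trip to the second site finish before the parallel includes are requested.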
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20140416/6fd69a53/attachment.html