Unexpected Shibboleth Session Removal

mmccarthy at tribloom.com mmccarthy at tribloom.com
Thu Sep 4 16:02:49 EDT 2014 

I am running Alfresco, an open source web based ECM, behind Shibboleth 
(Apache 2). Alfresco has quite a few XML HTTP requests (AJAX). 
Occasionally, we can't discern any reason as to when, we are seeing a 
page fail to completely load. When this happens it appears that the 
session has been dropped on the SP side and the SP fails to send a SAML 
POST to the IDP. I have exhausted my (limited) knowledge on the subject 
and could really use some help troubleshooting the issue.

On failure, the shibd.log on the SP has (identifying information removed):
2014-09-04 07:46:58 INFO Shibboleth.SessionCache [3]: new session 
created: ID (_8afc83602ee907b1e83992c61fef98dd) IdP 
(https://idp.domain.com/) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) 
Address (10.0.135.18)
2014-09-04 07:46:58 DEBUG Shibboleth.SSO.SAML2 [3]: ACS returning via 
redirect to: https://server.domain.com/share/page/repository
2014-09-04 07:47:59 INFO Shibboleth.SessionCache [6]: removed session 
(_8afc83602ee907b1e83992c61fef98dd)
2014-09-04 07:47:59 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [6]: 
validating input
2014-09-04 07:47:59 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [6]: 
marshalling, deflating, base64-encoding the message
2014-09-04 07:47:59 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [6]: 
marshalled message:
...<cut>
2014-09-04 07:47:59 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [6]: 
message encoded, sending redirect to client
2014-09-04 07:47:59 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [6]: 
validating input
2014-09-04 07:47:59 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [6]: 
marshalling, deflating, base64-encoding the message
2014-09-04 07:47:59 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [6]: 
marshalled message:

I notice that a "normal" successful interaction is more like this (note 
the SAML2POST):
2014-09-04 11:39:24 INFO Shibboleth.SessionCache [2]: removed session 
(_32645b3099cdfa688622954b1ac4a8c9)
2014-09-04 11:39:24 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [2]: 
validating input
2014-09-04 11:39:24 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [2]: 
marshalling, deflating, base64-encoding the message
2014-09-04 11:39:24 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [2]: 
marshalled message:
...<cut>
2014-09-04 11:39:24 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [2]: 
message encoded, sending redirect to client
2014-09-04 11:39:27 DEBUG OpenSAML.MessageDecoder.SAML2POST [1]: 
validating input
2014-09-04 11:39:27 DEBUG OpenSAML.MessageDecoder.SAML2POST [1]: decoded 
SAML message:
...<cut>

The failed authentication shows the following on the IdP side:
15:29:32.931 - WARN 
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:371] 
- Error decoding authentication request message
org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest 
or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message

The end result is errors like this in the browser:
XMLHttpRequest cannot load 
https://idp.server.com/idp/profile/SAML2/Redirect/SSO?SAMLRequest=hZLNbsI...HwkNM%2BoQm3cjleSTf&RelayState=ss%3Amem%3Ae674cf026df847cbc8da26f02260ad0c 
<https://idp.stanford.edu/idp/profile/SAML2/Redirect/SSO?SAMLRequest=hZLNbsIwEIRfJfKdOBhowSKRUjgUiRZEaA%2B9VE68AUuOnXqd%2Frx9A6EtXOjVnv1mZ7RTFJWuedr4vdnAWwPog89KG%2BTHj5g0znArUCE3ogLkvuBZ%2BrDkLIx47ay3hdUkSBHBeWXNzBpsKnAZuHdVwNNmGZO99zVySneY9wprPBgfohemtE6GIBua7VWeWw1%2BHyJaeuAzul5lWxLM24WUEQf0H0jJ%2BhLQPtB2mVJpOE1vQCoHhadZtiLBYh6TVzES8lbmw9GgLEsW5QDsBkZSjpkcDFk5aWWIDSzMAe1jwqL%2BsBdNetFgyxjvMx6NX0iwPmW%2BU0Yqs7teUN6JkN9vt%2Btel%2BgZHB7TtAKSTA8186OxOyv%2BOlb8tE2Sf7vF326n9MyrM675YwtfzNdWq%2BIrSLW2HzMHwkNM%2BoQm3cjleSTf&RelayState=ss%3Amem%3Ae674cf026df847cbc8da26f02260ad0c>. 
No 'Access-Control-Allow-Origin' header is present on the requested 
resource. Origin 'https://server.domain.com 
<https://gsb-content.stanford.edu/>' is therefore not allowed access.

The above error causes all kinds of errors in the browser since it is 
usually a JavaScript file that needs to be present for the rest of the 
page to function correctly.

During testing I have set my session lifetime to 60 and timeout to 30. 
When I raised this up to the defaults (28800 and 3600 respectively), I 
was still seeing errors more frequently than every hour.

1. Will raising the lifetime and/or timeout help to solve the problem?
2. Is the session timeout/removal really the cause of my problem?
3. Is there any obvious error, debugging, or configuration that I should 
look at to troubleshoot this issue?

Many thanks!
-- 
Michael
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20140904/02439331/attachment.html

More information about the users mailing list