Authn Error - IdP v3

Pradeep Jamble pjamble at
Sat May 7 20:22:27 EDT 2016

The X509 flow is enabled globally in '' and the flow
descriptor has been defined in 'general-authn.xml'. The initial authn works
fine with client certs but once I go past the prompt i.e. x509-prompt.jsp,
I get the warning and error message.

The authentication succeeds and I can SSO to the application but I think
the IdP is unable to store the session. To test this, I just deleted the
application cookies and then tried to login again. It prompted me for the
cert again even though I had my idp session active.

Here's the log:

2016-05-07 23:52:59,059 - DEBUG
[net.shibboleth.idp.session.impl.StorageBackedIdPSession:561] - Saving
AuthenticationResult for flow authn/X509 in session
2016-05-07 23:52:59,060 - WARN
[net.shibboleth.idp.session.impl.StorageBackedIdPSession:565] - No flow
descriptor installed for ID authn/X509, unable to save result to storage
2016-05-07 23:52:59,074 - ERROR
- Profile Action UpdateSessionWithAuthenticationResult: Error creating
session for principal jdoe
net.shibboleth.idp.session.SessionException: Unable to save
AuthenticationResult to storage
2016-05-07 23:52:59,084 - DEBUG
- Profile Action InitializeAuthenticationContext: Created authentication
context: AuthenticationContext{initiationInstant=2016-05-07T23:52:59.084Z,
isPassive=false, forceAuthn=false, hintedName=null, potentialFlows=[],
activeResults=[], attemptedFlow=null, signaledFlowId=null,
authenticationStateMap={}, resultCacheable=true,
Corp, authenticationInstant=2016-05-07T23:52:58.721Z,
lastActivityInstant=2016-05-07T23:52:58.721Z}, authenticationResult=null,

Any reason this could happen? I do have the MCB configured in my test
environment but I don't think that would interfere with the initial or x509
authn. Just sharing ...


On Thu, May 5, 2016 at 7:44 PM, Cantor, Scott <cantor.2 at> wrote:

> > Has anyone seen this error before? I have defined x509 as the 'initial'
> > authn method.
> I can't think of any scenario where that would make sense.
> > The authentication works fine but I see this error in the debug logs.
> > I've already defined and enabled the authn flow but for some reason the
> > warning message says 'no flow descriptor'.
> You can't set the initial flow to something that isn't enabled overall in
> the primary property.
> -- Scott
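The rule in the quoted reply (an initial flow must also be enabled in the primary property), written as a check over constructed sample configuration. This is an added example, not part of the original thread and not Shibboleth project code. It assumes the IdP v3 property names idp.authn.flows and idp.authn.flows.initial, that both are regular expressions matched in full against the flow ID without its authn/ prefix, and that flow descriptors are beans with id authn/<name>; the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, not taken from the thread.
SAMPLE_PROPERTIES = """\
idp.authn.flows = Password
idp.authn.flows.initial = X509
"""
SAMPLE_GENERAL_AUTHN = """\
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util">
  <util:list id="shibboleth.AvailableAuthenticationFlows">
    <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"/>
    <bean id="authn/X509" parent="shibboleth.AuthenticationFlow"/>
  </util:list>
</beans>
"""

def parse_properties(text):
    """Minimal key = value parser; skips comments and blank lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def defined_flows(xml_text):
    """Flow names (authn/ prefix stripped) of every <bean id="authn/...">."""
    root = ET.fromstring(xml_text)
    ids = [el.get("id", "") for el in root.iter() if el.tag.split("}")[-1] == "bean"]
    return [i[len("authn/"):] for i in ids if i.startswith("authn/")]

def initial_flow_problems(props_text, xml_text):
    """Return findings for initial flows that are undefined or not enabled."""
    props = parse_properties(props_text)
    enabled = props.get("idp.authn.flows", "")
    initial = props.get("idp.authn.flows.initial")
    if not initial:
        return []  # initial authentication feature not configured
    # Assumption: both properties are regexes fully matched against the flow name.
    matched = [f for f in defined_flows(xml_text) if re.fullmatch(initial, f)]
    if not matched:
        return [f"initial flow '{initial}' matches no flow descriptor"]
    return [f"initial flow '{f}' is not enabled by idp.authn.flows = '{enabled}'"
            for f in matched if not re.fullmatch(enabled, f)]

if __name__ == "__main__":
    for finding in initial_flow_problems(SAMPLE_PROPERTIES, SAMPLE_GENERAL_AUTHN):
        print(finding)
```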