Authn Error - IdP v3

Pradeep Jamble pjamble at gmail.com
Sat May 7 20:22:27 EDT 2016


The X509 flow is enabled globally in 'idp.properties' and the flow
descriptor has been defined in 'general-authn.xml'. The initial authn works
fine with client certs but once I go past the prompt i.e. x509-prompt.jsp,
I get the warning and error message.

The authentication succeeds and I can SSO to the application but I think
the IdP is unable to store the session. To test this, I just deleted the
application cookies and then tried to login again. It prompted me for the
cert again even though I had my idp session active.

Here's the log:

2016-05-07 23:52:59,059 - DEBUG
[net.shibboleth.idp.session.impl.StorageBackedIdPSession:561] - Saving
AuthenticationResult for flow authn/X509 in session
c29d5fab467ca337462c235dc605395e0f357f5b23d9c0f3b5f1d794c18bc7d6
2016-05-07 23:52:59,060 - WARN
[net.shibboleth.idp.session.impl.StorageBackedIdPSession:565] - No flow
descriptor installed for ID authn/X509, unable to save result to storage
2016-05-07 23:52:59,074 - ERROR
[net.shibboleth.idp.session.impl.UpdateSessionWithAuthenticationResult:178]
- Profile Action UpdateSessionWithAuthenticationResult: Error creating
session for principal jdoe
net.shibboleth.idp.session.SessionException: Unable to save
AuthenticationResult to storage
    at
net.shibboleth.idp.session.impl.StorageBackedIdPSession.addAuthenticationResult(StorageBackedIdPSession.java:216)
2016-05-07 23:52:59,084 - DEBUG
[net.shibboleth.idp.saml.profile.impl.InitializeAuthenticationContext:115]
- Profile Action InitializeAuthenticationContext: Created authentication
context: AuthenticationContext{initiationInstant=2016-05-07T23:52:59.084Z,
isPassive=false, forceAuthn=false, hintedName=null, potentialFlows=[],
activeResults=[], attemptedFlow=null, signaledFlowId=null,
authenticationStateMap={}, resultCacheable=true,
initialAuthenticationResult=AuthenticationResult{authenticationFlowId=authn/X509,
authenticatedPrincipal=1.2.840.113549.1.9.1=#1612706a616d626c6540616b616d61692e636f6d,CN=jdoe,OU=ff_JDoe,O=Acme
Corp, authenticationInstant=2016-05-07T23:52:58.721Z,
lastActivityInstant=2016-05-07T23:52:58.721Z}, authenticationResult=null,
completionInstant=1970-01-01T00:00:00.000Z}

Any reason this could happen? I do have the MCB configured in my test
environment but I don't think that would interfere with the initial or x509
authn. Just sharing ...

Regards,
Pradeep

On Thu, May 5, 2016 at 7:44 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> > Has anyone seen this error before? I have defined x509 as the 'initial'
> > authn method.
>
> I can't think of any scenario where that would make sense.
>
> > The authentication works fine but I see this error in the debug logs.
> > I've already defined and enabled the authn flow but for some reason the
> > warning message says 'no flow descriptor'.
>
> You can't set the initial flow to something that isn't enabled overall in
> the primary property.
>
> -- Scott
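
Added example, not part of the original thread and not Shibboleth code: a small check that pulls the flow IDs named in "No flow descriptor installed" warnings out of idp-process.log text and tests each against the globally enabled flows in idp.properties. It assumes the property names idp.authn.flows and idp.authn.flows.initial, and that idp.authn.flows is a regular expression matched in full against the flow ID without its "authn/" prefix; the properties content is constructed, and the log line is the one from the post with the mail wrapping removed.

```python
import re

# Constructed sample, not the poster's file. Property names are assumptions.
SAMPLE_PROPS = """\
# globally enabled login flows (regular expression)
idp.authn.flows = Password
idp.authn.flows.initial = X509
"""

# WARN line from the post, rejoined onto one line.
SAMPLE_LOG = (
    "2016-05-07 23:52:59,060 - WARN "
    "[net.shibboleth.idp.session.impl.StorageBackedIdPSession:565] - No flow "
    "descriptor installed for ID authn/X509, unable to save result to storage\n"
)

WARN_RE = re.compile(r"No flow descriptor installed for ID (authn/\S+?),")


def parse_props(text):
    """Minimal Java .properties reader: key = value, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def unsaved_flows(log_text):
    """Flow IDs whose AuthenticationResult could not be saved to the session."""
    return sorted(set(WARN_RE.findall(log_text)))


def is_enabled(flow_id, props):
    """True if the flow ID (minus 'authn/') matches idp.authn.flows in full."""
    pattern = props.get("idp.authn.flows", "")
    short_id = flow_id.split("/", 1)[-1]
    return bool(pattern) and re.fullmatch(pattern, short_id) is not None


def report(log_text, props_text):
    """Map each flow named in a warning to whether it is globally enabled."""
    props = parse_props(props_text)
    return {flow: is_enabled(flow, props) for flow in unsaved_flows(log_text)}
```

A False value for a flow that is also set as the initial flow is the situation described in the quoted reply: the flow runs, but it is not enabled in the primary property.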