Return trip from IdP after AuthN redirects to incorrect path
cantor.2 at osu.edu
Wed Aug 8 16:00:45 EDT 2018
> According to that team the shibd logs don't show any kind of smoking gun.
> Once this begins to occur it appears to continue until action is taken. They have
> been restarting shibd to mitigate, which appears to work until it occurs again,
> but that's not a sustainable solution.
There are no supported relay state options that could possibly be "fixed" by a restart unless you're pointing it at a database or memcache storage back-end for the relayState setting and it's losing its connection. Otherwise it's cookie, in-memory, or literal and all of those are entirely subject to client, IdP, or load balancer whims, never the SP itself.
It's likely that the restart is a red herring but since you mentioned it, I'm compelled to call that impossible without having done something unusual. My guess is restart correlates to "load balanced node change" and this is a deployment with an insufficiently sticky load balancer relying on in-memory relay state, which is impossible.
More information about the users