Client persistent storage not remembering user

Thomas Colin de Verdière tdeverdiere at kapit.fr
Tue Mar 6 09:30:27 EST 2018


Hello,

I am using Shibboleth 3.3.2 with JDK 8, and testing on Firefox 58.0.2.

I am facing 2 problems that may be linked. The logout 'SAML Logout' is not
working: it goes to the page where SPs are logged out, but the icons in
front of the SPs never go green.
The second problem is that sessions are not retrieved between 2 login
attempts. Here is the test I do:
- Go to the SP that redirects to the Shibboleth login page
- Log in, and Shibboleth redirects to the SP via the
client-storage/client-storage-write.vm page. I saw it briefly, and I can
confirm because I see in the browser local storage: shib_idp_session_ss.
- I close the browser
- I reopen it and go to the SP.
- It redirects to the IdP login page without retrieving the older session.

--------------------
I see the browser is redirected to the /client-storage/client-storage-read.vm
template, because I removed the <body onload="doLoad()"> and put a button:
<button onclick="doLoad()">Load stored session</button>
- A request is sent to
https://localhost/idp/profile/SAML2/POST/SSO;jsessionid=23F5A89297C2949B63A6272AD436DC07?execution=e1s1
With the following parameters:
_eventId_proceed:
shib_idp_ls_exception.shib_idp_persistent_ss:
shib_idp_ls_exception.shib_idp_session_ss:
shib_idp_ls_success.shib_idp_persistent_ss:    true
shib_idp_ls_success.shib_idp_session_ss:    true
shib_idp_ls_supported:    true
shib_idp_ls_value.shib_idp_persistent_ss:    [long base64 value omitted]
shib_idp_ls_value.shib_idp_session_ss:

As I see shib_idp_persistent_ss is not stored the first time in
client-storage-write.vm, maybe that is the problem?


--------------------
Here are the idp.properties details. I configured it this way to use the
'SAML Logout' as in
https://wiki.shibboleth.net/confluence/display/IDP30/LogoutConfiguration.
And I put idp.session.maskStorageFailure = false, wishing to have more
debug info, but it does not give me what I expected.

idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties

idp.entityID= https://localhost:443/idp/shibboleth

idp.scope= localhost

idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks
idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver
idp.sealer.storePassword= xxxxx (removed for safety)
idp.sealer.keyPassword= xxxxx (removed for safety)

idp.signing.key= %{idp.home}/credentials/idp-signing.key
idp.signing.cert= %{idp.home}/credentials/idp-signing.crt
idp.encryption.key= %{idp.home}/credentials/idp-encryption.key
idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt

idp.storage.htmlLocalStorage = true

idp.session.StorageService = shibboleth.ClientPersistentStorageService

idp.session.maskStorageFailure = false
idp.session.trackSPSessions = true
idp.session.secondaryServiceIndex = true

idp.authn.flows= Password

idp.logout.authenticated = true

idp.ui.fallbackLanguages= en,fr,de

--------------------

I have lots of server logs because I put every logger in DEBUG. I can give
more logs if needed. Here is an extract of the ones just after clicking on
the 'Load stored session' button:

2018-03-06 14:40:01,755 - DEBUG
[org.springframework.web.servlet.DispatcherServlet:865] - DispatcherServlet
with name 'idp' processing POST request for
[/idp/profile/SAML2/POST/SSO;jsessionid=A17C5D1A983E976538092F60C17D0DE8]
2018-03-06 14:40:01,755 - DEBUG
[org.springframework.webflow.mvc.servlet.FlowHandlerMapping:108] - Mapping
request with URI
'/idp/profile/SAML2/POST/SSO;jsessionid=A17C5D1A983E976538092F60C17D0DE8'
to flow with id 'SAML2/POST/SSO'
2018-03-06 14:40:01,756 - DEBUG
[org.springframework.webflow.executor.FlowExecutorImpl:161] - Resuming flow
execution with key 'e1s1
2018-03-06 14:40:01,756 - DEBUG
[org.springframework.webflow.conversation.impl.SessionBindingConversationManager:75]
- Locking conversation 1
2018-03-06 14:40:01,756 - DEBUG
[org.springframework.webflow.execution.repository.impl.DefaultFlowExecutionRepository:106]
- Getting flow execution with key 'e1s1'
2018-03-06 14:40:01,756 - DEBUG
[org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl:58]
- Getting FlowDefinition with id 'SAML2/POST/SSO'
2018-03-06 14:40:01,756 - DEBUG
[org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl:58]
- Getting FlowDefinition with id 'client-storage/read'
2018-03-06 14:40:01,756 - DEBUG
[org.springframework.webflow.execution.factory.ConditionalFlowExecutionListenerLoader:85]
- Loaded [1] of possible 1 listeners for this execution request for flow
'SAML2/POST/SSO', the listeners to attach are
list[net.shibboleth.idp.profile.support.ProfileRequestContextFlowExecutionListener at 1338a5f5
]
2018-03-06 14:40:01,756 - DEBUG
[org.springframework.webflow.engine.impl.FlowExecutionImpl:250] - Resuming
in org.springframework.webflow.mvc.servlet.MvcExternalContext at 2a92f85b
2018-03-06 14:40:01,757 - DEBUG
[org.springframework.webflow.mvc.view.AbstractMvcView:224] - Processing
user event 'proceed'
2018-03-06 14:40:01,757 - DEBUG
[org.springframework.webflow.mvc.view.AbstractMvcView:246] - No model to
bind to; done processing user event
2018-03-06 14:40:01,757 - DEBUG
[org.springframework.webflow.engine.ViewState:229] - Event 'proceed'
returned from view [ServletMvcView at 25a61ea4 view =
org.springframework.web.servlet.view.velocity.VelocityView: name
'/client-storage/client-storage-read'; URL
[/client-storage/client-storage-read.vm]]
2018-03-06 14:40:01,757 - DEBUG
[org.springframework.webflow.engine.Transition:214] - Executing
[Transition at 1543535e on = proceed, to = LoadClientStorageServices]
2018-03-06 14:40:01,757 - DEBUG
[org.springframework.webflow.engine.Transition:222] - Exiting state
'LocalStorageRead'
2018-03-06 14:40:01,758 - DEBUG
[org.springframework.webflow.engine.ActionState:189] - Entering state
'LoadClientStorageServices' of flow 'client-storage/read'
2018-03-06 14:40:01,758 - DEBUG
[org.springframework.webflow.execution.ActionExecutor:49] - Executing
[EvaluateAction at 5041df92 expression = LoadClientStorageServices,
resultExpression = [null]]
2018-03-06 14:40:01,758 - DEBUG
[org.springframework.webflow.execution.AnnotatedAction:142] - Putting
action execution attributes map[[empty]]
2018-03-06 14:40:01,758 - DEBUG
[org.springframework.beans.factory.support.DefaultListableBeanFactory:448]
- Creating instance of bean 'LoadClientStorageServices'
2018-03-06 14:40:01,758 - DEBUG
[org.springframework.beans.factory.support.DefaultListableBeanFactory:251]
- Returning cached instance of singleton bean
'shibboleth.HttpServletRequest'
2018-03-06 14:40:01,792 - DEBUG
[org.springframework.beans.factory.support.DefaultListableBeanFactory:251]
- Returning cached instance of singleton bean
'shibboleth.ClientStorageServices'
2018-03-06 14:40:01,793 - DEBUG
[org.springframework.beans.factory.support.DefaultListableBeanFactory:1678]
- Invoking init method  'initialize' on bean with name
'LoadClientStorageServices'
2018-03-06 14:40:01,793 - DEBUG
[org.springframework.beans.factory.support.DefaultListableBeanFactory:484]
- Finished creating instance of bean 'LoadClientStorageServices'
2018-03-06 14:40:01,793 - DEBUG
[org.springframework.webflow.execution.ActionExecutor:49] - Executing
net.shibboleth.idp.profile.impl.WebFlowProfileActionAdaptor at 617f2bd0
2018-03-06 14:40:01,797 - DEBUG
[org.springframework.webflow.execution.ActionExecutor:53] - Finished
executing
net.shibboleth.idp.profile.impl.WebFlowProfileActionAdaptor at 617f2bd0;
result = null

Thank you

Thomas

<http://www.iobeya.com/>
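An added diagnostic, not part of the original post and not Shibboleth's own code: it groups the shib_idp_ls_* fields that the client-storage read page posts back (the parameter layout shown above) per storage service, flags a service that reported success but returned no value, and reads the sealer key alias that DataSealer leaves in clear at the front of each sealed value, so you can tell which sealer key version (sealer.kver) wrote a stored blob without decrypting it. The sample POST body and the sealed value are constructed; the alias layout (Java writeUTF: 2-byte big-endian length, then the alias, followed by IV and ciphertext) is an assumption about DataSealer's wrap format to verify against your version.

```python
import base64
import struct
from urllib.parse import parse_qs, urlencode

# Constructed sample of the POST the client-storage read page sends back
# (field names as in the mail); the sealed value is a FAKE blob.
FAKE_SEALED = base64.b64encode(
    b"\x00\x07secret1"   # writeUTF(alias): 2-byte length, then "secret1"
    + b"\x11" * 12       # fake IV bytes (real length not asserted here)
    + b"\x22" * 32       # fake ciphertext bytes
).decode("ascii")
SAMPLE_BODY = urlencode([
    ("_eventId_proceed", ""),
    ("shib_idp_ls_exception.shib_idp_persistent_ss", ""),
    ("shib_idp_ls_exception.shib_idp_session_ss", ""),
    ("shib_idp_ls_success.shib_idp_persistent_ss", "true"),
    ("shib_idp_ls_success.shib_idp_session_ss", "true"),
    ("shib_idp_ls_supported", "true"),
    ("shib_idp_ls_value.shib_idp_persistent_ss", FAKE_SEALED),
    ("shib_idp_ls_value.shib_idp_session_ss", ""),
])

def sealer_key_alias(blob_b64):
    """Key alias in clear at the front of a DataSealer blob (assumed layout:
    Java writeUTF = 2-byte big-endian length + alias). Nothing is decrypted."""
    raw = base64.b64decode(blob_b64)
    length = struct.unpack(">H", raw[:2])[0] if len(raw) >= 2 else 0
    if length == 0 or len(raw) < 2 + length:
        raise ValueError("not a sealed blob: bad alias length")
    return raw[2:2 + length].decode("utf-8")

def summarize_client_storage(body):
    """Group the shib_idp_ls_* fields per storage service and flag empty reads."""
    fields = parse_qs(body, keep_blank_values=True)
    report = {"supported": fields.get("shib_idp_ls_supported", [""])[0] == "true", "services": {}}
    for name, values in fields.items():
        if not name.startswith("shib_idp_ls_") or "." not in name:
            continue
        kind, service = name[len("shib_idp_ls_"):].split(".", 1)
        entry = report["services"].setdefault(service, {"success": False, "exception": "", "value": ""})
        if kind == "success":
            entry["success"] = values[0] == "true"
        elif kind in ("exception", "value"):
            entry[kind] = values[0]
    for entry in report["services"].values():
        # success=true with an empty value: the key was absent from the browser's storage
        entry["empty"] = entry["success"] and entry["value"] == ""
        entry["key_alias"] = sealer_key_alias(entry["value"]) if entry["value"] else None
    return report
```

Run against a real captured body, the report shows at a glance which storage service came back empty and which sealer key alias the surviving blob was written with.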