Consent and mixed-case UIDs

Martin Haase Martin.Haase at
Tue Jul 2 03:46:58 EDT 2019


This is IdP 3.4.3 and we are using a MySQL database with Hikari pooling
for storedIDs and consent, and sessions. We discovered that pooling goes
mad whenever a particular user logs in. This is what's in the logs,
slightly before the Pool gets dysfunctional:

2019-07-01 09:36:01,238 - ERROR
[] - Error committing
javax.persistence.RollbackException: Error while committing the transaction
Caused by: javax.persistence.PersistenceException:
org.hibernate.HibernateException: identifier of an instance of was altered from
intercept/ at to
intercept/attribute-release:User.Name at


Note the change in case of the user id.

And then the DB goes crazy, and log-in breaks:

2019-07-01 09:36:36,324 - ERROR
[org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146] - HikariPool-0 -
Connection is not available, request timed out after 30000ms.
2019-07-01 09:36:36,326 - ERROR
[] - Error reading record
'another.user at'  in context 'intercept/terms-of-use'
org.hibernate.exception.JDBCConnectionException: Could not open connection

2019-07-01 09:36:36,326 - ERROR
- Profile Action ReadConsentFromStorage: Unable to read consent from storage

2019-07-01 09:36:36,342 - ERROR
- Error while generating identifier

...and so on. We suspect this very user earlier once had had a
userPrincipalName of User.Name at in the AD, and has been
changed to at, after she accepted her consent. The
Pool gets dysfunctional if and only if such a log-in happens.

What would you advise here? Of course we deleted the records in the DB
that caused the issue, as first aid. But then, is there a "disregard
case" for consent in configuration? idp.consent.userStorageKeyAttribute
is userPrincipalName directly, so should we use an auxiliary attribute
that lower-cases the UPN using a script? People running the IdM say they
actually don't do this case-change, but I guess this error could happen
again nonetheless.



Dr. Martin Haase, Solutions Engineer

DAASI International GmbH        
Europaplatz 3                   
D-72072 Tübingen                

phone: +49 7071 407109-0
fax:   +49 7071 407109-9  
email: martin.haase at

Registered office: Tübingen
Court of registration: Amtsgericht Stuttgart, HRB 382175
Management: Peter Gietz
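
The message above asks about lower-casing the consent storage key. As an added example (not part of the original post and not Shibboleth code), the sketch below audits stored consent keys before such a switch and separates rows that can simply be re-keyed from rows where two spellings of one key coexist. It assumes the records have been exported as (context, id) pairs; the function names, the sample ids and the example.org domain are constructed for illustration.

```javascript
// Constructed sample rows shaped like (context, id) keys of stored consent
// records. The contexts appear in the logs above; the ids are made up.
const SAMPLE_RECORDS = [
  { context: 'intercept/attribute-release', id: 'User.Name@example.org' },
  { context: 'intercept/terms-of-use',      id: 'User.Name@example.org' },
  { context: 'intercept/terms-of-use',      id: 'another.user@example.org' },
  { context: 'intercept/attribute-release', id: 'user.name@example.org' },
];

// Hypothetical normaliser: the value a lower-cased auxiliary attribute
// would carry for a given userPrincipalName.
function normalizeStorageKey(upn) {
  return String(upn).trim().toLowerCase();
}

// Classify every stored key within its context:
//  - rename:    one spelling exists and it differs from the normalised key,
//               so the row can be re-keyed without conflict
//  - collision: several spellings of the same key exist in one context and
//               have to be merged or deleted by hand
function auditStoredKeys(records) {
  const groups = new Map();
  for (const { context, id } of records) {
    const key = normalizeStorageKey(id);
    const slot = context + '\u0000' + key;
    if (!groups.has(slot)) groups.set(slot, { context, key, spellings: new Set() });
    groups.get(slot).spellings.add(id);
  }
  const report = { rename: [], collision: [] };
  for (const { context, key, spellings } of groups.values()) {
    const seen = [...spellings].sort();
    if (seen.length > 1) {
      report.collision.push({ context, key, spellings: seen });
    } else if (seen[0] !== key) {
      report.rename.push({ context, from: seen[0], to: key });
    }
  }
  return report;
}

console.log(JSON.stringify(auditStoredKeys(SAMPLE_RECORDS), null, 2));
```

Rows reported under `collision` are the ones to resolve before the IdP starts looking records up by the lower-cased key.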
