Consent and mixed-case UIDs
Martin Haase
Martin.Haase at DAASI.de
Tue Jul 2 03:46:58 EDT 2019
Hi,
this is IdP 3.4.3 and we are using a MySQL database with Hikari pooling
for storedIDs, consent, and sessions. We discovered that pooling goes
mad whenever a particular user logs in. This is what's in the logs,
slightly before the pool gets dysfunctional:
2019-07-01 09:36:01,238 - ERROR
[org.opensaml.storage.impl.JPAStorageService:349] - Error committing
transaction
javax.persistence.RollbackException: Error while committing the transaction
at
org.hibernate.jpa.internal.TransactionImpl.commit(TransactionImpl.java:94)
Caused by: javax.persistence.PersistenceException:
org.hibernate.HibernateException: identifier of an instance of
org.opensaml.storage.impl.JPAStorageRecord was altered from
intercept/attribute-release:user.name at example.edu:http://sp.edu to
intercept/attribute-release:User.Name at example.edu:http://sp.edu
at
org.hibernate.event.internal.DefaultFlushEntityEventListener.checkId(DefaultFlushEntityEventListener.java:80)
Note the change in case of the user id.
And then the DB goes crazy, and log-in breaks:
2019-07-01 09:36:36,324 - ERROR
[org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146] - HikariPool-0 -
Connection is not available, request timed out after 30000ms.
2019-07-01 09:36:36,326 - ERROR
[org.opensaml.storage.impl.JPAStorageService:335] - Error reading record
'another.user at example.edu' in context 'intercept/terms-of-use'
javax.persistence.PersistenceException:
org.hibernate.exception.JDBCConnectionException: Could not open connection
2019-07-01 09:36:36,326 - ERROR
[net.shibboleth.idp.consent.flow.storage.impl.ReadConsentFromStorage:67]
- Profile Action ReadConsentFromStorage: Unable to read consent from storage
2019-07-01 09:36:36,342 - ERROR
[org.opensaml.saml.common.profile.impl.ChainingNameIdentifierGenerator:122]
- Error while generating identifier
...and so on. We suspect this very user once had a userPrincipalName of
User.Name at example.edu in the AD, which was changed to
user.name at example.edu after she accepted her consent. The pool gets
dysfunctional if and only if such a log-in happens.
What would you advise here? Of course we deleted the records in the DB
that caused the issue, as first aid. But then, is there a "disregard
case" option for consent in the configuration? idp.consent.userStorageKeyAttribute
is userPrincipalName directly, so should we use an auxiliary attribute
that lower-cases the UPN using a script? People running the IdM say they
actually don't do this case change, but I guess this error could happen
again nonetheless.
Regards
Martin
--
Dr. Martin Haase, Solutions Engineer
DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany
phone: +49 7071 407109-0
fax: +49 7071 407109-9
email: martin.haase at daasi.de
web: www.daasi.de
Registered office: Tübingen
Register court: Amtsgericht Stuttgart, HRB 382175
Management: Peter Gietz
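Added example, not from the original post or from the Shibboleth project: one way to implement the auxiliary attribute the post suggests, as a ScriptedAttribute in attribute-resolver.xml of an IdP 3.4 install. It assumes an existing resolver attribute with id userPrincipalName populated from AD; the id consentKeyUPN is a hypothetical name chosen here.

```xml
<!-- attribute-resolver.xml (IdP 3.4 syntax): derive a case-normalised copy of the UPN
     so that the consent storage key does not change when the directory value
     changes case. The id "consentKeyUPN" is an assumed name. -->
<AttributeDefinition id="consentKeyUPN" xsi:type="ScriptedAttribute">
    <!-- assumes a resolver attribute "userPrincipalName" already exists -->
    <InputAttributeDefinition ref="userPrincipalName"/>
    <Script><![CDATA[
        // Nashorn script: input attributes are exposed as variables named by their
        // resolver id; the attribute being built is exposed under its own id.
        // Every UPN value is lower-cased, so "User.Name@example.edu" and
        // "user.name@example.edu" yield the same storage key
        // (intercept/attribute-release:user.name@example.edu:<sp>).
        if (typeof userPrincipalName != "undefined" && userPrincipalName != null) {
            var values = userPrincipalName.getValues();
            for (var i = 0; i < values.size(); i++) {
                var upn = values.get(i).getValue();
                if (upn != null) {
                    consentKeyUPN.addValue(upn.toString().toLowerCase());
                }
            }
        }
    ]]></Script>
</AttributeDefinition>
```

Then point the consent flow at it in idp.properties with `idp.consent.userStorageKeyAttribute = consentKeyUPN`. The new attribute needs no encoder, so it is never released to SPs; keep it single-valued, since only one value can serve as a storage key. Two caveats: existing consent records keyed under the raw UPN will no longer match, so affected users are asked for consent once more, and records already stored under both spellings must still be removed by hand, as the post describes, because the script only prevents new mismatches.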