Consent and mixed-case UIDs

Takeshi NISHIMURA takeshi at nii.ac.jp
Tue Jul 2 04:42:39 EDT 2019


Hi Martin,

See: https://issues.shibboleth.net/jira/browse/OSJ-269

and upgrade to 3.4.4 and/or follow the suggested instructions.

Best regards,
Takeshi

On 2019/07/02 16:46, Martin Haase wrote:
> Hi,
> 
> this is IdP 3.4.3 and we are using a MySQL database with Hikari pooling
> for storedIDs and consent, and sessions. We discovered that pooling goes
> mad, whenever a particular user logs in. This is what's in the logs,
> slightly before the Pool gets dysfunctional:
> 
> 2019-07-01 09:36:01,238 - ERROR
> [org.opensaml.storage.impl.JPAStorageService:349] - Error committing
> transaction
> javax.persistence.RollbackException: Error while committing the transaction
>          at
> org.hibernate.jpa.internal.TransactionImpl.commit(TransactionImpl.java:94)
> Caused by: javax.persistence.PersistenceException:
> org.hibernate.HibernateException: identifier of an instance of
> org.opensaml.storage.impl.JPAStorageRecord was altered from
> intercept/attribute-release:user.name at example.edu:http://sp.edu to
> intercept/attribute-release:User.Name at example.edu:http://sp.edu
> 
>      at
> org.hibernate.event.internal.DefaultFlushEntityEventListener.checkId(DefaultFlushEntityEventListener.java:80)
> 
> Note the change in case of the user id.
> 
> And then the DB goes crazy, and log-in breaks:
> 
> 2019-07-01 09:36:36,324 - ERROR
> [org.hibernate.engine.jdbc.spi.SqlExceptionHelper:146] - HikariPool-0 -
> Connection is not available, request timed out after 30000ms.
> 2019-07-01 09:36:36,326 - ERROR
> [org.opensaml.storage.impl.JPAStorageService:335] - Error reading record
> 'another.user at example.edu'  in context 'intercept/terms-of-use'
>     javax.persistence.PersistenceException:
> org.hibernate.exception.JDBCConnectionException: Could not open connection
> 
> 2019-07-01 09:36:36,326 - ERROR
> [net.shibboleth.idp.consent.flow.storage.impl.ReadConsentFromStorage:67]
> - Profile Action ReadConsentFromStorage: Unable to read consent from storage
> 
> 2019-07-01 09:36:36,342 - ERROR
> [org.opensaml.saml.common.profile.impl.ChainingNameIdentifierGenerator:122]
> - Error while generating identifier
> 
> ...and so on. We suspect this very user earlier once had had a
> userPrincipalName of User.Name at example.edu in the AD, and has been
> changed to user.name at example.edu, after she accepted her consent. The
> Pool gets dysfunctional if and only if such a log-in happens.
> 
> What would you advise here? Of course we deleted the records in the DB
> that caused the issue, for a first aid. But then, is there a "disregard
> case" for consent in configuration? idp.consent.userStorageKeyAttribute
> is userPrincipalName directly, so should we use an auxiliary attribute
> that lower-cases the UPN using a script? People running the IdM say they
> actually don't do this case-change, but I guess this error could happen
> again nonetheless.
> 
> Regards
> 
> Martin
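
Added illustration, not code from this thread, from the Shibboleth IdP or from Hibernate: a constructed in-memory model of the failure Martin's logs show. The model assumes one mechanism, stated here as an assumption rather than a fact from the thread: the database matches the consent key case-insensitively (as a MySQL table with a case-insensitive collation would), while the persistence layer compares the loaded row's identifier to the requested one exactly, so the same user arriving under a differently cased UPN trips an "identifier was altered" error. It then applies the mitigation Martin floats (lower-casing the key before it reaches storage) and adds a small scan that reports existing rows whose keys collide under lower-casing, which is what an operator would want to see before deleting or rewriting records. All names (`ConsentStore`, `replay`, `normalise_key`, `find_case_collisions`) are made up for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Record:
    context: str
    key: str
    value: str


class IdentifierAltered(Exception):
    """Stand-in for the 'identifier ... was altered' HibernateException."""


class ConsentStore:
    """Constructed stand-in for the IdP's JPA-backed storage service.

    Modelled assumption: lookups are case-insensitive (like a case-insensitive
    database collation) but the identity check on the loaded row is exact.
    """

    def __init__(self):
        self._rows = []

    def _find(self, context, key):
        # Case-insensitive match on the key, mimicking the collation.
        for row in self._rows:
            if row.context == context and row.key.casefold() == key.casefold():
                return row
        return None

    def read(self, context, key):
        row = self._find(context, key)
        return None if row is None else row.value

    def upsert(self, context, key, value):
        row = self._find(context, key)
        if row is None:
            self._rows.append(Record(context, key, value))
            return
        # Exact comparison: a key that differs only by case is treated as the
        # record's identifier having changed under us.
        if row.key != key:
            raise IdentifierAltered(
                f"identifier was altered from {row.context}:{row.key} "
                f"to {context}:{key}")
        row.value = value


def normalise_key(upn):
    """Lower-case the storage key before it reaches the store (the proposed
    auxiliary-attribute mitigation, modelled here as a plain function)."""
    return upn.lower()


# Constructed context and SP entity ID, following the thread's log lines.
CONTEXT = "intercept/attribute-release"
SP = "http://sp.edu"


def replay(upns, normalise=False):
    """Replay consent writes for one user under a sequence of UPN spellings.

    Returns ('ok', last stored value) or ('error', message), so the effect
    of a case change with and without key normalisation can be compared.
    """
    store = ConsentStore()
    key_for = (lambda u: normalise_key(u) + ":" + SP) if normalise \
        else (lambda u: u + ":" + SP)
    try:
        for i, upn in enumerate(upns):
            store.upsert(CONTEXT, key_for(upn), f"consent-{i}")
    except IdentifierAltered as exc:
        return ("error", str(exc))
    return ("ok", store.read(CONTEXT, key_for(upns[-1])))


def find_case_collisions(records):
    """Group existing records whose keys differ only by case within a context.

    Intended for a dump of the consent table: rows reported here are the ones
    that would clash once keys are lower-cased and need operator attention.
    """
    groups = defaultdict(set)
    for rec in records:
        groups[(rec.context, rec.key.casefold())].add(rec.key)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    print(replay(["User.Name@example.edu", "user.name@example.edu"]))
    print(replay(["User.Name@example.edu", "user.name@example.edu"],
                 normalise=True))
```

Running the block shows the first replay failing with the altered-identifier message and the second, normalised, replay succeeding with the updated consent value. Whether the real root cause matches this model is for the linked issue to say; the point of the example is that lookup and identity comparison must agree on case, and normalising the key at the attribute-resolver boundary is the one place that guarantees it.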

