Errors seen in shibd.log 'replay detected of message ID'

Nate Klingenstein ndk at signet.id
Wed May 8 08:11:40 EDT 2019


arrk,

There are multiple potential causes of that error, but the most common would be the user clicking the back button right after login has completed.  If you can rule that out, we can talk about some of the more esoteric possibilities.  The IdP error will be much better elucidated (hopefully) if you turn your logging up to DEBUG for the root category in shibd.logger.  You'll at least get the response logged, which will have the SAML status code, which may or may not prove useful.  Your ultimate answer on that one is going to be on the IdP side and hopefully in the IdP's logs.

Hope this helps,
Nate.
 
-----Original message-----
> From: arrk_shoba
> Sent: Wednesday, May 8 2019, 5:50 am
> To: users at shibboleth.net
> Subject: Errors seen in shibd.log 'replay detected of message ID'
> 
> 
> 
> Hi,
> 
> We are a multi-tenant application allowing login via multiple IdPs. Most of those are Shibboleth IdPs and some are using ADFS. Of late, we see frequent errors in the shibd.log for ADFS providers:
> 
> 2019-05-04 12:49:53 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [1] [SP URL]: replay detected of message ID (_f3ce22fe-1c01-41c5-9e18-205b77b04b73)
> 2019-05-04 12:49:53 WARN Shibboleth.SSO.SAML2 [1] [SP URL]: error processing incoming assertion: Rejecting replayed message ID (_f3ce22fe-1c01-41c5-9e18-205b77b04b73).
> 2019-05-04 12:49:55 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [3] [SP URL]: replay detected of message ID (_f3ce22fe-1c01-41c5-9e18-205b77b04b73)
> 2019-05-04 12:49:55 WARN Shibboleth.SSO.SAML2 [3] [SP URL]: error processing incoming assertion: Rejecting replayed message ID (_f3ce22fe-1c01-41c5-9e18-205b77b04b73).
> 
> For a few of the requests, we have seen the following errors as well:
> 2019-05-07 13:42:53 WARN Shibboleth.SSO.SAML2 [2] [SP URL]: error processing incoming assertion: SAML response reported an IdP error.
> 
> Is there any configuration at SP side that we must be checking to address these issues?
> 
> 
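An added example, not part of the original thread and not Shibboleth code: a small Python script that groups the `replay detected of message ID` lines from shibd.log by message ID, so you can see how many distinct responses were rejected and how close together the repeats arrived. The sample input is constructed from the log lines quoted above, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, built from the lines quoted in the post.
SAMPLE_LOG = """\
2019-05-04 12:49:53 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [1] [SP URL]: replay detected of message ID (_f3ce22fe-1c01-41c5-9e18-205b77b04b73)
2019-05-04 12:49:53 WARN Shibboleth.SSO.SAML2 [1] [SP URL]: error processing incoming assertion: Rejecting replayed message ID (_f3ce22fe-1c01-41c5-9e18-205b77b04b73).
2019-05-04 12:49:55 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [3] [SP URL]: replay detected of message ID (_f3ce22fe-1c01-41c5-9e18-205b77b04b73)
2019-05-07 13:42:53 WARN Shibboleth.SSO.SAML2 [2] [SP URL]: error processing incoming assertion: SAML response reported an IdP error.
"""

# Match only the ERROR line so each rejection is counted once
# (the paired WARN line repeats the same message ID).
REPLAY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ERROR "
    r"OpenSAML\.SecurityPolicyRule\.MessageFlow .*"
    r"replay detected of message ID \((?P<mid>[^)]+)\)"
)


def summarize_replays(log_text):
    """Return {message_id: {count, first, last, span_seconds}} for replay rejections."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = REPLAY_RE.match(line.lstrip("> "))  # tolerate mail-quoted lines
        if m:
            seen[m["mid"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    summary = {}
    for mid, stamps in seen.items():
        stamps.sort()
        summary[mid] = {
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "span_seconds": (stamps[-1] - stamps[0]).total_seconds(),
        }
    return summary


def idp_error_count(log_text):
    """Count the separate 'IdP error' warnings, which need the IdP's logs to explain."""
    needle = "SAML response reported an IdP error"
    return sum(needle in line for line in log_text.splitlines())


if __name__ == "__main__":
    for mid, info in summarize_replays(SAMPLE_LOG).items():
        print(f"{mid}: {info['count']} rejections over {info['span_seconds']:.0f}s "
              f"({info['first']} to {info['last']})")
    print("IdP error warnings:", idp_error_count(SAMPLE_LOG))
```

A single ID rejected several times within a few seconds is what a resubmitted login response, such as the back-button case mentioned in the reply, looks like in this summary.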

