Shibboleth SP session storage issue
Spencer Thomas
Spencer.Thomas at ithaka.org
Mon Apr 13 10:02:36 EDT 2020
Cathy,

This may or may not be your issue. When we upgraded from SP2 to SP3, we had to make changes to several config files. We had several symptoms, but one of them looked very much like what you are reporting.
In shibboleth2.xml,
<Sessions checkAddress="false" handlerSSL="false" lifetime="28800" relayState="ss:mem" timeout="3600">
changed to
<Sessions checkAddress="false" lifetime="28800" relayState="ss:mem" timeout="3600" redirectLimit="host" cookieProps="; path=/; HttpOnly" handlerSSL="false" consistentAddress="false">
Some of these are unique to our setup, such as handlerSSL="false" because we are inside a VPN where SSL is handled at the boundary.
consistentAddress="false" because we are fronted by an AWS ELB and requests can come from multiple apparent IP addresses – this was critical to getting it to work consistently.
Also important, because we are using AJP to connect to our back-end Java app from Apache, was this change to the Tomcat server.xml.
- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false"/>
+ <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" secretRequired="false" allowedRequestAttributesPattern=".*"/>
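Review bot: secretRequired="false" on the AJP connector switches off the shared-secret check that Tomcat uses so that an AJP connector is not trusted implicitly, and allowedRequestAttributesPattern=".*" accepts every request attribute the proxy forwards. If the connector is reachable from anything other than the Apache host, keep secretRequired="true", set the same value in secret="..." on the Connector and in the secret= option of the mod_proxy_ajp ProxyPass worker, and narrow the pattern to the attribute names the SP actually exports instead of ".*".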
--
Spencer Thomas
Technical Architect / JSTOR and Artstor
ITHAKA (https://www.ithaka.org/) / 301 E. Liberty St, Suite 250, Ann Arbor, MI 48104
Email: Spencer.Thomas at ithaka.org
Voicemail: 734-887-7004
From: users <users-bounces at shibboleth.net> on behalf of Cathy Scott <cathystill at gmail.com>
Reply-To: Shib Users <users at shibboleth.net>
Date: Monday, April 13, 2020 at 9:40 AM
To: Shib Users <users at shibboleth.net>
Subject: Shibboleth SP session storage issue
Hello all,
Hoping to get assistance with a session state issue. Users are successfully authenticating but the session is almost immediately removed. Shib SP v3.0.4.1, upgraded from v2. Here are selected log examples. Any assistance would be greatly appreciated, thanks.
native_warn.log
2020-04-13 07:31:36 ERROR Shibboleth.Apache [2372] shib_check_user: Unable to obtain session to export to request.
2020-04-13 07:33:14 ERROR Shibboleth.Listener [2372] shib_check_user [default]: remoted message returned an error: Your session is not available in the session store, and you must re-authenticate.
2020-04-13 07:42:59 ERROR Shibboleth.Apache [2372] shib_handler: Failure sending remoted message (default/SAML2/POST).
2020-04-13 07:43:31 ERROR Shibboleth.Apache [2372] shib_check_user: Failure sending remoted message (set::RelayState).
shibd.log
2020-04-13 07:29:52 INFO Shibboleth.SessionCache [2] [default]: new session created: ID (_d7acbb8046b19034e92a0f7aade41ecd) IdP (https://clienturl/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (xxx.xxx.71.6)
2020-04-13 07:29:53 INFO Shibboleth.SessionCache [2] [default]: removed session (_d7acbb8046b19034e92a0f7aade41ecd)
2020-04-13 07:31:24 INFO Shibboleth.SessionCache [4] [default]: new session created: ID (_f140df61cc28d15ba00aac901ad6e131) IdP (https://clienturl/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (xxx.xxx.71.6)
2020-04-13 07:31:27 INFO Shibboleth.SessionCache [4] [default]: removed session (_f140df61cc28d15ba00aac901ad6e131)
2020-04-13 08:13:43 INFO Shibboleth.SessionCache [1] [default]: new session created: ID (_e8208c8a842b990b94c1a5be050eed7e) IdP (https://clienturl/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (xxx.xxx.71.28)
2020-04-13 08:13:44 INFO Shibboleth.SessionCache [4] [default]: removed session (_e8208c8a842b990b94c1a5be050eed7e)
2020-04-13 08:13:44 INFO Shibboleth.SessionCache [4] [default]: session (ID: _e8208c8a842b990b94c1a5be050eed7e) no longer in storage
2020-04-13 08:13:44 INFO Shibboleth.SessionCache [4] [default]: removed session (_e8208c8a842b990b94c1a5be050eed7e
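The shibd.log excerpt above shows each session being removed one to three seconds after it is created. The script below is an added example (not from the thread or the Shibboleth project) that pairs "new session created" and "removed session" lines by session ID and reports sessions that lived no longer than a threshold, together with the client address the SP recorded, so that a run over a real shibd.log shows whether the short-lived sessions cluster on particular addresses (as with the ELB case described in the reply). The log lines embedded here are constructed, with placeholder session IDs, IdP URL and addresses.

```python
import re
from datetime import datetime

# Constructed sample modelled on the shibd.log lines in the thread; IDs and
# addresses are placeholders, not values from the original post.
SAMPLE_LOG = """\
2020-04-13 07:29:52 INFO Shibboleth.SessionCache [2] [default]: new session created: ID (_aaa111) IdP (https://idp.example.org/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (10.0.71.6)
2020-04-13 07:29:53 INFO Shibboleth.SessionCache [2] [default]: removed session (_aaa111)
2020-04-13 07:31:24 INFO Shibboleth.SessionCache [4] [default]: new session created: ID (_bbb222) IdP (https://idp.example.org/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (10.0.71.6)
2020-04-13 08:31:27 INFO Shibboleth.SessionCache [4] [default]: removed session (_bbb222)
2020-04-13 08:13:43 INFO Shibboleth.SessionCache [1] [default]: new session created: ID (_ccc333) IdP (https://idp.example.org/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (10.0.71.28)
2020-04-13 08:13:44 INFO Shibboleth.SessionCache [4] [default]: removed session (_ccc333)
2020-04-13 08:13:44 INFO Shibboleth.SessionCache [4] [default]: removed session (_ccc333)
"""

# Timestamp, session ID and recorded client address of a creation line.
CREATED = re.compile(
    r"^(\S+ \S+) .*new session created: ID \(([^)]+)\) .*Address \(([^)]+)\)")
# Timestamp and session ID of a removal line.
REMOVED = re.compile(r"^(\S+ \S+) .*removed session \(([^)]+)\)")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def short_lived_sessions(log_text, max_seconds=10):
    """Return [(session_id, address, lifetime_seconds)] for every session
    whose removal follows its creation by at most max_seconds.
    Duplicate removal lines (as in the thread's log) are counted once;
    sessions that are never removed are not reported."""
    created = {}   # session id -> (created_at, address)
    hits = []
    for line in log_text.splitlines():
        m = CREATED.search(line)
        if m:
            created[m.group(2)] = (parse_ts(m.group(1)), m.group(3))
            continue
        m = REMOVED.search(line)
        if m and m.group(2) in created:
            started, address = created.pop(m.group(2))
            lifetime = (parse_ts(m.group(1)) - started).total_seconds()
            if lifetime <= max_seconds:
                hits.append((m.group(2), address, lifetime))
    return hits


def addresses_with_short_sessions(log_text, max_seconds=10):
    """Count short-lived sessions per recorded client address."""
    counts = {}
    for _sid, address, _life in short_lived_sessions(log_text, max_seconds):
        counts[address] = counts.get(address, 0) + 1
    return counts


if __name__ == "__main__":
    for sid, address, life in short_lived_sessions(SAMPLE_LOG):
        print(f"{sid} from {address} lived {life:.0f}s")
    print(addresses_with_short_sessions(SAMPLE_LOG))
```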