Shibboleth SP session storage issue
Cathy Scott
cathystill at gmail.com
Mon Apr 13 10:32:43 EDT 2020
Thanks Spencer! And I did hear back that users are able to log in and
maintain a session. I greatly appreciate your assistance.
On Mon, Apr 13, 2020 at 7:23 AM Spencer Thomas <Spencer.Thomas at ithaka.org>
wrote:
> If you are using SSL all the way through to your SP, you should set those
> differently, as indicated in the messages.
>
>
>
> *From: *users <users-bounces at shibboleth.net> on behalf of Cathy Scott <
> cathystill at gmail.com>
> *Reply-To: *Shib Users <users at shibboleth.net>
> *Date: *Monday, April 13, 2020 at 10:21 AM
> *To: *Shib Users <users at shibboleth.net>
> *Subject: *Re: Shibboleth SP session storage issue
>
>
>
> Thanks so much for the quick response, Spencer. I'll see if that resolves
> the matter.
>
>
>
> Follow-up question. After making the change, I get these WARNs. Are these
> concerning?
>
> 2020-04-13 09:09:37 WARN Shibboleth.Application : custom cookieProps
> setting should include "; secure" for SSL/TLS-only usage
> 2020-04-13 09:09:37 WARN Shibboleth.Application : handlerSSL should be
> enabled for SSL/TLS-enabled web sites
>
>
>
> Thanks again,
>
> Cathy
>
>
>
> On Mon, Apr 13, 2020 at 7:02 AM Spencer Thomas <Spencer.Thomas at ithaka.org>
> wrote:
>
> Cathy, This may or may not be your issue. When we upgraded from SP2 to
> SP3, we had to make changes to several config files. We had several
> symptoms, but one of them looked very much like what you are reporting.
>
>
>
> In shibboleth2.xml,
>
> <Sessions checkAddress="false" handlerSSL="false" lifetime="28800"
> relayState="ss:mem" timeout="3600">
>
> changed to
>
> <Sessions checkAddress="false" lifetime="28800" relayState="ss:mem"
> timeout="3600" redirectLimit="host" cookieProps="; path=/; HttpOnly"
> handlerSSL="false" consistentAddress="false">
>
>
>
> Some of these are unique to our setup, such as handlerSSL="false" because
> we are inside a VPN where SSL is handled at the boundary.
>
> consistentAddress="false" because we are fronted by an AWS ELB and
> requests can come from multiple apparent IP addresses; this was critical
> to getting it to work consistently.
>
>
>
> Also important, because we are using AJP to connect to our back-end Java
> app from Apache was this change to the Tomcat server.xml.
>
>
>
> - <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
> tomcatAuthentication="false"/>
>
> + <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
> tomcatAuthentication="false" secretRequired="false"
> allowedRequestAttributesPattern=".*"/>
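Review bot: `secretRequired="false"` together with `allowedRequestAttributesPattern=".*"` on the `+` line switches off both of the AJP protections that newer Tomcat releases turn on by default, so the connector will accept any AJP client that can reach port 8009 and will forward every request attribute that client sends, which is exactly the channel the Shibboleth attributes travel on. Prefer a `secret="..."` on the connector matched by the same `secret` option on the `ProxyPass` for mod_proxy_ajp, keep the connector's `address` bound to 127.0.0.1 or the VPN-internal interface so only the local Apache can talk to it, and narrow the pattern to the attribute names the SP actually exports instead of `.*`. The change should also record which Tomcat version introduced these attributes, since older connectors reject them.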
>
>
>
>
>
> *--*
>
>
> *Spencer Thomas *Technical Architect */* JSTOR and Artstor
> ITHAKA <https://www.ithaka.org/> */* 301 E. Liberty St, Suite 250, Ann
> Arbor, MI 48104
> Email: Spencer.Thomas at ithaka.org
>
> Voicemail: 734-887-7004
>
> *From: *users <users-bounces at shibboleth.net> on behalf of Cathy Scott
> cathystill at gmail.com
>
>
> *Reply-To: *Shib Users <users at shibboleth.net>
> *Date: *Monday, April 13, 2020 at 9:40 AM
> *To: *Shib Users <users at shibboleth.net>
> *Subject: *Shibboleth SP session storage issue
>
>
>
> Hello all,
>
>
>
> Hoping to get assistance with a session state issue. Users are
> successfully authenticating but the session is almost immediately removed.
> Shib SP v3.0.4.1, upgraded from v2. Here are selected log examples. Any
> assistance would be greatly appreciated, thanks.
>
>
>
> native_warn.log
> 2020-04-13 07:31:36 ERROR Shibboleth.Apache [2372] shib_check_user: Unable
> to obtain session to export to request.
> 2020-04-13 07:33:14 ERROR Shibboleth.Listener [2372] shib_check_user
> [default]: remoted message returned an error: Your session is not available
> in the session store, and you must re-authenticate.
> 2020-04-13 07:42:59 ERROR Shibboleth.Apache [2372] shib_handler: Failure
> sending remoted message (default/SAML2/POST).
> 2020-04-13 07:43:31 ERROR Shibboleth.Apache [2372] shib_check_user:
> Failure sending remoted message (set::RelayState).
>
> shibd.log
> 2020-04-13 07:29:52 INFO Shibboleth.SessionCache [2] [default]: new
> session created: ID (_d7acbb8046b19034e92a0f7aade41ecd) IdP (
> https://clienturl/idp/shibboleth)
> Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (xxx.xxx.71.6)
> 2020-04-13 07:29:53 INFO Shibboleth.SessionCache [2] [default]: removed
> session (_d7acbb8046b19034e92a0f7aade41ecd)
> 2020-04-13 07:31:24 INFO Shibboleth.SessionCache [4] [default]: new
> session created: ID (_f140df61cc28d15ba00aac901ad6e131) IdP (
> https://clienturl/idp/shibboleth)
> Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (xxx.xxx.71.6)
> 2020-04-13 07:31:27 INFO Shibboleth.SessionCache [4] [default]: removed
> session (_f140df61cc28d15ba00aac901ad6e131)
> 2020-04-13 08:13:43 INFO Shibboleth.SessionCache [1] [default]: new
> session created: ID (_e8208c8a842b990b94c1a5be050eed7e) IdP (
> https://clienturl/idp/shibboleth)
> Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (xxx.xxx.71.28)
> 2020-04-13 08:13:44 INFO Shibboleth.SessionCache [4] [default]: removed
> session (_e8208c8a842b990b94c1a5be050eed7e)
> 2020-04-13 08:13:44 INFO Shibboleth.SessionCache [4] [default]: session
> (ID: _e8208c8a842b990b94c1a5be050eed7e) no longer in storage
> 2020-04-13 08:13:44 INFO Shibboleth.SessionCache [4] [default]: removed
> session (_e8208c8a842b990b94c1a5be050eed7e
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
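The two WARN lines quoted in the thread are the SP's own startup check of the <Sessions> element. The following is an added example, not part of the original thread and not Shibboleth project code: a small lint that parses a <Sessions> element and reports the same two conditions (cookieProps without "; secure", handlerSSL="false") when TLS runs all the way to the SP, plus a missing HttpOnly flag. The two embedded fragments are constructed: WEAK mirrors the element Spencer posted for a VPN-terminated deployment, HARDENED is the variant the warnings ask for. The tls_to_sp switch is an assumption of this script, not an SP setting.

```python
"""Lint the <Sessions> element of a Shibboleth SP shibboleth2.xml.

Added example, not Shibboleth project code. It reproduces the two startup
warnings quoted in the thread and adds an HttpOnly check.
"""
import xml.etree.ElementTree as ET

# Constructed sample: TLS terminated at the VPN boundary, as posted in the thread.
WEAK = '''<Sessions checkAddress="false" lifetime="28800" relayState="ss:mem"
  timeout="3600" redirectLimit="host" cookieProps="; path=/; HttpOnly"
  handlerSSL="false" consistentAddress="false"/>'''

# Constructed sample: what the SP expects when browsers reach it over TLS end to end.
HARDENED = '''<Sessions checkAddress="false" lifetime="28800" relayState="ss:mem"
  timeout="3600" redirectLimit="host" cookieProps="; path=/; HttpOnly; secure"
  handlerSSL="true" consistentAddress="false"/>'''

SECURE_MSG = 'cookieProps should include "; secure" for SSL/TLS-only usage'
HANDLER_MSG = "handlerSSL should be enabled for SSL/TLS-enabled web sites"
HTTPONLY_MSG = 'cookieProps should include "; HttpOnly" so page scripts cannot read the session cookie'


def _cookie_flags(cookie_props):
    """Turn a cookieProps value into a set of lower-cased attribute tokens.

    SP3 also accepts the shorthand values "http" and "https"; treat those as
    the flag sets they expand to.
    """
    shorthand = cookie_props.strip().lower()
    if shorthand == "https":
        return {"secure", "httponly"}
    if shorthand == "http":
        return {"httponly"}
    return {part.strip().lower() for part in cookie_props.split(";") if part.strip()}


def check_sessions(xml_text, tls_to_sp=True):
    """Return the list of warnings for one <Sessions> element.

    tls_to_sp=True means the SP itself is reached over TLS (the case the SP's
    warnings assume); False means TLS ends at a VPN/load balancer and the SP
    only ever sees plain HTTP, so the two TLS-specific warnings do not apply.
    """
    elem = ET.fromstring(xml_text)
    if elem.tag != "Sessions":
        raise ValueError("expected a <Sessions> element, got <%s>" % elem.tag)

    findings = []
    flags = _cookie_flags(elem.get("cookieProps", ""))
    if tls_to_sp:
        if "secure" not in flags:
            findings.append(SECURE_MSG)
        # handlerSSL defaults to true when absent, so only an explicit "false" fires.
        if elem.get("handlerSSL", "true").strip().lower() != "true":
            findings.append(HANDLER_MSG)
    if "httponly" not in flags:
        findings.append(HTTPONLY_MSG)
    return findings


if __name__ == "__main__":
    for label, frag in (("WEAK (TLS to SP)", WEAK), ("HARDENED (TLS to SP)", HARDENED)):
        print(label, "->", check_sessions(frag) or "no findings")
    print("WEAK (TLS ends at boundary) ->", check_sessions(WEAK, tls_to_sp=False) or "no findings")
```

Run against WEAK with TLS to the SP it prints exactly the two warnings from the thread; with tls_to_sp=False it is silent, which is the situation Spencer describes behind a VPN. Note that the check covers only the cookie and handler settings; consistentAddress and checkAddress are deployment decisions (load balancer, proxies) that no static lint can judge.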