IDP v3.4 Duo Stale Requests
Christopher Bland
chris at fdu.edu
Wed May 27 20:17:27 UTC 2020
Hi All,
I am running clustered IDP servers behind a load-balancer. Session information is shared across IDPs using Memcache. My Shibboleth IDPs are v3.4.4. We recently rolled out Duo and have had an increase in Stale Requests. I have combed through the archives trying to find possible solutions. What I have been able to identify is that the Stale Requests seem to be happening when users do Push authentications. Based on previous posts I have added the JSESSIONID to the logs to verify the session isn’t getting lost. I have had users try across different browsers and platforms. I have confirmed by screensharing with my users that they are not hitting the back button or using a shortcut. In some instances I have been able to have the user open a private browser/incognito window and have had inconsistent success replicating the issue. I am seeing the following in my logs:
2020-05-27 07:38:05,405 - 132.238.11.200 [node01ilzet8g9hq62h752mrpy6u6369434] - INFO [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstJAAS:247] - Profile Action ValidateUsernamePasswordAgainstJAAS: Login by 'cbland at fdu.edu' via 'ShibUserPassAuth' succeeded
2020-05-27 07:38:08,332 - 132.238.11.200 [node01ilzet8g9hq62h752mrpy6u6369434] - INFO [net.shibboleth.idp.authn.duo.impl.ValidateDuoWebResponse:200] - Profile Action ValidateDuoWebResponse: Duo authentication succeeded for 'cbland at fdu.edu'
2020-05-27 07:38:08,435 - 132.238.11.200 [node01ilzet8g9hq62h752mrpy6u6369434] - INFO [Shibboleth-Audit.SSO:275] - 20200527T113808Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_3ee4e18947226a1dc52861bf4079c282|https://xxxxxx.fdu.edu/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.fdu.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_05b472163ea0d3f6a8f2493727a21d0a|cbland@fdu.edu|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|displayName,surname,givenName,userPrincipalName|AAdzZWNyZXQ1k+Dh6fEfM90BP/gGDCWqE1hkWHe4CHsMINSFrvN18M3Ms9lO558VrKldF5GONRHir0KI8SALICv8L8QUtVRwDGzqd7smTI6YTpKhqANzUs+KHBWVHYjiLoAzEID8oLQZpJJwNdKS23/CQ6+J20zfKg==|_501fec3c418746ad324642d44bbcecf5|true
2020-05-27 07:38:08,437 - 132.238.11.200 [node01ilzet8g9hq62h752mrpy6u6369434] - ERROR [org.springframework.webflow.execution.repository.NoSuchFlowExecutionException:76] -
org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s2' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.
at org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.getConversation(AbstractFlowExecutionRepository.java:172)
Caused by: org.springframework.webflow.conversation.NoSuchConversationException: No conversation could be found with id '1' -- perhaps this conversation has ended?
at org.springframework.webflow.conversation.impl.ConversationContainer.getConversation(ConversationContainer.java:126)
2020-05-27 07:38:08,438 - 132.238.11.200 [node01ilzet8g9hq62h752mrpy6u6369434] - WARN [net.shibboleth.ext.spring.error.ExtendedMappingExceptionResolver:136] - Resolved [org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s2' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.] to ModelAndView: reference to view with name 'error'; model is {exception=org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s2' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows., request=Request(POST https://idp.fdu.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s2)@218eaf21, encoder=class net.shibboleth.utilities.java.support.codec.HTMLEncoder, springContext=Root WebApplicationContext: startup date [Sun May 24 13:53:39 EDT 2020]; root of context hierarchy}
All suggestions welcome.
Thank you in advance,
-Chris
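
Added example, not part of the original post: a script that groups log lines in the format shown above by the bracketed session ID and reports each NoSuchFlowExecutionException logged shortly after a successful Duo validation in the same session, which helps measure how often the pattern in these logs occurs. The function name, the 5-second window, and the sample lines (constructed, with placeholder addresses and session IDs) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Line prefix as it appears in the post:
# timestamp - client IP [session id] - LEVEL [logger:line] - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - (?P<ip>\S+) "
    r"\[(?P<sid>[^\]]*)\] - (?P<level>\w+)\s+\[(?P<logger>[^\]:]+):\d+\] - ?(?P<msg>.*)$"
)

# Constructed sample input (placeholder IPs, session IDs and user names).
DUO = ("INFO [net.shibboleth.idp.authn.duo.impl.ValidateDuoWebResponse:200] - "
       "Profile Action ValidateDuoWebResponse: Duo authentication succeeded for 'user'")
ERR = "ERROR [org.springframework.webflow.execution.repository.NoSuchFlowExecutionException:76] -"
SAMPLE = [
    f"2020-05-27 07:38:08,332 - 192.0.2.10 [node0aaa] - {DUO}",
    f"2020-05-27 07:38:08,437 - 192.0.2.10 [node0aaa] - {ERR}",
    "org.springframework.webflow...NoSuchFlowExecutionException: No flow execution ...",
    f"2020-05-27 07:40:00,000 - 192.0.2.11 [node0bbb] - {DUO}",
    f"2020-05-27 07:41:30,000 - 192.0.2.11 [node0bbb] - {ERR}",  # 90 s later
    f"2020-05-27 07:42:00,000 - 192.0.2.12 [node0ccc] - {ERR}",  # no Duo event
]

def stale_after_duo(lines, window_seconds=5):
    """Return (session_id, delay_ms) for every stale-request error logged
    within window_seconds after a Duo success in the same session."""
    last_duo = {}  # session id -> time of the most recent Duo success
    hits = []
    window = timedelta(seconds=window_seconds)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # stack-trace and other continuation lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        sid = m["sid"]
        if m["logger"].endswith("ValidateDuoWebResponse") and "succeeded" in m["msg"]:
            last_duo[sid] = ts
        elif m["level"] == "ERROR" and m["logger"].endswith("NoSuchFlowExecutionException"):
            duo_ts = last_duo.get(sid)
            if duo_ts is not None and ts - duo_ts <= window:
                hits.append((sid, (ts - duo_ts) // timedelta(milliseconds=1)))
    return hits

if __name__ == "__main__":
    for sid, ms in stale_after_duo(SAMPLE):
        print(f"session {sid}: stale request {ms} ms after Duo success")
```

Run against idp-process.log from every cluster node; a session ID that shows the Duo success on one node and the error on another will not be correlated unless the logs are merged and sorted by timestamp first.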