SPs work and then they don't - Web Login Service - Stale Request

Nate Klingenstein ndk at signet.id
Fri Jul 9 21:05:13 UTC 2021


Thanks for sending along the resolution.  I glossed over the 2 hosts part and assumed stickiness, and that would have been a far more likely cause than the plug-in having severe issues.

--------
Signet, Inc.
The Art of Access ®

https://www.signet.id

-----Original message-----
From: Jason B. Rappaport
Sent: Friday, July 9 2021, 8:44 pm
To: Shib Users
Subject: RE: SPs work and then they don't - Web Login Service - Stale Request

For the record, we discovered the issue.  For these IDPs, we put them behind an AWS application load balancer; previously we used a network load balancer.

When both hosts were up, I would get the stale request error message.  
If I brought down either host and the ALB removed it, the service would work.

We enabled stickiness, set it to 5 minutes, turned on both IDPs and it works!

That being said, we will probably switch back to an NLB, as on an ALB one must manage a certificate within AWS and on the backend hosts for SSL, and that is a bit of a pain as it crosses multiple business units and has the potential to create a negative situation when a service owner updates the backend cert but forgets that someone else manages AWS and has to update the cert that AWS has associated with the ALB.

In any case, enabling stickiness on the ALB fixed it.

Thanks, Jay

________________________________
Jason Rappaport (he/him)
Identity and Access Management Analyst
Office of Information Technology
Email:  jasonrap at princeton.edu
Office:  609-258-8464

-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Nate Klingenstein
Sent: Friday, July 9, 2021 1:46 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: SPs work and then they don't - Web Login Service - Stale Request

Jay,

That implies to me that the authentication plug-in is broken.  It should absolutely be able to do that, and the fact that time-bounding it triggers it indicates that the plug-in is doing something horribly wrong.  It's best to bring it up with the maintainers of the code; it's not really a Shibboleth problem.  It's a plug-in problem.

Thanks for taking the time to clarify,
Nate.

--------
Signet, Inc.
The Art of Access ®

https://www.signet.id
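The behaviour Jay reports above (stale request with both hosts in service, success with one host or with stickiness on) is what you get whenever a multi-step login keeps its conversation state in one node's memory and the load balancer is free to send the second request to the other node. The toy model below is an added example, not code from the thread, from Shibboleth or from AWS: two IdP nodes that each hold pending requests in a process-local dict, fronted by a round-robin balancer that can optionally pin a browser to a node with a stickiness cookie. The node names, the cookie name, the request shapes and the 300-second default (mirroring the 5 minutes Jay set) are all assumptions of the example.

```python
"""
Toy model of a two-node IdP behind a load balancer, with and without
session stickiness. Constructed example: node names, cookie name and
request shapes are assumptions, not Shibboleth or AWS behaviour.
"""
import itertools
import secrets

STALE_REQUEST = "Stale Request"


class IdPNode:
    """One IdP host. Conversation state exists only in this process."""

    def __init__(self, name):
        self.name = name
        self.conversations = {}  # conversation id -> pending request

    def start_login(self, sp_entity_id):
        """Step 1: the SP's redirect arrives; store the pending request."""
        conv_id = secrets.token_hex(8)
        self.conversations[conv_id] = {"sp": sp_entity_id}
        return conv_id

    def finish_login(self, conv_id, user):
        """Step 2: the login form is posted back with the conversation id."""
        pending = self.conversations.pop(conv_id, None)
        if pending is None:
            # The id is well-formed but unknown here: another node issued it.
            return {"error": STALE_REQUEST, "node": self.name}
        return {"ok": True, "sp": pending["sp"], "user": user, "node": self.name}


class LoadBalancer:
    """Round-robin across the nodes that are up, optionally sticky per client."""

    COOKIE = "lb_sticky"  # cookie name is an assumption of this example

    def __init__(self, nodes, sticky=False, sticky_seconds=300):
        self._rr = itertools.cycle(nodes)
        self.sticky = sticky
        self.sticky_seconds = sticky_seconds

    def route(self, cookies, now):
        """Pick a node for one request; cookies is the browser's cookie jar."""
        if self.sticky:
            pinned = cookies.get(self.COOKIE)
            if pinned and pinned["expires"] > now:
                return pinned["node"]
        node = next(self._rr)
        if self.sticky:
            cookies[self.COOKIE] = {"node": node, "expires": now + self.sticky_seconds}
        return node


def run_login_flow(sticky, nodes_up=2, sticky_seconds=300, think_time=0,
                   sp="https://sp.example.org/shibboleth", user="alice"):
    """Two-request login: redirect in at t=0, form post think_time seconds later."""
    nodes = [IdPNode(f"idp-{i}") for i in range(nodes_up)]
    lb = LoadBalancer(nodes, sticky=sticky, sticky_seconds=sticky_seconds)
    cookies = {}
    conv_id = lb.route(cookies, now=0).start_login(sp)
    return lb.route(cookies, now=think_time).finish_login(conv_id, user)


if __name__ == "__main__":
    print("non-sticky, two nodes:", run_login_flow(sticky=False))
    print("non-sticky, one node: ", run_login_flow(sticky=False, nodes_up=1))
    print("sticky, two nodes:    ", run_login_flow(sticky=True))
    print("sticky, slow user:    ", run_login_flow(sticky=True, think_time=600))
```

The last case is the caveat to check before calling stickiness the fix: the cookie only pins the browser for the configured duration, so a user who leaves the login page open longer than that (here 600 seconds against a 300-second pin) lands on the other node and gets the same stale request. Size the stickiness window to the longest a login can plausibly sit between steps, or, better, keep the conversation state somewhere both nodes can read it (client-side in the browser, or a shared store) so routing stops mattering at all, which is the direction Nate's "it's a plug-in problem" points.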