SAML Proxy to Azure: odd IdP session timeout behavior

Jeffrey Williams jfwillia at uncg.edu
Wed Jun 23 19:36:24 UTC 2021


Hi All,

Shortly after the time we transitioned to proxying authn to Azure, we'd get
the sporadic case where a user goes to log in and gets an IdP error along the
lines of "You may be seeing this message because you used the back
button" (when it wasn't used).

Logs seem to show the following:

2021-06-23 13:55:53,222 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
java.lang.IllegalArgumentException: Set already contains a member of index class net.shibboleth.idp.saml.saml2.profile.impl.SAMLAuthnContext
        at net.shibboleth.utilities.java.support.collection.ClassIndexedSet.add(ClassIndexedSet.java:79)
2021-06-23 13:55:53,229 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: RuntimeException
2021-06-23 13:55:53,230 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:169] - Error event RuntimeException will be handled locally
2021-06-23 13:55:53,907 - ERROR [net.shibboleth.idp.authn.ExternalAuthenticationException:74] - net.shibboleth.idp.authn.ExternalAuthenticationException: Error retrieving flow conversation
        at net.shibboleth.idp.authn.ExternalAuthentication.getProfileRequestContext(ExternalAuthentication.java:227)
Caused by: org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s1' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.
        at org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.getConversation(AbstractFlowExecutionRepository.java:172)
Caused by: org.springframework.webflow.conversation.NoSuchConversationException: No conversation could be found with id '1' -- perhaps this conversation has ended?
        at org.springframework.webflow.conversation.impl.ConversationContainer.getConversation(ConversationContainer.java:126)

Minus the uncaught exception, it looked to me like an IdP session timeout
that I thought typically would get redirected back to an IdP login.  Anyone
run into this one before?



-- 
Jeffrey Williams
Identity & Access Engineer
Identity & Access Services
https://its.uncg.edu