Stale Request after IP change

Janusz Ulanowski janusz.ulanowski at heanet.ie
Tue Nov 9 13:19:19 UTC 2021


Hi,


I hope you can advice on issue I have with Shib IDP v4.0.1
We have configured IsP to delegate authn to Azure via SAML  (mostly 
default setting as per doc)
Everything works except when browser's IP changes.

When client browser's IP changes:
- idp triggers re-authentication flow
- redirects to upstream IdP
- after receiving assertion upstream IdP : it breaks at this stage 
(resulting err "Stale Request")
  That happens when I'm trying gain access to SP which already had 
session on previous IP (browser IP).
  If I try different SP then re-authn flow on IdP site is fine.
   In the log: I can see:


2021-11-09 12:54:32,436 - X.X.X.X - ERROR 
[net.shibboleth.idp.authn.ExternalAuthenticationException:74] -
net.shibboleth.idp.authn.ExternalAuthenticationException: Error 
retrieving flow conversation
         at 
net.shibboleth.idp.authn.ExternalAuthentication.getProfileRequestContext(ExternalAuthentication.java:227)
Caused by: 
org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: 
No flow execution could be found with key 'e2s1' -- perhaps this 
executing flow has ended or expired? This could happen if your users are 
relying on browser history (typically via the back button) that 
references ended flows.
         at 
org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.getConversation(AbstractFlowExecutionRepository.java:172)
Caused by: 
org.springframework.webflow.conversation.NoSuchConversationException: No 
conversation could be found with id '2' -- perhaps this conversation has 
ended?
         at 
org.springframework.webflow.conversation.impl.ConversationContainer.getConversation(ConversationContainer.java:126)






Is it a bug or there some configuration change required?

Thanks in advance,


-- 
Janusz


More information about the users mailing list