Early EOF when using SAML flow

Michael Forbes mforbes at stevens.edu
Wed Nov 24 17:20:18 UTC 2021


Hello all,

On IdP 4.1, I recently changed from "idp.authn.flows = MFA" to "idp.authn.flows = SAML" for the following reason: we previously used Shibboleth as our only IdP, but now we use it only as a proxy between our new primary IdP (Okta) and any SPs in the InCommon Federation which cannot work with Okta directly. I used https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1282539600/SAMLAuthnConfiguration and https://shibboleth.atlassian.net/wiki/spaces/KB/pages/1459979597/Using+SAML+Proxying+to+another+IdP which eventually got me up and running.

However, there's an issue I've been struggling to track down. After a successful SP-initiated login to one of these federated SPs (or even an SP we directly control, if we configure it with Shib metadata instead of Okta metadata), eventually when the session is too old (say, some hours later) another SP-initiated login from an SP using the proxy will result in an error. The user experience is:

1. User chooses to log into our Shib IdP from some SP.
2. The SP redirects to Shib.
3. The Shib session is too old so it redirects to Okta.
4. Okta might prompt for re-auth (or might not, if that already happened recently due to recently having used an SP which doesn't use Shib as a proxy) and then it redirects to Shib.
5. Shib responds with nothing ("ERR_EMPTY_RESPONSE" in Chrome, "Secure Connection Failed" in Firefox, etc.) and idp-warn.log shows "org.eclipse.jetty.io.RuntimeIOException: org.eclipse.jetty.io.EofException: Early EOF".

Troubleshooting steps already taken:
- Restarting the IdP service does not help.
- Deleting cookies (just the domain of the Shib IdP) from the browser solves the problem temporarily, but then when that brand new IdP session gets too old, the error comes back same as before.
- Reverting to "idp.authn.flows = MFA" clears up the problem immediately and permanently. Any browsers that so much as see the start of this MFA flow (they don't even need to actually submit to it) will no longer have the bad cookies, so flipping it back to "idp.authn.flows = SAML" will provide trouble-free operation as well (but only temporarily).

After turning up the verbosity for idp-warn.log, this is the full error/trace:

2021-11-24 11:23:18,718 - ERROR [org.eclipse.jetty.io.RuntimeIOException:91] -
org.eclipse.jetty.io.RuntimeIOException: org.eclipse.jetty.io.EofException: Early EOF
                at org.eclipse.jetty.server.Request.extractFormParameters(Request.java:587)
                at org.eclipse.jetty.server.Request.extractContentParameters(Request.java:531)
                at org.eclipse.jetty.server.Request.getParameters(Request.java:435)
                at org.eclipse.jetty.server.Request.getParameter(Request.java:1075)
                at net.shibboleth.idp.saml.saml2.profile.impl.SAMLAuthnController.finishSAML(SAMLAuthnController.java:232)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.base/java.lang.reflect.Method.invoke(Method.java:566)
                at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:197)
                at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:141)
                at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:106)
                at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:894)
                at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:808)
                at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
                at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1063)
                at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963)
                at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
                at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909)
                at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
                at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
                at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
                at org.eclipse.jetty.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1452)
                at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:791)
                at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1626)
                at net.shibboleth.idp.log.SLF4JMDCServletFilter.doFilter(SLF4JMDCServletFilter.java:76)
                at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
                at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
                at net.shibboleth.utilities.java.support.net.RequestResponseContextFilter.doFilter(RequestResponseContextFilter.java:61)
                at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
                at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
                at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
                at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
                at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:201)
                at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
                at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
                at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
                at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)
                at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
                at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
                at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
                at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
                at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1435)
                at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
                at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
                at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
                at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
                at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1350)
                at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
                at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:234)
                at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
                at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
                at org.eclipse.jetty.server.Server.handle(Server.java:516)
                at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
                at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
                at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
                at org.eclipse.jetty.server.HttpChannelOverHttp.earlyEOF(HttpChannelOverHttp.java:237)
                at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:1614)
                at org.eclipse.jetty.server.HttpConnection.parseRequestBuffer(HttpConnection.java:370)
                at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
                at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
                at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
                at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:540)
                at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:395)
                at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161)
                at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
                at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
                at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
                at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
                at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
                at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
                at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:383)
                at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:882)
                at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1036)
                at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: org.eclipse.jetty.io.EofException: Early EOF
                at org.eclipse.jetty.server.HttpInput$3.getError(HttpInput.java:1187)
                at org.eclipse.jetty.server.HttpInput$3.noContent(HttpInput.java:1175)
                at org.eclipse.jetty.server.HttpInput.read(HttpInput.java:333)
                at org.eclipse.jetty.server.HttpInput.read(HttpInput.java:270)
                at org.eclipse.jetty.util.UrlEncoded.decodeUtf8To(UrlEncoded.java:485)
                at org.eclipse.jetty.util.UrlEncoded.decodeTo(UrlEncoded.java:577)
                at org.eclipse.jetty.server.Request.extractFormParameters(Request.java:582)
                ... 74 common frames omitted

With so many java files and line numbers mentioned, any ideas about where to look next would be greatly appreciated. Happy Thanksgiving!

Michael
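
One way to narrow down a trace like the one above, as an added example that is not part of the original post: a short Python triage script that reduces each idp-warn.log entry to its innermost "Caused by" and the first frame inside the IdP's own packages. The sample log is constructed from the excerpt (frames abridged, second timestamp made up); the `net.shibboleth.idp.` prefix filter and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: two entries in the layout of the idp-warn.log excerpt
# above, frames abridged; the second timestamp is made up.
TRACE = """\
org.eclipse.jetty.io.RuntimeIOException: org.eclipse.jetty.io.EofException: Early EOF
    at org.eclipse.jetty.server.Request.extractFormParameters(Request.java:587)
    at org.eclipse.jetty.server.Request.getParameter(Request.java:1075)
    at net.shibboleth.idp.saml.saml2.profile.impl.SAMLAuthnController.finishSAML(SAMLAuthnController.java:232)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at net.shibboleth.idp.log.SLF4JMDCServletFilter.doFilter(SLF4JMDCServletFilter.java:76)
    at org.eclipse.jetty.server.HttpChannelOverHttp.earlyEOF(HttpChannelOverHttp.java:237)
Caused by: org.eclipse.jetty.io.EofException: Early EOF
    at org.eclipse.jetty.server.HttpInput.read(HttpInput.java:333)
    ... 74 common frames omitted
"""
HEAD = " - ERROR [org.eclipse.jetty.io.RuntimeIOException:91] -\n"
SAMPLE_LOG = ("2021-11-24 11:23:18,718" + HEAD + TRACE +
              "2021-11-24 15:02:41,006" + HEAD + TRACE)

HEADER = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) - (\w+) \[")
FRAME = re.compile(r"^\s+at ([\w.$/]+)\(([\w.$]+):(\d+)\)")
CAUSE = re.compile(r"^Caused by: (.+)$")

def parse_entries(text, app_prefix="net.shibboleth.idp."):
    """Split the log into entries; keep the root cause and first IdP frame."""
    entries, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"time": m[1], "level": m[2], "exception": None,
                   "root_cause": None, "app_frame": None}
            entries.append(cur)
        elif cur is None:
            continue  # text before the first timestamped entry
        elif f := FRAME.match(line):
            # First frame in the IdP's own packages: where the IdP touched the request.
            if cur["app_frame"] is None and f[1].startswith(app_prefix):
                cur["app_frame"] = f"{f[1]} ({f[2]}:{f[3]})"
        elif c := CAUSE.match(line):
            cur["root_cause"] = c[1]  # a later "Caused by" overwrites: innermost wins
        elif cur["exception"] is None and line.strip():
            cur["exception"] = line.strip()
    return entries

def summarize(entries):
    """Count entries per (root cause or top exception, first IdP frame)."""
    return Counter((e["root_cause"] or e["exception"], e["app_frame"]) for e in entries)

if __name__ == "__main__":
    for (cause, frame), n in summarize(parse_entries(SAMPLE_LOG)).most_common():
        print(f"{n}x {cause}\n   first IdP frame: {frame}")
```

Run against a real idp-warn.log, the grouped counts show whether every failure enters through the same IdP frame, and the timestamps can be lined up with session age.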