Error: "No flow execution could be found with key '....'"

Mark van Rossum Mark.vanRossum at bristol.ac.uk
Wed Oct 13 14:48:35 UTC 2021 

Hi thanks for the reply.

I've got Chromes dev tools open on a failed attempt, and I can see that on the POST back from AAD to Shib, no cookies are included.  A successful attempt includes a JSESSIONSID cookie at this stage.

How could a SameSite issue cause a cookie to be randomly withheld in about 8% of cases?  All my testing is done with the latest Chrome.  I can redo a login to an SP and it works ten times in a row, then breaks once, then works again etc.

>From reading the Shib SameSite docs [1] the advice is to "do nothing" otherwise you risk breaking Safari.

Do I have to just take the hit on that, and set SameSite=None?

Thanks,
Mark

[1] https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1284276231/SameSite
SameSite - Identity Provider 4 - Confluence<https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1284276231/SameSite>
SameSite and Frames. Note the caveat above of "tested and supported". The IdP officially does not support the use of frames, and the shipping defaults block frames.
shibboleth.atlassian.net

________________________________
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: 13 October 2021 14:59
To: Shib Users <users at shibboleth.net>
Subject: Re: Error: "No flow execution could be found with key '....'"

On 10/13/21, 9:41 AM, "users on behalf of Mark van Rossum" <users-bounces at shibboleth.net on behalf of Mark.vanRossum at bristol.ac.uk> wrote:

>    If it was SameSite issues would it be consistently broken?

No, not really, but the bug I recalled [1] never actually turned into anything real. There was a case where you could get it to "crash" ungracefully and it's been patched to produce the proper error but the cause was never anything but standard scenarios where the session simply isn't there, so there has never been any sign that the reasons for the error are ever anything but what they always are. SameSite just happens to be a clear and direct cause.

-- Scott

[1] https://shibboleth.atlassian.net/browse/IDP-1831

--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20211013/5f1b76d0/attachment.htm>

More information about the users mailing list