Error: "No flow execution could be found with key '....'"

[Cantor, Scott]

On 10/13/21, 10:49 AM, "users on behalf of Mark van Rossum" <users-bounces at shibboleth.net on behalf of Mark.vanRossum at bristol.ac.uk> wrote:

>    I've got Chromes dev tools open on a failed attempt, and I can see that on the POST back from AAD to Shib,
> no cookies are included.  A successful attempt includes a JSESSIONSID cookie at this stage.

Right. Thus the error.

> How could a SameSite issue cause a cookie to be randomly withheld in about 8% of cases?  All my testing is
> done with the latest Chrome.  I can redo a login to an SP and it works ten times in a row, then breaks once,
> then works again etc.

Well, the 2 minute timer likely works in very odd ways that may not be as obvious as even Google thinks, which is why it's such a dumb idea. So my guess is it's that.

> From reading the Shib SameSite docs [1] the advice is to "do nothing" otherwise you risk breaking Safari.  

Well, it is what it is. We can't make Apple fix things, so you write that stuff off or cook up elaborate user agent tests. As time goes by it gets less and less an issue,and for many places it's probably not an issue at all now.

>    Do I have to just take the hit on that, and set SameSite=None?

If you want to fix this, you have to for some set of clients. We updated the docs (I thought) to indicate that proxying does break on this.

-- Scott