Error: "No flow execution could be found with key '....'"

Duncan Sinclair d.sinclair at abertay.ac.uk
Thu Oct 14 10:06:03 UTC 2021


Hi Mark,

I went through the same pain as you a few months ago – the issue came down to SameSite, where the randomness was because Chrome allows the cookies for some amount of time, then stops them.

Based on reading bug reports, I fixed the issue by adding this to the bottom of global.xml:

    <bean id="abertay.SameSiteExpression" class="java.util.regex.Pattern" factory-method="compile"
        c:_0="(Firefox)|(Chrom(e|ium)/[1234789])" />

    <bean id="abertay.SameSiteCondition" class="net.shibboleth.ext.spring.util.SpringExpressionPredicate"
        c:expression="#custom.matcher(#input.getHeader('User-Agent') ?: '').find() and !(#input.getHeader('User-Agent') ?: '').contains('UCBrowser')"
        p:customObject-ref="abertay.SameSiteExpression" />

And setting this property in idp.properties:

      idp.cookie.sameSiteCondition = abertay.SameSiteCondition

You may wish to change the "abertay"s to "Bristol". 😊

Cheers,


Duncan Sinclair.

--
Duncan Sinclair
Infrastructure Specialist – Systems
Abertay University, Dundee
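As an added illustration (not code from the post or from the Shibboleth project), this Python mirror of the SpEL predicate above runs over a few constructed User-Agent strings to show which clients would receive the SameSite attribute. It assumes the IdP applies the default `idp.cookie.sameSite` value of `None` whenever the condition is true; `set_cookie_header` is a hypothetical helper, not IdP code.

```python
import re

# Regex copied from the abertay.SameSiteExpression bean: Firefox, or Chrome/Chromium
# whose version starts with 1,2,3,4,7,8 or 9. "5" and "6" are deliberately absent
# because Chrome 51-66 rejected cookies that carried SameSite=None outright, so those
# builds must keep receiving the unmarked cookie.
SAMESITE_EXPRESSION = re.compile(r"(Firefox)|(Chrom(e|ium)/[1234789])")


def same_site_none_applies(user_agent):
    """Mirror of the SpEL condition: regex find() succeeds and the UA does not
    contain 'UCBrowser'. A missing header is treated as '' (the SpEL ?: fallback)."""
    ua = user_agent or ""
    return bool(SAMESITE_EXPRESSION.search(ua)) and "UCBrowser" not in ua


def set_cookie_header(name, value, user_agent):
    """Hypothetical helper: the Set-Cookie line an IdP gated by this condition would emit
    (assumes idp.cookie.sameSite is left at its default of None)."""
    attrs = [f"{name}={value}", "Path=/idp", "Secure", "HttpOnly"]
    if same_site_none_applies(user_agent):
        attrs.append("SameSite=None")
    return "; ".join(attrs)


# Constructed sample User-Agent strings, one per client class the predicate cares about.
SAMPLE_AGENTS = {
    "firefox": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0",
    "chrome94": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
                "Chrome/94.0.4606.81 Safari/537.36",
    "chrome58": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
                "Chrome/58.0.3029.110 Safari/537.36",
    "ucbrowser": "Mozilla/5.0 (Linux; U; Android 9) AppleWebKit/537.36 (KHTML, like Gecko) "
                 "Chrome/78.0.3904.108 UCBrowser/13.4.0.1306 Mobile Safari/537.36",
    "safari": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/15.0 Safari/605.1.15",
}

if __name__ == "__main__":
    for label, ua in SAMPLE_AGENTS.items():
        print(f"{label:10} -> {set_cookie_header('JSESSIONID', 'example', ua)}")
```

Safari and the old Chrome builds keep an attribute-free cookie, which is the "do nothing" behaviour the SameSite docs describe; only the clients known to honour SameSite=None get it.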

From: users <users-bounces at shibboleth.net> On Behalf Of Mark van Rossum
Sent: Wednesday, 13 October 2021 3:49 pm
To: Shib Users <users at shibboleth.net>
Subject: Re: Error: "No flow execution could be found with key '....'"


Hi thanks for the reply.

I've got Chrome's dev tools open on a failed attempt, and I can see that on the POST back from AAD to Shib, no cookies are included. A successful attempt includes a JSESSIONID cookie at this stage.

How could a SameSite issue cause a cookie to be randomly withheld in about 8% of cases?  All my testing is done with the latest Chrome.  I can redo a login to an SP and it works ten times in a row, then breaks once, then works again etc.

From reading the Shib SameSite docs [1] the advice is to "do nothing" otherwise you risk breaking Safari.

Do I have to just take the hit on that, and set SameSite=None?

Thanks,
Mark

[1] https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1284276231/SameSite

________________________________
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: 13 October 2021 14:59
To: Shib Users <users at shibboleth.net>
Subject: Re: Error: "No flow execution could be found with key '....'"

On 10/13/21, 9:41 AM, "users on behalf of Mark van Rossum" <users-bounces at shibboleth.net on behalf of Mark.vanRossum at bristol.ac.uk> wrote:

>    If it was SameSite issues would it be consistently broken?

No, not really, but the bug I recalled [1] never actually turned into anything real. There was a case where you could get it to "crash" ungracefully and it's been patched to produce the proper error but the cause was never anything but standard scenarios where the session simply isn't there, so there has never been any sign that the reasons for the error are ever anything but what they always are. SameSite just happens to be a clear and direct cause.

-- Scott

[1] https://shibboleth.atlassian.net/browse/IDP-1831

--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
