Error: "No flow execution could be found with key '....'"

Duncan Sinclair d.sinclair at
Thu Oct 14 10:06:03 UTC 2021

Hi Mark,

I went through the same pain as you a few months ago – the issue came down to SameSite, where the randomness was because Chrome allows the cookies for some amount of time, then stops them.

Based on reading bug reports, I fixed the issue by adding this to the bottom of global.xml:

    <bean id="abertay.SameSiteExpression" class="java.util.regex.Pattern" factory-method="compile"
        c:_0="(Firefox)|(Chrom(e|ium)/[1234789])" />

    <bean id="abertay.SameSiteCondition" class="net.shibboleth.ext.spring.util.SpringExpressionPredicate"
        c:expression="#custom.matcher(#input.getHeader('User-Agent') ?: '').find() and !(#input.getHeader('User-Agent') ?: '').contains('UCBrowser')"
        p:customObject-ref="abertay.SameSiteExpression" />

And setting this property in

      idp.cookie.sameSiteCondition = abertay.SameSiteCondition

You may wish to change the "abertay"s to "Bristol". 😊


Duncan Sinclair.

Duncan Sinclair
Infrastructure Specialist – Systems
Abertay University, Dundee
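
To see which browsers the condition in the message above actually selects, the predicate can be replayed over sample User-Agent strings. This is an added example, not code from the thread or from the Shibboleth project: it uses Python's `re` in place of `java.util.regex` (the two treat this pattern the same way), and the function names and sample User-Agent strings are constructed for illustration.

```python
import re

# Pattern copied from the abertay.SameSiteExpression bean in the message above.
SAMESITE_EXPRESSION = re.compile(r"(Firefox)|(Chrom(e|ium)/[1234789])")


def same_site_condition(user_agent):
    """Mirror the SpEL predicate: matcher.find() and no 'UCBrowser' substring.

    A missing User-Agent header is treated as '' (the `?: ''` in the bean).
    """
    ua = user_agent or ""
    return bool(SAMESITE_EXPRESSION.search(ua)) and "UCBrowser" not in ua


# Constructed sample User-Agent strings (hypothetical, not from the thread).
WEBKIT = "AppleWebKit/537.36 (KHTML, like Gecko)"
SAMPLES = {
    "chrome-94": f"Mozilla/5.0 (Windows NT 10.0; Win64; x64) {WEBKIT} Chrome/94.0.4606.81 Safari/537.36",
    # The character class [1234789] skips major versions starting with 5 or 6.
    "chrome-66": f"Mozilla/5.0 (Windows NT 10.0; Win64; x64) {WEBKIT} Chrome/66.0.3359.139 Safari/537.36",
    "chrome-100": f"Mozilla/5.0 (X11; Linux x86_64) {WEBKIT} Chrome/100.0.4896.60 Safari/537.36",
    "edge-94": f"Mozilla/5.0 (Windows NT 10.0; Win64; x64) {WEBKIT} Chrome/94.0.4606.81 Safari/537.36 Edg/94.0.992.47",
    "firefox-93": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0",
    # Safari and Chrome on iOS ("CriOS") carry neither "Firefox" nor "Chrome/".
    "safari-15": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Safari/605.1.15",
    "chrome-ios": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/94.0.4606.76 Mobile/15E148 Safari/604.1",
    # Matches Chrome/7 but is rejected by the explicit UCBrowser exclusion.
    "ucbrowser": f"Mozilla/5.0 (Linux; U; Android 10; en-US; SM-A505F) {WEBKIT} Version/4.0 Chrome/78.0.3904.108 UCBrowser/13.4.0.1306 Mobile Safari/537.36",
    "no-header": None,
}


def evaluate(samples):
    """Return {sample name: whether the condition evaluates to true}."""
    return {name: same_site_condition(ua) for name, ua in samples.items()}


if __name__ == "__main__":
    for name, matched in evaluate(SAMPLES).items():
        print(f"{name:12} condition={'true' if matched else 'false'}")
```

Replacing the constructed strings with User-Agent values taken from the IdP's own access logs shows which real clients fall on each side of the condition before the property is changed.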

From: users <users-bounces at> On Behalf Of Mark van Rossum
Sent: Wednesday, 13 October 2021 3:49 pm
To: Shib Users <users at>
Subject: Re: Error: "No flow execution could be found with key '....'"

Hi thanks for the reply.

I've got Chrome's dev tools open on a failed attempt, and I can see that on the POST back from AAD to Shib, no cookies are included. A successful attempt includes a JSESSIONID cookie at this stage.

How could a SameSite issue cause a cookie to be randomly withheld in about 8% of cases? All my testing is done with the latest Chrome. I can redo a login to an SP and it works ten times in a row, then breaks once, then works again etc.

From reading the Shib SameSite docs [1] the advice is to "do nothing" otherwise you risk breaking Safari.

Do I have to just take the hit on that, and set SameSite=None?


[1] SameSite - Identity Provider 4 - Confluence
SameSite and Frames. Note the caveat above of "tested and supported". The IdP officially does not support the use of frames, and the shipping defaults block frames.

From: users <users-bounces at> on behalf of Cantor, Scott <cantor.2 at>
Sent: 13 October 2021 14:59
To: Shib Users <users at>
Subject: Re: Error: "No flow execution could be found with key '....'"

On 10/13/21, 9:41 AM, "users on behalf of Mark van Rossum" <users-bounces at on behalf of Mark.vanRossum at> wrote:

>    If it was SameSite issues would it be consistently broken?

No, not really, but the bug I recalled [1] never actually turned into anything real. There was a case where you could get it to "crash" ungracefully and it's been patched to produce the proper error but the cause was never anything but standard scenarios where the session simply isn't there, so there has never been any sign that the reasons for the error are ever anything but what they always are. SameSite just happens to be a clear and direct cause.

-- Scott

