Clustering question around external auth
Jay Fowler
fowler at csufresno.edu
Wed Aug 31 23:01:37 UTC 2022
AWS ALB with 2 targets
Targets include
OS = RHEL 8.6
jetty = 9.4.48
idp = 4.2.1
+ memcached, Unicon's shibCas module
Authentication is external using Unicon's CAS module.
Scenario: a node goes offline while the client is performing the external
auth. When the session returns, the load balancer has moved the client to
another node, but the following error is seen:
"Sorry, it looks like there is a problem finding your session ... "
Logs show:
2022-08-31 14:42:54,058 - 10.20.209.126 - WARN [net.unicon.idp.externalauth.ShibcasAuthServlet:88] - Error processing ShibCas authentication request
net.shibboleth.idp.authn.ExternalAuthenticationException: Error retrieving flow conversation
    at net.shibboleth.idp.authn.ExternalAuthentication.getProfileRequestContext(ExternalAuthentication.java:227)
Caused by: org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s2' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.
    at org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.getConversation(AbstractFlowExecutionRepository.java:172)
Caused by: org.springframework.webflow.conversation.NoSuchConversationException: No conversation could be found with id '1' -- perhaps this conversation has ended?
    at org.springframework.webflow.conversation.impl.ConversationContainer.getConversation(ConversationContainer.java:126)
Is it possible to replicate the flow conversation across a cluster when
external authentication is used? Something like,
idp.authn.ExternalAuthentication.StorageService = shibboleth.MemcachedStorageService
Should I be looking at something else? Or is this something that falls into
the "there is no solution provided to replicate the per-request
conversational state"?
https://shibboleth.atlassian.net/wiki/spaces/IDP30/pages/2495742390/Clustering#Clustering-ConversationalState
https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631607/ExternalAuthnConfiguration
Jay