
Outbound SAML SSO is broken in 4.1 #68

Closed
aliaksander-samuseu opened this issue Mar 13, 2020 · 6 comments

@aliaksander-samuseu

aliaksander-samuseu commented Mar 13, 2020

Environment:

gluu-server-4.1.0-centos7 (confirmed both for WrenDS and Couchbase).

Description:

SSO doesn’t work in 4.1: the first SAML flow works fine (when there is no session at the IDP yet); the 2nd attempt will fail (after the session is created) with a 500 internal server error page displayed, regardless of whether it’s the same SP or another one. If cookies are flushed and the flow is retried, it works again the first time, and fails for subsequent requests after the session is created at the IDP.

Steps to reproduce:

  1. Create a SAML TR for any SP (samltest.id will do)

  2. Start a SAML flow from the SP and authenticate at oxAuth when asked to

  3. After getting to SP with SAML response, start another SAML flow from the same SP

Result:

A 500 internal server error page is displayed at step 3). An error like the one below appears in idp-process.log:

2020-03-12 17:38:36,797 - 192.168.238.102 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Value cannot be null or empty
    at net.shibboleth.utilities.java.support.logic.Constraint.isNotNull(Constraint.java:227)
2020-03-12 17:38:36,798 - 192.168.238.102 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: RuntimeException

Network trace shows that flow stops at IDP itself (the error page is returned in response to initial SAML request).
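The failure signature above, as an added example that is not part of the original issue or of the Gluu project: a small Python triage script that scans idp-process.log lines in the layout quoted here and reports each ERROR/ConstraintViolationException pair per client address, so an operator can check whether a 4.1.0 deployment is hitting this bug. The sample log lines are constructed from the ones quoted in the issue plus one unrelated INFO line and a second occurrence for the same client.

```python
import re
from collections import Counter

# Layout of an idp-process.log line as quoted in this issue:
# "<timestamp> - <client ip> - <LEVEL> [<logger>] - <message>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - "
    r"(?P<ip>\S+) - (?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] - (?P<msg>.*)$"
)
# Exception line that follows the "Uncaught runtime exception" ERROR in the failing flow
EXC_LINE = "net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Value cannot be null or empty"


def parse_line(line):
    """Split one log line into fields; return None for stack-trace/continuation lines."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def find_broken_sso_events(lines):
    """(timestamp, client ip) for each idp.authn ERROR followed by the issue's exception line."""
    events = []
    for i, line in enumerate(lines):
        rec = parse_line(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        if not rec["logger"].startswith("net.shibboleth.idp.authn"):
            continue
        if "Uncaught runtime exception" not in rec["msg"]:
            continue
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""  # exception text is unparsed
        if nxt == EXC_LINE:
            events.append((rec["ts"], rec["ip"]))
    return events


def hits_per_client(lines):
    """Count matching events per client address so an operator sees who is affected."""
    return Counter(ip for _, ip in find_broken_sso_events(lines))


# Constructed sample: the lines quoted in the issue, an unrelated INFO line for another
# client, and a second occurrence of the failure for the first client.
SAMPLE_LOG = """\
2020-03-12 17:38:36,797 - 192.168.238.102 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Value cannot be null or empty
2020-03-12 17:38:36,798 - 192.168.238.102 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: RuntimeException
2020-03-12 17:40:01,000 - 192.168.238.103 - INFO [net.shibboleth.idp.authn:-2] - Login flow completed
2020-03-12 17:41:12,500 - 192.168.238.102 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Value cannot be null or empty
""".splitlines()
```

Point find_broken_sso_events at the real file's lines (for example open("idp-process.log").read().splitlines()) to run it against a live deployment.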

@aliaksander-samuseu
Author

Complete debug log of the second (failing) SAML flow:
idp-broken-sso-debug-log.txt

@yurem
Contributor

yurem commented Mar 15, 2020

https://github.com/GluuFederation/shib-oxauth-authn3/commit/32e57871e5c7b78860cbcb7d358d48665cab4d26

Fixed value expiration. The value can be null during expiration update.

@yurem yurem closed this as completed Mar 15, 2020
@yurem
Contributor

yurem commented Mar 15, 2020

Fixed in 4.2 and 4.1.1

@yurem yurem added this to the 4.1.1 milestone Mar 16, 2020
@yurem
Contributor

yurem commented Mar 16, 2020

@philzyk

philzyk commented Mar 24, 2020

In case somebody gets stuck on this update:
oxshibbolethIdp-4.1.1.Final.war should be renamed to idp.war in /opt/gluu-server/opt/gluu/jetty/idp/webapps, and then restart idp with service idp restart.

@malotian
Contributor

malotian commented Apr 3, 2020

Duplicate #70
