Shibboleth server side session storage broken #70

Closed
mzico opened this issue Mar 22, 2020 · 3 comments

mzico commented Mar 22, 2020

Server-side session storage is not storing the user identifier for the next SSO session.

Situation

  • Multiple SAML apps
  • First SAML SSO working okay
  • If I try to log in to another (next) SP which is connected to the Gluu Server in the same browser / tab, Shibboleth throws an error.
  • Here is a screencast which has three servers:
    • test41.gluu.org / Gluu Server 4.1
    • samlapp.gluu.org / 1st SP
    • samlapp2.gluu.org / 2nd SP
    • First SSO working okay, next SSO failing.
    • Screencast: https://youtu.be/nuDnNl0FZro

Workaround

In the idp.properties file there is a configuration:
idp.session.StorageService = shibboleth.GluuStorageService
If we replace that with:
idp.session.StorageService = shibboleth.StorageService
it works properly.

Stack trace

Here is the stack trace of 2nd SSO. It's from 'idp-process.log':

2020-03-22 20:15:05,569 - 209.205.221.187 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder:100] - Decoded RelayState: ss:mem:543499ab4cf091efcfc44b8a97d4cd9e79bae380819c7ea44f7e1fedfa0b8a64
2020-03-22 20:15:05,569 - 209.205.221.187 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder:134] - Base64 decoding and inflating SAML message
2020-03-22 20:15:05,570 - 209.205.221.187 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder:110] - Decoded SAML message
2020-03-22 20:15:05,571 - 209.205.221.187 - DEBUG [PROTOCOL_MESSAGE:127] -
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest
    AssertionConsumerServiceURL="https://samlapp.gluu.org/Shibboleth.sso/SAML2/POST"
    Destination="https://test41.gluu.org/idp/profile/SAML2/Redirect/SSO"
    ID="_8c1f78b804065d8a435e340a261d89c6"
    IssueInstant="2020-03-22T20:15:04Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://samlapp.gluu.org/shibboleth</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="1"/>
</samlp:AuthnRequest>

2020-03-22 20:15:05,571 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.CheckMessageVersionHandler' on INBOUND message context
2020-03-22 20:15:05,572 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,572 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml1.binding.impl.SAML1ArtifactRequestIssuerHandler' on INBOUND message context
2020-03-22 20:15:05,572 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,573 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLProtocolAndRoleHandler' on INBOUND message context
2020-03-22 20:15:05,573 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,574 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler' on INBOUND message context
2020-03-22 20:15:05,574 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,574 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:434] - Metadata Resolver FilesystemMetadataResolver SiteSP1: Metadata backing store does not contain any EntityDescriptors with the ID: https://samlapp.gluu.org/shibboleth
2020-03-22 20:15:05,574 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver:184] - Metadata Resolver FilesystemMetadataResolver SiteSP1: Resolved 0 candidates via EntityIdCriterion: EntityIdCriterion [id=https://samlapp.gluu.org/shibboleth]
2020-03-22 20:15:05,575 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:586] - Metadata Resolver FilesystemMetadataResolver SiteSP1: Candidates iteration was empty, nothing to filter via predicates
2020-03-22 20:15:05,575 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver:184] - Metadata Resolver FilesystemMetadataResolver SiteSP2: Resolved 1 candidates via EntityIdCriterion: EntityIdCriterion [id=https://samlapp.gluu.org/shibboleth]
2020-03-22 20:15:05,575 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:590] - Metadata Resolver FilesystemMetadataResolver SiteSP2: Attempting to filter candidate EntityDescriptors via resolved Predicates
2020-03-22 20:15:05,575 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:612] - Metadata Resolver FilesystemMetadataResolver SiteSP2: After predicate filtering 1 EntityDescriptors remain
2020-03-22 20:15:05,575 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:266] - Resolved 1 source EntityDescriptors
2020-03-22 20:15:05,575 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:277] - Resolved 1 RoleDescriptor candidates via role criteria, performing predicate filtering
2020-03-22 20:15:05,576 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:378] - Attempting to filter candidate RoleDescriptors via resolved Predicates
2020-03-22 20:15:05,576 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:400] - After predicate filtering 1 RoleDescriptors remain
2020-03-22 20:15:05,576 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:145] - Message Handler:  org.opensaml.saml.common.messaging.context.SAMLMetadataContext added to MessageContext as child of org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext
2020-03-22 20:15:05,576 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler' on INBOUND message context
2020-03-22 20:15:05,577 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,577 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler:158] - Message Handler:  Selecting default AttributeConsumingService, if any
2020-03-22 20:15:05,577 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.support.AttributeConsumingServiceSelector:186] - Resolving AttributeConsumingService candidates from SPSSODescriptor
2020-03-22 20:15:05,577 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.support.AttributeConsumingServiceSelector:141] - AttributeConsumingService candidate list was empty, can not select service
2020-03-22 20:15:05,577 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler:167] - Message Handler:  No AttributeConsumingService selected
2020-03-22 20:15:05,577 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeRelyingPartyContextFromSAMLPeer:132] - Profile Action InitializeRelyingPartyContextFromSAMLPeer: Attaching RelyingPartyContext based on SAML peer https://samlapp.gluu.org/shibboleth
2020-03-22 20:15:05,578 - 209.205.221.187 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:293] - Resolving relying party configuration
2020-03-22 20:15:05,578 - 209.205.221.187 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:314] - No relying party configurations are applicable, returning the default configuration shibboleth.DefaultRelyingParty
2020-03-22 20:15:05,578 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.SelectRelyingPartyConfiguration:136] - Profile Action SelectRelyingPartyConfiguration: Found relying party configuration shibboleth.DefaultRelyingParty for request
2020-03-22 20:15:05,579 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.PopulateProfileInterceptorContext:126] - Profile Action PopulateProfileInterceptorContext: Installing flow intercept/security-policy/saml2-sso into interceptor context
2020-03-22 20:15:05,580 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.FilterFlowsByNonBrowserSupport:52] - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do
2020-03-22 20:15:05,580 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:101] - Profile Action SelectProfileInterceptorFlow: Checking flow intercept/security-policy/saml2-sso for applicability...
2020-03-22 20:15:05,580 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:84] - Profile Action SelectProfileInterceptorFlow: Selecting flow intercept/security-policy/saml2-sso
2020-03-22 20:15:05,581 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler' on INBOUND message context
2020-03-22 20:15:05,581 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,581 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:157] - Message Handler:  Checking SAML message intended destination endpoint against receiver endpoint
2020-03-22 20:15:05,582 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:190] - Message Handler:  Intended message destination endpoint: https://test41.gluu.org/idp/profile/SAML2/Redirect/SSO
2020-03-22 20:15:05,582 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:191] - Message Handler:  Actual message receiver endpoint: https://test41.gluu.org/idp/profile/SAML2/Redirect/SSO
2020-03-22 20:15:05,582 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:204] - Message Handler:  SAML message intended destination endpoint matched recipient endpoint
2020-03-22 20:15:05,583 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.security.impl.MessageReplaySecurityHandler' on INBOUND message context
2020-03-22 20:15:05,583 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,583 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.security.impl.MessageReplaySecurityHandler:152] - Message Handler:  Evaluating message replay for message ID '_8c1f78b804065d8a435e340a261d89c6', issue instant '2020-03-22T20:15:04.000Z', entityID 'https://samlapp.gluu.org/shibboleth'
2020-03-22 20:15:05,584 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.security.impl.MessageLifetimeSecurityHandler' on INBOUND message context
2020-03-22 20:15:05,584 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,584 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml2.binding.security.impl.SAML2AuthnRequestsSignedSecurityHandler' on INBOUND message context
2020-03-22 20:15:05,585 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,585 - 209.205.221.187 - DEBUG [org.opensaml.saml.saml2.binding.security.impl.SAML2AuthnRequestsSignedSecurityHandler:83] - SPSSODescriptor for entity ID 'https://samlapp.gluu.org/shibboleth' does not require AuthnRequests to be signed
2020-03-22 20:15:05,585 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler' on INBOUND message context
2020-03-22 20:15:05,585 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,586 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler:103] - Message Handler:  SAML protocol message was not signed, skipping XML signature processing
2020-03-22 20:15:05,586 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler' on INBOUND message context
2020-03-22 20:15:05,586 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,587 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:149] - Message Handler:  Evaluating simple signature rule of type: org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler
2020-03-22 20:15:05,587 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:158] - Message Handler:  HTTP request was not signed via simple signature mechanism, skipping
2020-03-22 20:15:05,587 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPPostSimpleSignSecurityHandler' on INBOUND message context
2020-03-22 20:15:05,587 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,588 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:149] - Message Handler:  Evaluating simple signature rule of type: org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPPostSimpleSignSecurityHandler
2020-03-22 20:15:05,588 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:152] - Message Handler:  Handler can not handle this request, skipping
2020-03-22 20:15:05,588 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.messaging.handler.impl.CheckMandatoryIssuer' on INBOUND message context
2020-03-22 20:15:05,589 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,589 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.WriteProfileInterceptorResultToStorage:68] - Profile Action WriteProfileInterceptorResultToStorage: No results available from interceptor context, nothing to store
2020-03-22 20:15:05,589 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.FilterFlowsByNonBrowserSupport:52] - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do
2020-03-22 20:15:05,590 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:65] - Profile Action SelectProfileInterceptorFlow: Moving completed flow intercept/security-policy/saml2-sso to completed set, selecting next one
2020-03-22 20:15:05,590 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:80] - Profile Action SelectProfileInterceptorFlow: No flows available to choose from
2020-03-22 20:15:05,590 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeOutboundMessageContext:149] - Profile Action InitializeOutboundMessageContext: Initialized outbound message context
2020-03-22 20:15:05,595 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:375] - Profile Action PopulateBindingAndEndpointContexts: Attempting to resolve endpoint of type {urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService for outbound message
2020-03-22 20:15:05,595 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:516] - Profile Action PopulateBindingAndEndpointContexts: Populating template endpoint for resolution from SAML AuthnRequest
2020-03-22 20:15:05,596 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.AbstractEndpointResolver:220] - Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Returning 4 candidate endpoints of type {urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService
2020-03-22 20:15:05,596 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:418] - Profile Action PopulateBindingAndEndpointContexts: Resolved endpoint at location https://samlapp.gluu.org/Shibboleth.sso/SAML2/POST using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2020-03-22 20:15:05,597 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.saml2.profile.delegation.impl.PopulateDelegationContext:387] - No AttributeConsumingService was resolved, won't be able to determine delegation requested status via metadata
2020-03-22 20:15:05,597 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.saml2.profile.delegation.impl.PopulateDelegationContext:520] - No AttributeConsumingService was available
2020-03-22 20:15:05,597 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.saml2.profile.delegation.impl.PopulateDelegationContext:505] - Delegation request was not explicitly indicated, using default value: NOT_REQUESTED
2020-03-22 20:15:05,598 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.saml2.profile.delegation.impl.PopulateDelegationContext:294] - Issuance of a delegated Assertion is not in effect, skipping further processing
2020-03-22 20:15:05,598 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.profile.impl.PopulateSignatureSigningParameters:211] - Profile Action PopulateSignatureSigningParameters: Signing enabled
2020-03-22 20:15:05,598 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.impl.PopulateSignatureSigningParametersHandler:194] - Message Handler:  Signing enabled
2020-03-22 20:15:05,599 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.impl.PopulateSignatureSigningParametersHandler:207] - Message Handler:  Resolving SignatureSigningParameters for request
2020-03-22 20:15:05,599 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.impl.PopulateSignatureSigningParametersHandler:237] - Message Handler:  Adding metadata to resolution criteria for signing/digest algorithms
2020-03-22 20:15:05,599 - 209.205.221.187 - DEBUG [org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver:108] - Resolved signature algorithm URI from SAML metadata SigningMethod: http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
2020-03-22 20:15:05,599 - 209.205.221.187 - DEBUG [org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver:189] - Resolved reference digest method algorithm URI from SAML metadata DigestMethod: http://www.w3.org/2001/04/xmlenc#sha512
2020-03-22 20:15:05,600 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.impl.PopulateSignatureSigningParametersHandler:248] - Message Handler:  Resolved SignatureSigningParameters
2020-03-22 20:15:05,601 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.profile.impl.PopulateSignatureSigningParameters:214] - Profile Action PopulateSignatureSigningParameters: Signing not enabled
2020-03-22 20:15:05,601 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:296] - Profile Action PopulateEncryptionParameters: Encryption for assertions (true), identifiers (false), attributes(false)
2020-03-22 20:15:05,602 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:306] - Profile Action PopulateEncryptionParameters: Resolving EncryptionParameters for request
2020-03-22 20:15:05,602 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:371] - Profile Action PopulateEncryptionParameters: Adding entityID to resolution criteria
2020-03-22 20:15:05,603 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:382] - Profile Action PopulateEncryptionParameters: Adding role metadata to resolution criteria
2020-03-22 20:15:05,603 - 209.205.221.187 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:260] - Resolving credentials from supplied RoleDescriptor using usage: ENCRYPTION.  Effective entityID was: https://samlapp.gluu.org/shibboleth
2020-03-22 20:15:05,604 - 209.205.221.187 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:352] - Resolved cached credentials from KeyDescriptor object metadata
2020-03-22 20:15:05,604 - 209.205.221.187 - DEBUG [org.opensaml.saml.security.impl.SAMLMetadataEncryptionParametersResolver:388] - Resolved data encryption algorithm URI from SAML metadata EncryptionMethod: http://www.w3.org/2009/xmlenc11#aes128-gcm
2020-03-22 20:15:05,604 - 209.205.221.187 - DEBUG [org.opensaml.saml.security.impl.SAMLMetadataEncryptionParametersResolver:342] - Resolved key transport algorithm URI from SAML metadata EncryptionMethod: http://www.w3.org/2009/xmlenc11#rsa-oaep
2020-03-22 20:15:05,605 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:322] - Profile Action PopulateEncryptionParameters: Resolved EncryptionParameters
2020-03-22 20:15:05,607 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.profile.impl.ExtractSubjectFromRequest:144] - Profile Action ExtractSubjectFromRequest: No Subject NameID/NameIdentifier in message needs inbound processing
2020-03-22 20:15:05,607 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.profile.impl.VerifyChannelBindings:154] - Profile Action VerifyChannelBindings: No channel bindings found to verify, nothing to do
2020-03-22 20:15:05,608 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml2.binding.impl.ExtractProxiedRequestersHandler' on INBOUND message context
2020-03-22 20:15:05,609 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,609 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeAuthenticationContext:138] - Profile Action InitializeAuthenticationContext: Created authentication context: AuthenticationContext{initiationInstant=2020-03-22T20:15:05.609Z, isPassive=false, forceAuthn=false, hintedName=null, maxAge=0, potentialFlows=[], activeResults=[], attemptedFlow=null, signaledFlowId=null, authenticationStateMap={}, resultCacheable=true, initialAuthenticationResult=null, authenticationResult=null, completionInstant=1970-01-01T00:00:00.000Z}
2020-03-22 20:15:05,610 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.ProcessRequestedAuthnContext:174] - Profile Action ProcessRequestedAuthnContext: AuthnRequest did not contain a RequestedAuthnContext, nothing to do
2020-03-22 20:15:05,611 - 209.205.221.187 - DEBUG [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:221] - Profile Action PopulateAuthenticationContext: Installed 1 potential authentication flows into AuthenticationContext
2020-03-22 20:15:05,612 - 209.205.221.187 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedSessionManager:798] - Performing primary lookup on session ID 35c3acafd6337bb079f9e68b99f6df136d6ac64b48f0f622a4dda55905e71589
2020-03-22 20:15:05,616 - 209.205.221.187 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedIdPSession:90] - Updating expiration of master record for session 35c3acafd6337bb079f9e68b99f6df136d6ac64b48f0f622a4dda55905e71589 to 2020-03-23T21:15:05.616Z
2020-03-22 20:15:05,618 - 209.205.221.187 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Value cannot be null or empty
        at net.shibboleth.utilities.java.support.logic.Constraint.isNotNull(Constraint.java:227)
2020-03-22 20:15:05,619 - 209.205.221.187 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: RuntimeException
2020-03-22 20:15:05,619 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:170] - Error event RuntimeException will be handled locally
mzico added the bug label Mar 22, 2020
mzico added this to the 4.1 milestone Mar 22, 2020
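
The failure in the log above appears as a session lookup followed by an ERROR record whose continuation line names the exception. The script below is an added example (not part of the issue or of the Gluu or Shibboleth code) that extracts those pairs from an idp-process.log; the record layout is assumed from the lines quoted above, and the sample input is constructed with placeholder IPs and a placeholder session ID.

```shell
#!/bin/sh
# Added example, not from the issue. Record layout assumed from the log above:
#   <date> <time> - <client-ip> - <LEVEL> [<logger>:<line>] - <message>

# idp_errors [FILE...]   (reads stdin when no file is given)
# Prints one tab-separated line per ERROR record:
#   timestamp, client IP, last session ID looked up for that IP, exception line
# A "-" stands for a field that could not be found.
idp_errors() {
    awk '
    function emit(    s, e) {
        if (!pending) return
        s = (p_ip in sid) ? sid[p_ip] : "-"
        e = (p_exc == "") ? "-" : p_exc
        printf "%s\t%s\t%s\t%s\n", p_ts, p_ip, s, e
        pending = 0
    }
    # A new record starts with "YYYY-MM-DD HH:MM:SS,mmm - "
    /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9:,]+ - / {
        emit()                       # previous ERROR record is now complete
        ts = $1 " " $2; ip = $4; level = $6
        # StorageBackedSessionManager logs the ID as the last word of the line
        if ($0 ~ /Performing primary lookup on session ID /) sid[ip] = $NF
        if (level == "ERROR") { pending = 1; p_ts = ts; p_ip = ip; p_exc = "" }
        next
    }
    # Continuation line (stack trace, pretty-printed XML). Keep only the first
    # non-empty one after an ERROR record: it names the exception.
    pending && p_exc == "" && NF { sub(/^[ \t]+/, ""); p_exc = $0 }
    END { emit() }
    ' "$@"
}

# Constructed sample: same shape as the records in the issue, with
# documentation-range IPs and a placeholder session ID.
sample_log() {
    cat <<'EOF'
2020-03-22 20:15:05,612 - 192.0.2.10 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedSessionManager:798] - Performing primary lookup on session ID sess-0001
2020-03-22 20:15:05,616 - 192.0.2.10 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedIdPSession:90] - Updating expiration of master record for session sess-0001 to 2020-03-23T21:15:05.616Z
2020-03-22 20:15:05,618 - 192.0.2.10 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Value cannot be null or empty
        at net.shibboleth.utilities.java.support.logic.Constraint.isNotNull(Constraint.java:227)
2020-03-22 20:15:05,619 - 192.0.2.10 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: RuntimeException
2020-03-22 20:16:00,000 - 192.0.2.20 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
EOF
}

# Demonstration on the constructed sample; for a real file: idp_errors idp-process.log
sample_log | idp_errors
```

An ERROR that follows a successful primary lookup for the same client means the session record was found in storage but could not be used, which matches the report that the problem goes away when the storage service is switched.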

malotian commented Apr 3, 2020

I tried reproducing it, but for me it's working fine by default.

https://sp1.gluu.org:8443
https://sp2.gluu.org:9443

And it all worked fine; for the 2nd it got authenticated without asking for credentials and landed on the application.


malotian commented Apr 3, 2020

Solution:
1. Download https://ox.gluu.org/maven/org/gluu/oxshibbolethIdp/4.1.1.Final/oxshibbolethIdp-4.1.1.Final.war
2. Rename oxshibbolethIdp-4.1.1.Final.war to idp.war
3. Copy idp.war to /opt/gluu-server/opt/gluu/jetty/idp/webapps
4. Restart idp by service idp restart
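
The steps above as a script that refuses to replace idp.war unless the download matches a SHA-256 digest obtained out of band, and that keeps a copy of the WAR it replaces. This is an added example, not part of the comment or of Gluu's tooling; the expected digest is an argument because the page gives none, and BACKUP_DIR is a hypothetical location.

```shell
#!/bin/sh
# Added example, not from the issue. URL and webapps path are the ones in the
# comment above; BACKUP_DIR is a hypothetical default.
WAR_URL="https://ox.gluu.org/maven/org/gluu/oxshibbolethIdp/4.1.1.Final/oxshibbolethIdp-4.1.1.Final.war"
WEBAPPS="/opt/gluu-server/opt/gluu/jetty/idp/webapps"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/idp-war}"

# sha256_of FILE -> prints the lowercase hex SHA-256 of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_war FILE EXPECTED_SHA256
# Returns 0 only when FILE is non-empty and its digest equals EXPECTED_SHA256.
# Returns 2 when EXPECTED_SHA256 is not a 64-character hex string.
verify_war() {
    [ -s "$1" ] || return 1
    case "$2" in
        ""|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ "${#2}" -eq 64 ] || return 2
    actual=$(sha256_of "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# install_war SRC WEBAPPS_DIR BACKUP_DIR
# Saves the currently deployed idp.war, then overwrites it in place so the
# deployed file keeps its existing owner and mode.
install_war() {
    src=$1; dest_dir=$2; backup_dir=$3
    if [ -f "$dest_dir/idp.war" ]; then
        cp -p "$dest_dir/idp.war" \
            "$backup_dir/idp.war.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    cp "$src" "$dest_dir/idp.war"
}

# Run as: sh deploy-idp-war.sh --deploy <expected-sha256>
if [ "${1:-}" = "--deploy" ]; then
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    mkdir -p "$BACKUP_DIR" || exit 1
    # Steps 1-2: download over HTTPS only, including any redirects
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' -o "$tmp" "$WAR_URL" || exit 1
    if ! verify_war "$tmp" "${2:-}"; then
        echo "digest check failed; idp.war left untouched" >&2
        exit 1
    fi
    # Step 3: copy into place under the name idp.war
    install_war "$tmp" "$WEBAPPS" "$BACKUP_DIR" || exit 1
    # Step 4 is left to the operator
    echo "idp.war replaced; now run: service idp restart"
fi
```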


malotian commented Apr 3, 2020

Duplicate #68
