Logon is looping after apparent successful authentication.

O'Quinn, Dennis

Hi, attempting to integrate Shibboleth/SAML with SAS (Statistical Analysis Software). The SAS Servers and web server/SP are located inside Google Cloud (GCP) and the IdP is located outside of the GCP LB.

Shibboleth version is 2.6.1 and it is running on Linux and Apache 2.4.

We seem to have been able to get the initial logon to authenticate, but once the post back to …/SAML2/POST occurs, it begins an infinite loop bouncing between a GET and POST to …SAML2/POST.

I am looking at the trace data in my browser and the SAS logs, but I can’t see where the problem is.

Can someone give me a pointer on where to look or what to look for to determine the cause of this behavior?

Thanks in advance, Dennis




The information in this Internet Email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this Email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this Email are subject to the terms and conditions expressed in any applicable governing The Home Depot terms of business or client engagement letter. The Home Depot disclaims all responsibility and liability for the accuracy and content of this attachment and for any damages or losses arising from any inaccuracies, errors, viruses, e.g., worms, trojan horses, etc., or other items of a destructive nature, which may be contained in this attachment and shall not be liable for direct, indirect, consequential or special damages in connection with this e-mail message or its attachment.

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Re: Logon is looping after apparent successful authentication.

Greg Haverkamp

On Fri, Jun 1, 2018 at 12:18 PM, O'Quinn, Dennis <[hidden email]> wrote:

Can someone give me a pointer on where to look or what to look for to determine the cause of this behavior?




Greg 

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: [EXTERNAL] Re: Logon is looping after apparent successful authentication.

O'Quinn, Dennis

Thank you Greg, I have been looking at that and the Flow document all day and I understand (from all I have and from numerous declarations made by Scott C) that it must be a cookie issue.

However, I cannot figure out *how* to troubleshoot or trace where the cookie issue is and what the SP doesn’t like or can’t open.

I can ‘view’ the cookies in Chrome, and am using the dev tools in Chrome plus a SAML tracer, but that doesn’t tell me what is ‘bad’ about the cookies. I see that on the POST, my app URL, and the SSO.saml2?SAMLRequest named entries in the Network Trace data all have the same cookie.

It is looping rapidly and just looking at the cookies does not tell me what is ‘wrong’…

Is there any guidance available on how to capture the failure when my app URL cannot open or read the cookie? What should I be looking for to see if this is a problem with

Thanks, Dennis

RE: [EXTERNAL] Re: Logon is looping after apparent successful authentication.

Cantor, Scott E.
> I can ‘view’ the cookies in Chrome, and am using the dev tools in chrome plus a
> SAML tracer, but, that doesn’t tell me what is ‘bad’ about the cookies.  I see
> that on the POST, my app URL, and the SSO.saml2?SAMLRequest named entries
> in the Network Trace data all have the same cookie.

That’s impossible so you're not looking at the right cookies. Two different servers don't share cookies in these exchanges.

POST -> Set-Cookie header from the SP with shibsession in the name.
Redirect -> GET -> send Cookie header back to the SP

There is no way that's happening. Or you have logs somewhere indicating it invalidated the session because even if it did happen the IP address flipped or something else is wrong.

Perhaps you have clustered this across servers with no regard for the fact that that simply doesn't work, the cache is in memory.

-- Scott

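Scott's two lines describe the only exchange in which the SP session cookie is involved: the SP sets it on the response to the POST, and the browser must present it on the GET that follows the redirect. The following is an added example, not Shibboleth SP code and not from anyone in this thread: it walks a constructed POST-then-GET pair through a host-scoped cookie jar (cookies are scoped by host name, not port, per RFC 6265) and reports whether the follow-up GET would carry the session cookie. The host names, the cookie name and its value are made up; the only fact taken from the thread is that the SP's session cookie has "shibsession" in its name.

```python
"""Walk a SAML HTTP-POST -> redirect -> GET exchange through a host-scoped
cookie jar and report whether the SP session cookie set on the POST response
is presented again on the follow-up GET.

Constructed example for this thread; it is not Shibboleth SP code and the
host names, cookie name and cookie value are made up."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class HostCookieJar:
    """Minimal RFC 6265-style jar: cookies are scoped by host name only (the
    port is not part of the scope), so a cookie set by one host name is never
    sent on a request to a different host name."""

    def __init__(self):
        self.by_host = {}  # host name -> {cookie name: value}

    def store(self, url, set_cookie_headers):
        host = urlsplit(url).hostname
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                self.by_host.setdefault(host, {})[name] = morsel.value

    def cookies_for(self, url):
        return dict(self.by_host.get(urlsplit(url).hostname, {}))


def session_cookie_names(cookies):
    """Names of the SP session cookies (they carry 'shibsession' in the name)."""
    return sorted(name for name in cookies if "shibsession" in name)


def trace(exchanges):
    """exchanges: (method, url, Set-Cookie headers of the response) tuples in
    the order the browser made them.  Returns, per request, the shibsession
    cookie names the browser would have sent with that request."""
    jar = HostCookieJar()
    sent = []
    for method, url, set_cookies in exchanges:
        sent.append((method, url, session_cookie_names(jar.cookies_for(url))))
        jar.store(url, set_cookies)  # response cookies apply to later requests
    return sent


def session_cookie_returned(exchanges):
    """True when the last request of the exchange carries an SP session cookie."""
    return bool(trace(exchanges)[-1][2])


# Constructed cookie: name and value are made up, attributes as the SP sets them.
SP_COOKIE = "_shibsession_6578616d706c65=_abc123; path=/; secure; HttpOnly"

# Constructed scenario A: cookie set on the POST response, follow-up GET to the
# same host name, so the browser presents it and the SP finds its session.
HEALTHY = [
    ("POST", "https://sp.example.org/Shibboleth.sso/SAML2/POST", [SP_COOKIE]),
    ("GET", "https://sp.example.org/app/", []),
]

# Constructed scenario B: the redirect after the POST lands on a different host
# name (for instance a backend name instead of the public one); the jar holds
# nothing for that host, so the SP sees an unauthenticated GET and starts over.
BROKEN = [
    ("POST", "https://sp.example.org/Shibboleth.sso/SAML2/POST", [SP_COOKIE]),
    ("GET", "https://sp-backend.internal:8343/app/", []),
]

if __name__ == "__main__":
    for label, exchanges in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(label, session_cookie_returned(exchanges), trace(exchanges))
```

When reading a browser trace, the same check applies by hand: find the Set-Cookie with shibsession in the name on the POST response, then confirm the very next GET goes to the same host name and carries that cookie back; the cookie the IdP's SSO.saml2 page sets is a different cookie for a different host and is not expected to appear on the SP side.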
RE: [EXTERNAL] Re: Logon is looping after apparent successful authentication.

O'Quinn, Dennis
Hi Scott, thank you for your continued (and fast) responses.

Sorry, I did not get what you were... no clustering... I am only saying that as I look in the Chrome dev tools network trace data, I am seeing 'cookies' represented on the 3 network trace 'entry names' I mentioned... That is all that is in the network trace due to the looping.

The setup is:
-> A corporate network where the PingIdentity IdP is hosted.
-> There is a Google Cloud Load Balancer with a front end facing this corporate network listening on port 443.
-> The DNS name for this LB front end is sascloud.homedepot.com (note: the LB reference is not significant, it is only serving as the gateway into the cloud and has only 1 node in its 'pool' (i.e., the SAS Web Server)).
-> The LB back end (i.e., inside GCP) points to the SAS Web Server (Linux/Apache 2.4/Shibboleth 2.6.1) where the SP function is hosted.  The host name of the SAS Web Server in GCP is sas-mao-midtier.<GCP Domain> and it is listening on port 8343.
-> Both the front-end and the backend connections for the LB are HTTPS .
-> The URLs in the SP Metadata provided to the IdP are all prefixed as "https://sascloud.homedepot.com/".
-> The ServerName directive in the httpd-ssl.conf file on the SAS Web Server is set to sascloud.homedepot.com and a ServerAlias is defined for sas-mao-midtier.<GCP Domain>:8343

The login seems to be working fine.

One possible complication here is that we are doing 2 factor authentication at the IdP, so, the user is first prompted to authenticate using an ID/RSA Token, and then the user is prompted to authenticate again using an ID/PSW that is authenticated via LDAPS.

I do not believe the 2FA is a problem though since we were also looping when doing the RSA token only.  I only mention it to be complete.


Questions:
Would I find the information I need to debug this in the shibd_warn.log or the shibd.log or the native (or native_warn).log?

NOTE: I believe I have all of the debug settings enabled in the shibboleth log config files in /etc/shibboleth, so, I am getting a copious amount of information in my logs.

I apologize if I am missing something obvious, but, I am still getting my head around Shibboleth and SAML, so, there are (apparently) quite a few things that I don't know or completely understand yet.


Thanks much, Dennis








RE: [EXTERNAL] Re: Logon is looping after apparent successful authentication.

O'Quinn, Dennis
If it will help, please refer to the shibd.log excerpt below (minus DEBUG entries for brevity) of a single logon attempt with looping.....

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://sascloud.homedepot.com/Shibboleth.sso/SAML2/POST" Destination="https://thdsaml-qa.homedepot.com/idp/SSO.saml2" ID="_791676d18ee3daf6cd8e232d76749449" IssueInstant="2018-06-01T23:23:30Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sascloud.homedepot.com/shibboleth</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://sascloud.homedepot.com/Shibboleth.sso/SAML2/POST" Destination="https://thdsaml-qa.homedepot.com/idp/SSO.saml2" ID="_9bc12568e2e7bb08337f3b2a86efc38e" IssueInstant="2018-06-01T23:23:32Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sascloud.homedepot.com/shibboleth</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>
<samlp:Response Version="2.0" ID="lA0NJB_l0da3YaEhENM-CyUgNbF" IssueInstant="2018-06-01T23:24:05.138Z" InResponseTo="_9bc12568e2e7bb08337f3b2a86efc38e" Destination="https://sascloud.homedepot.com/Shibboleth.sso/SAML2/POST" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://devsaml.homedepot.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#lA0NJB_l0da3YaEhENM-CyUgNbF">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>i86pQLQL9Lhgu2jUi6vGZS78q0xZPM1QZVyX7ZiMadE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
LhLj/Fsg0j0PIkErgQyh80W7M+Cai42M34PjFZ1dz4cbUOlSawk3hHs492RiiHbNTS8aQo+AKs9k
43ZyXhxyKDrkEKYWxM04wJVLUGBODjwpS2X8gtJx11kkQHXUD8px2FgigHcEJhph+XffX0ScIDMV
m7kzx1qIG++mQxs+IVTM+gfkrTsE9FdcrWw+y7CUl5PJl1n9qrI/FfNuqHIC6IuXEb7vCf1YVMXH
rliAUmop01vzcAabvMnANZ4RkwHA5y4n7jKLL8X/GkgIsNnDkK6/5xccv85YflfE/yb4WUlYffEq
Aki3QWW0KJsMlOJg9XypTiYfzjOj6k+qPZxiog==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
.
.
.
</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
h0AUJ3RAXh8tIl009Dq/i6vT1dQVBZ+/+NDysj2FPd5JYs7QFkjVgRJVRR0tXSJ2o/rA1KzSX982
mvLJLxvkW0BwDf47EjeZGj5ZZVi5nG22WAeMpLyRa2hnKCmD3hoeUnaRF7wzsWJpC1nYCdLiafN3
syd6ayPrjVr6Rwz/Yd8QAgkXu+hBy70xFKSdAb4NqSu+nEZzAsDsGXCF3fH9iMBsmsLXaghZmm2Y
N83tYTFpxR1vfWGo2YMGN10xGWYsBvxv3Q2jtLYXjHdqBOD3Ng2tGWKYNJqlYgGbE/OdbjrKjd03
Ln1fRgZCtW1/Vr+tbixAEC7QBJPioSAPwYTM2Q==
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion ID="byLxpEApvoSAOCI9VB5g8xaqpAG" IssueInstant="2018-06-01T23:24:05.871Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Issuer>https://devsaml.homedepot.com</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">dxo5ic1</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData Recipient="https://sascloud.homedepot.com/Shibboleth.sso/SAML2/POST" NotOnOrAfter="2018-06-01T23:39:05.871Z" InResponseTo="_9bc12568e2e7bb08337f3b2a86efc38e"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2018-06-01T23:14:05.871Z" NotOnOrAfter="2018-06-01T23:39:05.871Z"><saml:AudienceRestriction><saml:Audience>https://sascloud.homedepot.com/shibboleth</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement SessionIndex="byLxpEApvoSAOCI9VB5g8xaqpAG" AuthnInstant="2018-06-01T23:24:05.871Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>
2018-06-01 19:24:05 WARN Shibboleth.AttributeResolver.Query [3]: no SAML 2 AttributeAuthority role found in metadata
2018-06-01 19:24:05 INFO Shibboleth.SessionCache [3]: new session created: ID (_92085e8ccf790e5f7646ef58878446d8) IdP (https://devsaml.homedepot.com) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (130.211.3.197)
2018-06-01 19:24:05 INFO Shibboleth.SessionCache [4]: removed session (_92085e8ccf790e5f7646ef58878446d8)
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://sascloud.homedepot.com/Shibboleth.sso/SAML2/POST" Destination="https://thdsaml-qa.homedepot.com/idp/SSO.saml2" ID="_14c249f7768cb7151d66bf5c69cc1847" IssueInstant="2018-06-01T23:24:05Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sascloud.homedepot.com/shibboleth</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>
<samlp:Response Version="2.0" ID="KBUeNypUjlM8ZrkBE5PQ6YaQ.2d" IssueInstant="2018-06-01T23:24:06.074Z" InResponseTo="_14c249f7768cb7151d66bf5c69cc1847" Destination="https://sascloud.homedepot.com/Shibboleth.sso/SAML2/POST" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://devsaml.homedepot.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#KBUeNypUjlM8ZrkBE5PQ6YaQ.2d">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>gnNPYoU64H7CA3Vz+gQMQbayAl5k9svxnEVhaAT/a70=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
HPXPJaBxkElzzH7nlsA+SPE8svcT4VNKtsa3UPj9J64tK9R7fLFhUfHtyzjcOLThruYSKOGKnCz+
AnxSauylSLhOx9yPMXnsAKyCag6601GDprjqHfXnM74ky5qLtRVVvxBPTRbUYPOw39GADDWe8FmF
XNhvr3vBUJ0OCUBiM2dBwDn3fWnf5/AyMlXIt6yf2sUYC6NEvLsIbRp6nonj0wtRpLDM+A/b5h+m
MEYE1nx42WztIVkO3l+tei7Z5ohL74kvxymfnpN38wJvig+EwwOacOK+u9EVZLF8x3qs9L3oTKnr
7fhlwpzuBB+LR+Tl1qeFtYI/G7jgWTTb02SLfw==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
.
.
.
</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
h0AUJ3RAXh8tIl009Dq/i6vT1dQVBZ+/+NDysj2FPd5JYs7QFkjVgRJVRR0tXSJ2o/rA1KzSX982
mvLJLxvkW0BwDf47EjeZGj5ZZVi5nG22WAeMpLyRa2hnKCmD3hoeUnaRF7wzsWJpC1nYCdLiafN3
syd6ayPrjVr6Rwz/Yd8QAgkXu+hBy70xFKSdAb4NqSu+nEZzAsDsGXCF3fH9iMBsmsLXaghZmm2Y
N83tYTFpxR1vfWGo2YMGN10xGWYsBvxv3Q2jtLYXjHdqBOD3Ng2tGWKYNJqlYgGbE/OdbjrKjd03
Ln1fRgZCtW1/Vr+tbixAEC7QBJPioSAPwYTM2Q==
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion ID="dTXaWwtGfc3wAC.BNK.vcdFdS1b" IssueInstant="2018-06-01T23:24:07.182Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Issuer>https://devsaml.homedepot.com</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">dxo5ic1</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData Recipient="https://sascloud.homedepot.com/Shibboleth.sso/SAML2/POST" NotOnOrAfter="2018-06-01T23:39:07.182Z" InResponseTo="_14c249f7768cb7151d66bf5c69cc1847"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2018-06-01T23:14:07.182Z" NotOnOrAfter="2018-06-01T23:39:07.182Z"><saml:AudienceRestriction><saml:Audience>https://sascloud.homedepot.com/shibboleth</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement SessionIndex="dTXaWwtGfc3wAC.BNK.vcdFdS1b" AuthnInstant="2018-06-01T23:24:07.182Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>
2018-06-01 19:24:07 WARN Shibboleth.AttributeResolver.Query [1]: no SAML 2 AttributeAuthority role found in metadata
2018-06-01 19:24:07 INFO Shibboleth.SessionCache [1]: new session created: ID (_6b8bdc09d01b11e21b75427b68a5e713) IdP (https://devsaml.homedepot.com) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (130.211.3.168)
2018-06-01 19:24:07 INFO Shibboleth.SessionCache [2]: removed session (_6b8bdc09d01b11e21b75427b68a5e713)
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://sascloud.homedepot.com/Shibboleth.sso/SAML2/POST" Destination="https://thdsaml-qa.homedepot.com/idp/SSO.saml2" ID="_4b76c68699f08701f2a1f890ad5abf74" IssueInstant="2018-06-01T23:24:07Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sascloud.homedepot.com/shibboleth</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>
<samlp:Response Version="2.0" ID="wOaA0UTEfPJUYEfXtb6eGY2CkiG" IssueInstant="2018-06-01T23:24:07.353Z" InResponseTo="_4b76c68699f08701f2a1f890ad5abf74" Destination="https://sascloud.homedepot.com/Shibboleth.sso/SAML2/POST" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://devsaml.homedepot.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#wOaA0UTEfPJUYEfXtb6eGY2CkiG">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>sjJt/Zkan/pfc3ZS13qD1wKDsHpF5IAtEjDbMrLM0s8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
UdL31SxknBa52E+i6vwM7EP7HFiqE6MsfZglpZagGWiSscBSaF6EW30XVnMrV0OaHg4+H1p5TUPo
H4FKmwEk73kIyMgtOhZVXyXRTR4/r+Bf6eW6HOl8cVe8teVAIHDVbqxUW4XOO7HseVXen1qFPfa6
ZWNdnH9g/nYS1nfmCIbGtUMBm+X02XTEARiFNZc4fExtq9HzKHP4XZSgqOIU1NuIn3700rum3Yo2
fzUwqNiFd05W8Q/aicrsGCUk+edLUQ0IRWhabuUOuKkBb9YdVF//AMEn+XLtAU0wyR8u8nWWDyx8
lhZkqKyJkLFosA3PBGAbOHllCGlFtFNV9o6RVA==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
.
.
.
</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
h0AUJ3RAXh8tIl009Dq/i6vT1dQVBZ+/+NDysj2FPd5JYs7QFkjVgRJVRR0tXSJ2o/rA1KzSX982
mvLJLxvkW0BwDf47EjeZGj5ZZVi5nG22WAeMpLyRa2hnKCmD3hoeUnaRF7wzsWJpC1nYCdLiafN3
syd6ayPrjVr6Rwz/Yd8QAgkXu+hBy70xFKSdAb4NqSu+nEZzAsDsGXCF3fH9iMBsmsLXaghZmm2Y
N83tYTFpxR1vfWGo2YMGN10xGWYsBvxv3Q2jtLYXjHdqBOD3Ng2tGWKYNJqlYgGbE/OdbjrKjd03
Ln1fRgZCtW1/Vr+tbixAEC7QBJPioSAPwYTM2Q==
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion ID="cOcMER-67wiRBl85DFoJ4X99iEk" IssueInstant="2018-06-01T23:24:08.336Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Issuer>https://devsaml.homedepot.com</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">dxo5ic1</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData Recipient="https://sascloud.homedepot.com/Shibboleth.sso/SAML2/POST" NotOnOrAfter="2018-06-01T23:39:08.336Z" InResponseTo="_4b76c68699f08701f2a1f890ad5abf74"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2018-06-01T23:14:08.336Z" NotOnOrAfter="2018-06-01T23:39:08.336Z"><saml:AudienceRestriction><saml:Audience>https://sascloud.homedepot.com/shibboleth</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement SessionIndex="cOcMER-67wiRBl85DFoJ4X99iEk" AuthnInstant="2018-06-01T23:24:08.336Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>
2018-06-01 19:24:08 WARN Shibboleth.AttributeResolver.Query [3]: no SAML 2 AttributeAuthority role found in metadata
2018-06-01 19:24:08 INFO Shibboleth.SessionCache [3]: new session created: ID (_976031c307ebce747c851d1dc07173ad) IdP (https://devsaml.homedepot.com) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (130.211.2.221)
2018-06-01 19:24:08 INFO Shibboleth.SessionCache [4]: removed session (_976031c307ebce747c851d1dc07173ad)
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://sascloud.homedepot.com/Shibboleth.sso/SAML2/POST" Destination="https://thdsaml-qa.homedepot.com/idp/SSO.saml2" ID="_919958a133397506a3ed0f7d5a9a6919" IssueInstant="2018-06-01T23:24:08Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sascloud.homedepot.com/shibboleth</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>
<samlp:Response Version="2.0" ID="DEjtQGvrOS7H-VingZ.rvuBX0wg" IssueInstant="2018-06-01T23:24:08.539Z" InResponseTo="_919958a133397506a3ed0f7d5a9a6919" Destination="https://sascloud.homedepot.com/Shibboleth.sso/SAML2/POST" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://devsaml.homedepot.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#DEjtQGvrOS7H-VingZ.rvuBX0wg">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>rEodhDhnxS+nqk5xmIPz3pJnh5SjED7Ms2f0gAMBGlg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
E+7Kb999IDkQIqlu9T+3c3LpqEPNaPm7lkToZnqCW9/ltjsZptqqaZDgnI8CMpdnkq5DEhsSGTsw
JwanBrFV2Z021BReg9zzMHaV37dlHUu801WjwwjJ3TuEFGbzbqEQdQHt4No5ml06QzOEgl++cfo1
ANq6az76ySB6b1LvdmzjaAcQ7mHXLM+bV1lyhQYge2LNBO2V9FcGZxkaf311NQVjXuPGFNXSIdre
0k/3RKzoNfcJ76EigkjvHFkMKS/ZHyFWlNWPwd50vcaZHayl2tXyeTLbLh7847B0Y4lISVjXCH2Q
g2VJP9gqfitD8I2rMpE0ZraFBCVP2SvK+ud+cw==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
.
.
.
</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
h0AUJ3RAXh8tIl009Dq/i6vT1dQVBZ+/+NDysj2FPd5JYs7QFkjVgRJVRR0tXSJ2o/rA1KzSX982
mvLJLxvkW0BwDf47EjeZGj5ZZVi5nG22WAeMpLyRa2hnKCmD3hoeUnaRF7wzsWJpC1nYCdLiafN3
syd6ayPrjVr6Rwz/Yd8QAgkXu+hBy70xFKSdAb4NqSu+nEZzAsDsGXCF3fH9iMBsmsLXaghZmm2Y
N83tYTFpxR1vfWGo2YMGN10xGWYsBvxv3Q2jtLYXjHdqBOD3Ng2tGWKYNJqlYgGbE/OdbjrKjd03
Ln1fRgZCtW1/Vr+tbixAEC7QBJPioSAPwYTM2Q==
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion ID="CC6xukdcP3heMrxBUaZsN_QAW38" IssueInstant="2018-06-01T23:24:09.584Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Issuer>https://devsaml.homedepot.com</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">dxo5ic1</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData Recipient="https://sascloud.homedepot.com/Shibboleth.sso/SAML2/POST" NotOnOrAfter="2018-06-01T23:39:09.584Z" InResponseTo="_919958a133397506a3ed0f7d5a9a6919"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2018-06-01T23:14:09.584Z" NotOnOrAfter="2018-06-01T23:39:09.584Z"><saml:AudienceRestriction><saml:Audience>https://sascloud.homedepot.com/shibboleth</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement SessionIndex="CC6xukdcP3heMrxBUaZsN_QAW38" AuthnInstant="2018-06-01T23:24:09.584Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>
2018-06-01 19:24:09 WARN Shibboleth.AttributeResolver.Query [3]: no SAML 2 AttributeAuthority role found in metadata
2018-06-01 19:24:09 INFO Shibboleth.SessionCache [3]: new session created: ID (_53ac1bab9c3efca559d3f5ff7b81dcce) IdP (https://devsaml.homedepot.com) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (130.211.3.197)
2018-06-01 19:24:09 INFO Shibboleth.SessionCache [1]: removed session (_53ac1bab9c3efca559d3f5ff7b81dcce)
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://sascloud.homedepot.com/Shibboleth.sso/SAML2/POST" Destination="https://thdsaml-qa.homedepot.com/idp/SSO.saml2" ID="_4395dc36d7dd554a2347b4dd8e1014ff" IssueInstant="2018-06-01T23:24:09Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sascloud.homedepot.com/shibboleth</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>
[root@sas-mao-midtier shibboleth]#





-----Original Message-----
From: users <[hidden email]> On Behalf Of O'Quinn, Dennis
Sent: Friday, June 1, 2018 7:11 PM
To: Shib Users <[hidden email]>
Subject: RE: [EXTERNAL] Re: Logon is looping after apparent successful authentication.

Hi Scott, thank you for your continued (and fast) responses.

Sorry, I did not get what you were...  no clustering...  I am only saying that as I look in the chrome dev tools network trace data, I am seeing 'cookies' represented on the 3 network trace 'entry names' I mentioned... That is all that is in the network trace due to the looping.

The setup is:
-> A corporate network where the PingIdentity IdP is hosted.
-> There is a Google Cloud Load Balancer with a front end facing this corporate network listening on port 443.
-> The DNS name for this LB front end is sascloud.homedepot.com (note: the LB reference is not significant, it is only serving as the gateway into the cloud and has only 1 node in its 'pool' (i.e., the SAS Web Server)).
-> The LB back end (i.e., inside GCP) points to the SAS Web Server (Linux/Apache 2.4/Shibboleth 2.6.1) where the SP function is hosted.  The host name of the SAS Web Server in GCP is sas-mao-midtier.<GCP Domain> and it is listening on port 8343.
-> Both the front-end and the backend connections for the LB are HTTPS .
-> The URLs in the SP Metadata provided to the IdP are all prefixed as "https://sascloud.homedepot.com/".
-> The ServerName directive in the httpd-ssl.conf file on the SAS Web
-> Server is set to sascloud.homedepot.com and a ServerAlias is defined
-> for sas-mao-midtier.<GCP Domain>:8343

The login seems to be working fine.

One possible complication here is that we are doing 2 factor authentication at the IdP, so, the user is first prompted to authenticate using an ID/RSA Token, and then the user is prompted to authenticate again using an ID/PSW that is authenticated via LDAPS.

I do not believe the 2FA is a problem though since we were also looping when doing the RSA token only.  I only mention it to be complete.


Questions:
Would I find the information I need to debug this in the shibd_warm.log or the shibd.log or the native(or native_warn).log?

NOTE: I believe I have all of the debug settings enabled in the shibboleth log config files in /etc/shibboleth, so, I am getting a copious amount of information in my logs.

I apologize if I am missing something obvious, but, I am still getting my head around Shibboleth and SAML, so, there are (apparently) quite a few things that I don't know or completely understand yet.


Thanks much, Dennis

-----Original Message-----
From: users <[hidden email]> On Behalf Of Cantor, Scott
Sent: Friday, June 1, 2018 6:10 PM
To: Shib Users <[hidden email]>
Subject: RE: [EXTERNAL] Re: Logon is looping after apparent successful authentication.

> I can ‘view’ the cookies in Chrome, and am using the dev tools in
> chrome plus a SAML tracer, but, that doesn’t tell me what is ‘bad’
> about the cookies.  I see that on the POST, my app URL, and the
> SSO.saml2?SAMLRequest named entries in the Network Trace data all have the same cookie.

That’s impossible so you're not looking at the right cookies. Two different servers don't share cookies in these exchanges.

POST -> Set-Cookie header from the SP with shibsession in the name.
Redirect -> Get -> send Cookie header back to the SP

There is no way that's happening. Or you have logs somewhere indicating it invalidated the session because even if it did happen the IP address flipped or something else is wrong.

Perhaps you have clustered this across servers with no regard for the fact that that simply doesn't work, the cache is in memory.

-- Scott

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

RE: [EXTERNAL] Re: Logon is looping after apparent successful authentication.

Cantor, Scott E.
In reply to this post by O'Quinn, Dennis
> Sorry, I did not get what you were...  no clustering...

Sessions live in memory inside the shibd process, so deploy two servers, client switches servers, you're done. Basic stuff. When it happens predictably and repeatedly you get looping. It's not typical since client affinity even without stickiness is rarely that repeatably consistent alternating servers.

> I am only saying that as I
> look in the chrome dev tools network trace data, I am seeing 'cookies'
> represented on the 3 network trace 'entry names' I mentioned... That is all that
> is in the network trace due to the looping.

There are cookies everywhere, from everything, in every request. That doesn't matter. The only cookie that matters is the one issued by the SP for the session from the SAML response submission and whether it's returned afterward and whether it's honored if it is. It has shibsession in the name, as I said already.

> The login seems to be working fine.
> One possible complication here is that we are doing 2 factor authentication at

The IdP has nothing to do with a loop.

> Would I find the information I need to debug this in the shibd_warm.log or the
> shibd.log or the native(or native_warn).log?

native.log probably if it's a session invalidation issue because of IP address float or if there's proof it can't find the corresponding session from the cookie for some reason, but if the cookie's just not sent, then the log won't say much of anything since it doesn't believe the client has a session at all.

Most important information is in shibd.log but simple session cookie failures are too shallow to make a dent that far into the system.

> I apologize if I am missing something obvious, but, I am still getting my head
> around Shibboleth and SAML, so, there are (apparently) quite a few things that
> I don't know or completely understand yet.

Nobody but you or somebody else with access can easily diagnose a loop, so you are going to be stuck until you develop the understanding needed to debug it, or hit up somebody who does. That's just the fact of the matter. It's trivial for anybody with experience in SSO loops to diagnose them in virtually every case and everybody else tends to have no idea what to do.

-- Scott


RE: [EXTERNAL] Re: Logon is looping after apparent successful authentication.

Cantor, Scott E.
In reply to this post by O'Quinn, Dennis
> 2018-06-01 19:24:09 INFO Shibboleth.SessionCache [3]: new session created: ID (_53ac1bab9c3efca559d3f5ff7b81dcce) IdP
> (https://devsaml.homedepot.com) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (130.211.3.197)

> 2018-06-01 19:24:09 INFO Shibboleth.SessionCache [1]: removed session
> (_53ac1bab9c3efca559d3f5ff7b81dcce)

That's deeply suspicious. It screams "IP address change" so native.log should explain why it's asking to invalidate the session it literally just created a millisecond before.

That isn't consistent with a cookie problem and the only thing it is consistent with is client addresses changing.

-- Scott


RE: [EXTERNAL] Re: Logon is looping after apparent successful authentication.

O'Quinn, Dennis
Interesting, I believe they are load balancing multiple IdP servers behind a LB, are you saying the IdP changed an IP address?  Note the IP addresses and timestamps below...  Those within the same minute are, of course, the same login attempt....

2018-06-01 19:24:05 INFO Shibboleth.SessionCache [3]: new session created: ID (_92085e8ccf790e5f7646ef58878446d8) IdP (https://devsaml.homedepot.com) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (130.211.3.197)
2018-06-01 19:24:05 INFO Shibboleth.SessionCache [4]: removed session (_92085e8ccf790e5f7646ef58878446d8)
2018-06-01 19:24:07 INFO Shibboleth.SessionCache [1]: new session created: ID (_6b8bdc09d01b11e21b75427b68a5e713) IdP (https://devsaml.homedepot.com) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (130.211.3.168)
2018-06-01 19:24:07 INFO Shibboleth.SessionCache [2]: removed session (_6b8bdc09d01b11e21b75427b68a5e713)
2018-06-01 19:24:08 INFO Shibboleth.SessionCache [3]: new session created: ID (_976031c307ebce747c851d1dc07173ad) IdP (https://devsaml.homedepot.com) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (130.211.2.221)
2018-06-01 19:24:08 INFO Shibboleth.SessionCache [4]: removed session (_976031c307ebce747c851d1dc07173ad)
2018-06-01 19:24:09 INFO Shibboleth.SessionCache [3]: new session created: ID (_53ac1bab9c3efca559d3f5ff7b81dcce) IdP (https://devsaml.homedepot.com) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (130.211.3.197)
2018-06-01 19:24:09 INFO Shibboleth.SessionCache [1]: removed session (_53ac1bab9c3efca559d3f5ff7b81dcce)

2018-06-01 20:21:13 INFO Shibboleth.SessionCache [1]: new session created: ID (_00e41e542ef70a86e8272d523b79eaa8) IdP (https://devsaml.homedepot.com) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (130.211.1.52)
2018-06-01 20:21:13 INFO Shibboleth.SessionCache [2]: removed session (_00e41e542ef70a86e8272d523b79eaa8)
2018-06-01 20:21:15 INFO Shibboleth.SessionCache [3]: new session created: ID (_b38fba3119e04194e24e063d252b58f2) IdP (https://devsaml.homedepot.com) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (130.211.1.77)
2018-06-01 20:21:15 INFO Shibboleth.SessionCache [4]: removed session (_b38fba3119e04194e24e063d252b58f2)
2018-06-01 20:21:16 INFO Shibboleth.SessionCache [1]: new session created: ID (_c90112f37dbecbdd0db67d57b3e9933d) IdP (https://devsaml.homedepot.com) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (130.211.1.158)
2018-06-01 20:21:16 INFO Shibboleth.SessionCache [2]: removed session (_c90112f37dbecbdd0db67d57b3e9933d)
2018-06-01 20:21:17 INFO Shibboleth.SessionCache [3]: new session created: ID (_3d1516f52aa8b605a7abe79350b99192) IdP (https://devsaml.homedepot.com) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (130.211.1.97)
2018-06-01 20:21:17 INFO Shibboleth.SessionCache [4]: removed session (_3d1516f52aa8b605a7abe79350b99192)
2018-06-01 20:21:19 INFO Shibboleth.SessionCache [1]: new session created: ID (_4cd8d294c82fe94b574ec6afaeed42cd) IdP (https://devsaml.homedepot.com) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (130.211.2.178)
2018-06-01 20:21:19 INFO Shibboleth.SessionCache [2]: removed session (_4cd8d294c82fe94b574ec6afaeed42cd)
2018-06-01 20:21:21 INFO Shibboleth.SessionCache [3]: new session created: ID (_56f2376e9b216b7eb36f4f5f0c7c2bd5) IdP (https://devsaml.homedepot.com) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (130.211.1.118)
2018-06-01 20:21:21 INFO Shibboleth.SessionCache [4]: removed session (_56f2376e9b216b7eb36f4f5f0c7c2bd5)
2018-06-01 20:21:22 INFO Shibboleth.SessionCache [1]: new session created: ID (_7f98aac672ba0c80961846a19d6a9d5c) IdP (https://devsaml.homedepot.com) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (130.211.3.164)
2018-06-01 20:21:22 INFO Shibboleth.SessionCache [2]: removed session (_7f98aac672ba0c80961846a19d6a9d5c)

D

Dennis O'Quinn | EDW Infrastructure Engineering | NAE115H @ 2250 MTC
The Home Depot | Marietta Technology Center | 2250 Newmarket Parkway | Marietta, GA  30067
M: Direct: 470.689.4513 | Cell: 470.658.1183 | Internal: 24513
e: [hidden email]

-----Original Message-----
From: users <[hidden email]> On Behalf Of Cantor, Scott
Sent: Friday, June 1, 2018 7:50 PM
To: Shib Users <[hidden email]>
Subject: RE: [EXTERNAL] Re: Logon is looping after apparent successful authentication.

> 2018-06-01 19:24:09 INFO Shibboleth.SessionCache [3]: new session created: ID (_53ac1bab9c3efca559d3f5ff7b81dcce) IdP
> (https://devsaml.homedepot.com) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (130.211.3.197)

> 2018-06-01 19:24:09 INFO Shibboleth.SessionCache [1]: removed session
> (_53ac1bab9c3efca559d3f5ff7b81dcce)

That's deeply suspicious. It screams "IP address change" so native.log should explain why it's asking to invalidate the session it literally just created a millisecond before.

That isn't consistent with a cookie problem and the only thing it is consistent with is client addresses changing.

-- Scott

RE: [EXTERNAL] Re: Logon is looping after apparent successful authentication.

Cantor, Scott E.
> Interesting, I believe they are load balancing multiple IdP servers behind a LB,
> are you saying the IdP changed an IP address?

If you re-read my previous response you'll see that I stipulated it is impossible for the IdP to have anything to do with a loop.

> Note the IP addresses and
> timestamps below...  Those within the same minute are, of course, the same
> login attempt....

And why are they different? That's almost certainly your issue.

-- Scott


RE: [EXTERNAL] Re: Logon is looping after apparent successful authentication.

O'Quinn, Dennis
Hi Scott, Thank you very much for the weekend response...

RE: my comments;  I was noting that the IP Addr of the IdP (devsaml....) was different for each of those sessions.  I have no idea why the SP (?) is having a problem and attempting to open those sessions.  I do not see anything of interest in the shibd/shibd_warn logs and nothing is being posted to the native SP logs in /var/log/shibboleth-www...

I have seen your comment below (in several forms)....
> It remains the case that your cookies are at fault. That is always the
> cause of a loop. Session issued, cookie set, cookie not returned, loop.

But, I have no idea how to detect or diagnose my cookie issue if that is what it is...

I have full debug enabled, so, I have a ton of data being produced, but, nothing jumps out as the 'problem' other than it goes into the looping behavior once the authentication is successful....

In the transaction log (see below), I see the posted msgs start to roll after the 2nd authentication (again, we are prompted by the IdP for 1. RSA, and then 2. LDAP)...

In the below, see the session ID changing, I see the IP Addr for the IdP changing....  But I don't know what is causing that or if it is anything more than just an indicator that there's a problem...

One thing of interest I see in the transaction log is that it is 'caching the following attributes with session (ID:...) for( applicationId: default)'...  but, it does not list any attributes...

I'm sorry, but, this is our *first* shibboleth/SAML implementation, so, we have no experience nor other systems to compare this with.  I can only say that I got a session going with testshib.org I think.  It did not get this far because it could not resolve the final URL back into our network, so, I do not know if it would have looped or not.

Again, any guidance would be greatly appreciated...

Transaction Log excerpt:
2018-06-03 19:15:05 INFO Shibboleth-TRANSACTION [2]: New session (ID: _7613e484b3a0f2561b7c5a3799d88c0f) with (applicationId: default) for principal from (IdP: https://devsaml.homedepot.com) at (ClientAddress: 130.211.3.141) with (NameIdentifier: dxo5ic1) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: dRuZt6OKjpXBTsMCTG5mvwNtgLR)
2018-06-03 19:15:05 INFO Shibboleth-TRANSACTION [2]: Cached the following attributes with session (ID: _7613e484b3a0f2561b7c5a3799d88c0f) for (applicationId: default) {
2018-06-03 19:15:05 INFO Shibboleth-TRANSACTION [2]: }
2018-06-03 19:15:06 INFO Shibboleth-TRANSACTION [4]: New session (ID: _39b36dd19f021e007d2340ef001bce7c) with (applicationId: default) for principal from (IdP: https://devsaml.homedepot.com) at (ClientAddress: 130.211.1.52) with (NameIdentifier: dxo5ic1) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: RUPoIRJ0xAOCO__WF0NU3g0yQ9.)
2018-06-03 19:15:06 INFO Shibboleth-TRANSACTION [4]: Cached the following attributes with session (ID: _39b36dd19f021e007d2340ef001bce7c) for (applicationId: default) {
2018-06-03 19:15:06 INFO Shibboleth-TRANSACTION [4]: }
2018-06-03 19:15:07 INFO Shibboleth-TRANSACTION [2]: New session (ID: _6930a2a65f4a30128a915443e160aaa5) with (applicationId: default) for principal from (IdP: https://devsaml.homedepot.com) at (ClientAddress: 130.211.1.97) with (NameIdentifier: dxo5ic1) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: sB4_V-2cXgHcCd.KXZrlve3T_vK)
2018-06-03 19:15:07 INFO Shibboleth-TRANSACTION [2]: Cached the following attributes with session (ID: _6930a2a65f4a30128a915443e160aaa5) for (applicationId: default) {
2018-06-03 19:15:07 INFO Shibboleth-TRANSACTION [2]: }
2018-06-03 19:15:08 INFO Shibboleth-TRANSACTION [4]: New session (ID: _a1740b275ae1bba6ed079f1cc4103038) with (applicationId: default) for principal from (IdP: https://devsaml.homedepot.com) at (ClientAddress: 130.211.1.64) with (NameIdentifier: dxo5ic1) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: VA1.Q_O5BUjnV8WYEpVGfThk9qv)
2018-06-03 19:15:08 INFO Shibboleth-TRANSACTION [4]: Cached the following attributes with session (ID: _a1740b275ae1bba6ed079f1cc4103038) for (applicationId: default) {
2018-06-03 19:15:08 INFO Shibboleth-TRANSACTION [4]: }


-----Original Message-----
From: users <[hidden email]> On Behalf Of Cantor, Scott
Sent: Sunday, June 3, 2018 1:26 PM
To: Shib Users <[hidden email]>
Subject: RE: [EXTERNAL] Re: Logon is looping after apparent successful authentication.

> Interesting, I believe they are load balancing multiple IdP servers
> behind a LB, are you saying the IdP changed an IP address?

If you re-read my previous response you'll see that I stipulated it is impossible for the IdP to have anything to do with a loop.

> Note the IP addresses and
> timestamps below...  Those within the same minute are, of course, the
> same login attempt....

And why are they different? That's almost certainly your issue.

-- Scott


RE: [EXTERNAL] Re: Logon is looping after apparent successful authentication.

Cantor, Scott E.
> RE: my comments;  I was noting that the IP Addr of the IdP (devsaml....) was
> different for each of those sessions.

No, that's the client's address and it shouldn't be changing if you have one client at a time testing.

> I have no idea why the SP (?) is having a
> problem and attempting to open those sessions.  I do not see anything of
> interest in the shibd/shibd_warn logs and nothing is being posted to the native
> SP logs in /var/log/shibboleth-www...

That's impossible, so I imagine you have permission errors preventing Apache from getting anything into the log. The Apache log might have some of the information needed.

> One thing of interest I see in the transaction log is that it is 'caching the
> following attributes with session (ID:...) for( applicationId: default)'...  but, it
> does not list any attributes...

Then you are getting, or mapping in, no attributes. Doesn't cause a loop.

> Again, any guidance would be greatly appreciated...

I told you, I think it's the address changing, invalidating the messages. I don't think it's a cookie issue, the log shows it removing a session that it could only have identified by accessing the cookie in the first place.

-- Scott
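Scott's reading of the SessionCache lines (a session created and removed within the same second, with a different client address on every request of one login attempt) can be checked mechanically. The script below is an added example, not code from the thread or from the Shibboleth project: it parses shibd.log SessionCache lines in the format quoted above, groups them into login attempts, and labels each burst; the log sample, the IdP name idp.example.org, the session IDs and the client addresses are all constructed, and the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample in the shibd.log SessionCache format quoted in the thread.
# Session IDs, IdP name and client addresses are made up (RFC 5737 ranges), not real data.
SAMPLE_LOG = """\
2018-06-01 19:24:05 INFO Shibboleth.SessionCache [3]: new session created: ID (_a1) IdP (https://idp.example.org) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (192.0.2.10)
2018-06-01 19:24:05 INFO Shibboleth.SessionCache [4]: removed session (_a1)
2018-06-01 19:24:07 INFO Shibboleth.SessionCache [1]: new session created: ID (_a2) IdP (https://idp.example.org) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (192.0.2.11)
2018-06-01 19:24:07 INFO Shibboleth.SessionCache [2]: removed session (_a2)
2018-06-01 19:24:08 INFO Shibboleth.SessionCache [3]: new session created: ID (_a3) IdP (https://idp.example.org) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (192.0.2.12)
2018-06-01 19:24:08 INFO Shibboleth.SessionCache [4]: removed session (_a3)
2018-06-01 20:30:00 INFO Shibboleth.SessionCache [1]: new session created: ID (_b1) IdP (https://idp.example.org) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (198.51.100.7)
2018-06-01 21:30:00 INFO Shibboleth.SessionCache [2]: removed session (_b1)
2018-06-01 22:00:01 INFO Shibboleth.SessionCache [1]: new session created: ID (_c1) IdP (https://idp.example.org) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (203.0.113.5)
2018-06-01 22:00:03 INFO Shibboleth.SessionCache [3]: new session created: ID (_c2) IdP (https://idp.example.org) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (203.0.113.5)
2018-06-01 22:00:05 INFO Shibboleth.SessionCache [1]: new session created: ID (_c3) IdP (https://idp.example.org) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (203.0.113.5)
"""

TS = "%Y-%m-%d %H:%M:%S"
CREATED = re.compile(r"^(\S+ \S+) INFO Shibboleth\.SessionCache \[\d+\]: "
                     r"new session created: ID \((\S+)\).*Address \((\S+)\)\s*$")
REMOVED = re.compile(r"^(\S+ \S+) INFO Shibboleth\.SessionCache \[\d+\]: "
                     r"removed session \((\S+)\)\s*$")


def parse_sessions(text):
    """Return sessions in creation order as dicts: id, created, address, removed (or None)."""
    sessions, by_id = [], {}
    for line in text.splitlines():
        m = CREATED.match(line)
        if m:
            s = {"id": m.group(2), "created": datetime.strptime(m.group(1), TS),
                 "address": m.group(3), "removed": None}
            sessions.append(s)
            by_id[s["id"]] = s
            continue
        m = REMOVED.match(line)
        if m and m.group(2) in by_id:
            by_id[m.group(2)]["removed"] = datetime.strptime(m.group(1), TS)
    return sessions


def classify_attempt(attempt, max_life):
    """One login attempt = a burst of sessions; decide what the burst looks like."""
    addresses = sorted({s["address"] for s in attempt})
    short = [s for s in attempt if s["removed"] is not None
             and (s["removed"] - s["created"]).total_seconds() <= max_life]
    if len(attempt) == 1:
        verdict = "normal"                    # one session per login, as it should be
    elif len(short) >= 2 and len(addresses) > 1:
        verdict = "address-change"            # SP found the session via the cookie, then
                                              # dropped it: the client address differs per request
    elif len(short) >= 2:
        verdict = "immediate-invalidation"    # same address each time: native.log has the reason
    else:
        verdict = "cookie-not-returned"       # sessions pile up unremoved: SP never sees its cookie
    return {"start": attempt[0]["created"].strftime(TS), "sessions": len(attempt),
            "addresses": addresses, "short_lived": len(short), "verdict": verdict}


def diagnose(text, window=60, max_life=2):
    """Group sessions into attempts (gap <= window seconds) and classify each attempt."""
    findings, attempt = [], []
    for s in parse_sessions(text) + [None]:          # None flushes the last attempt
        if s is not None and (not attempt or
                              (s["created"] - attempt[-1]["created"]).total_seconds() <= window):
            attempt.append(s)
            continue
        if attempt:
            findings.append(classify_attempt(attempt, max_life))
        attempt = [s] if s is not None else []
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

An "address-change" verdict points at the path between browser and SP (here the GCP load balancer) presenting a different source address on successive requests; the SP's per-request address comparison is the consistentAddress setting on the <Sessions> element of shibboleth2.xml, and making the proxy present a stable client address is a better fix than switching that check off.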
