SLO SessionNotFound


SLO SessionNotFound

Liam Hoekenga
In our effort to get off of our legacy SSO, we're experimenting with SLO (yay!).
We're currently using JPA session storage.

When an SLO request comes through, I see errors like:

2019-03-14 17:46:34,120 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.ProcessLogoutRequest:356] - xxx.xxx.xxx.xxx - Profile Action ProcessLogoutRequest: IdP session f0f1d32d607ab70fd5125374320f0470dc39cd8b12d47b4fc4e3413f2a7c516c does not contain a matching SP session
2019-03-14 17:46:34,120 - INFO [net.shibboleth.idp.saml.saml2.profile.impl.ProcessLogoutRequest:402] - xxx.xxx.xxx.xxx - Profile Action ProcessLogoutRequest: No active session(s) found matching LogoutRequest
2019-03-14 17:46:34,121 - DEBUG [org.springframework.webflow.execution.ActionExecutor:53] - xxx.xxx.xxx.xxx - Finished executing net.shibboleth.idp.saml.saml2.profile.impl.ProcessLogoutRequest@55b99cba; result = SessionNotFound

In the storage records table, I see a record with an id of _session and context "f0f1d32d607ab70fd5125374320f0470dc39cd8b12d47b4fc4e3413f2a7c516c" that appears to have a svcs record for the SP entityid in question.

I see another context f0f1d32d607ab70fd5125374320f0470dc39cd8b12d47b4fc4e3413f2a7c516c record with an id that matches the SP's entityid.

I see another context for the SP's entityid with an id of my principal name, and a value that contains f0f1d32d607ab70fd5125374320f0470dc39cd8b12d47b4fc4e3413f2a7c516c.

The entries in StorageRecords look to me like the appropriate data is there.  
What is it looking for that it can't find?

Liam

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

RE: SLO SessionNotFound

Cantor, Scott E.
> We're currently using JPA session storage.

Don't, unless you have some odd need for back channel logout and apps that would support it.

> What is it looking for that it can't find?

Probably a match on the NameID that isn't technically correct due to a broken app (if it's not a Shibboleth SP) but there's not enough here to conclude anything.

-- Scott

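As an added illustration (not Shibboleth IdP code, and not written by anyone in this thread), the Python below models the lookup that Scott's answer points at, run over the three kinds of StorageRecords rows Liam describes: the master _session row, the per-SP session row, and the index row keyed by the NameID value. The entityIDs, the principal name and the rule that the whole NameID (value, format and qualifiers) has to match once the index row has been found are assumptions; only the session id comes from the thread. It shows how the index row can look correct while the logout still ends in SessionNotFound.

```python
import json
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

# Constructed sample identifiers: only SESSION_ID appears in the thread.
SESSION_ID = "f0f1d32d607ab70fd5125374320f0470dc39cd8b12d47b4fc4e3413f2a7c516c"
IDP_ENTITY_ID = "https://idp.example.org/idp/shibboleth"  # assumed
SP_ENTITY_ID = "https://sp.example.org/shibboleth"        # assumed
PRINCIPAL = "jdoe"                                        # assumed
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


@dataclass(frozen=True)
class NameID:
    """The SAML NameID as issued to the SP: value plus format and qualifiers."""
    value: str
    format: str
    name_qualifier: Optional[str] = None
    sp_name_qualifier: Optional[str] = None


@dataclass
class StorageRecord:
    """One row of the StorageRecords table: (context, id) -> value."""
    context: str
    id: str
    value: str


def build_records(session_id: str, principal: str, sp: str, issued: NameID) -> List[StorageRecord]:
    """The three rows described in the thread for one SP session (modelled, not
    the IdP's real serialisation): master session, per-SP session, and the
    secondary index under the SP's entityID keyed by the NameID value."""
    return [
        StorageRecord(session_id, "_session", json.dumps({"princ": principal, "svcs": [sp]})),
        StorageRecord(session_id, sp, json.dumps(asdict(issued))),
        StorageRecord(sp, issued.value, session_id),
    ]


def lookup(records: List[StorageRecord], context: str, rid: str) -> Optional[StorageRecord]:
    """Fetch the row with this (context, id), or None when absent/expired."""
    return next((r for r in records if r.context == context and r.id == rid), None)


def resolve_logout(records: List[StorageRecord], sp: str, requested: NameID) -> Tuple[str, object]:
    """Resolve a LogoutRequest from `sp` carrying `requested` to active sessions.
    Returns ("Success", [session ids]) or ("SessionNotFound", reason)."""
    # Step 1: the index row only knows the NameID *value*.
    index = lookup(records, sp, requested.value)
    if index is None:
        return "SessionNotFound", f"no index entry for NameID value {requested.value!r} under {sp}"
    matched: List[str] = []
    reason = "index entry present but listed no sessions"
    for session_id in index.value.split(","):
        # Step 2: the master session must still exist (a stale index row is possible).
        if lookup(records, session_id, "_session") is None:
            reason = f"IdP session {session_id} has expired or was removed"
            continue
        # Step 3: the session must hold an SP session for this entityID ...
        sp_record = lookup(records, session_id, sp)
        if sp_record is None:
            reason = f"IdP session {session_id} does not contain a matching SP session"
            continue
        # ... and (assumed rule) the full NameID must match, not just its value.
        stored = NameID(**json.loads(sp_record.value))
        if stored != requested:
            reason = (f"IdP session {session_id} does not contain a matching SP session "
                      f"(stored {stored} vs requested {requested})")
            continue
        matched.append(session_id)
    return ("Success", matched) if matched else ("SessionNotFound", reason)


if __name__ == "__main__":
    issued = NameID(PRINCIPAL, FMT_UNSPECIFIED, IDP_ENTITY_ID, SP_ENTITY_ID)
    recs = build_records(SESSION_ID, PRINCIPAL, SP_ENTITY_ID, issued)
    print(resolve_logout(recs, SP_ENTITY_ID, issued))
    # An app that echoes only the value and drops the qualifiers: index hit, then mismatch.
    print(resolve_logout(recs, SP_ENTITY_ID, NameID(PRINCIPAL, FMT_UNSPECIFIED)))
    # An app that sends a different identifier altogether: no index row at all.
    print(resolve_logout(recs, SP_ENTITY_ID, NameID("jdoe@example.org", FMT_EMAIL)))
```

The second scenario is the one that produces a log line like the DEBUG message in the first post while the StorageRecords rows all look right: the index row under the SP's entityID is found by value, but the NameID in the LogoutRequest is not the same NameID that was issued. Comparing the LogoutRequest's NameID element against the one stored in the per-SP session row is the check to make before digging further.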

Re: SLO SessionNotFound

Takeshi NISHIMURA
Hi Liam,

> I see another context for the SP's entityid with an id of my principal name, and a value that contains f0f1d32d607ab70fd5125374320f0470dc39cd8b12d47b4fc4e3413f2a7c516c.

I happened to find that our records corresponding to what you described above contain Transient IDs in the id column.
Which version of Shibboleth IdP are you using?


BTW, idp.properties states:

> # Set to "shibboleth.StorageService" for server-side storage of user sessions
> #idp.session.StorageService = shibboleth.ClientSessionStorageService

but this instruction resulted in failure in my environment.
I cannot find how to make shibboleth.StorageService server-side. It seems to use memory storage by default.

Takeshi

On 2019/03/15 6:59, Liam Hoekenga wrote:

RE: SLO SessionNotFound

Cantor, Scott E.
> BTW, idp.properties states:
>
> > # Set to "shibboleth.StorageService" for server-side storage of user sessions
> > #idp.session.StorageService = shibboleth.ClientSessionStorageService

Yes, that's the default.

> but this instruction resulted in failure in my environment.
> I cannot find how to make shibboleth.StorageService server-side. It seems to
> use memory storage by default.

Memory would be server-side. shibboleth.StorageService is the bean for the default memory-only storage option that's not clusterable. The comment probably could note that I guess. But you can define your own storage service beans, then just set the various properties to reference that anyplace you want that bean used. There's really only one likely use case for server-side sessions, the ability to terminate an active session. We'll need to provide some user-level revocation features in V4 or V5.

-- Scott


Re: SLO SessionNotFound

Takeshi NISHIMURA
Oops. I misunderstood. Thanks Scott.

ref. https://wiki.shibboleth.net/confluence/display/IDP30/StorageConfiguration

Best regards,
Takeshi

> 2019/03/15 22:34、Cantor, Scott <[hidden email]> wrote:
