Error in Shibboleth login from mobile devices

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

Error in Shibboleth login from mobile devices

Aseem Keskar
Hello Team,

We have implemented Shibboleth SSO login in our mobile application. Our mobile application has been built on IONIC3.

We are frequently facing issue on Shibboleth login for mobile devices where sometime it redirects to error (find the attached error screenshots) and sometime it works fine without any error. Shibboleth login for mobile device is not working consistently.

We are facing this issue in iOS device more frequently (this error appears 1 or 2 times out of 4-5 login attempts). For Android device, it is not coming so frequently like iOS (for Android error appears 1 or 2 times out of 14-15 login attempts).

We found the following error in the log file from IdP server.

[net.shibboleth.ext.spring.error.ExtendedMappingExceptionResolver:136] - Resolved [org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s2' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.] to ModelAndView: reference to view with name 'error'.

Kindly help us to find root cause of this error and provide some solution for the same?

Thanks and regards,
Aseem Keskar
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

error-screen.jpg (55K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Error in Shibboleth login from mobile devices

Nate Klingenstein-5
Aseem,

Strictly speaking, that means the IdP was attempting to continue some flow(usually login) but was unable to do so.  It's usually the back button, but that's obviously unlikely here.

I would like an example of the HTTPS traffic on a working transaction and an example of a failing transaction.  All you really know from the the server side is that it's trying to continue a webflow that is invalid.

This could be a hard fix, depending on what's happening.

Take care,
Nate.

On Nov 15, 2019 8:46 PM, Aseem Keskar <[hidden email]> wrote:

Hello Team,

We have implemented Shibboleth SSO login in our mobile application. Our mobile application has been built on IONIC3.

We are frequently facing issue on Shibboleth login for mobile devices where sometime it redirects to error (find the attached error screenshots) and sometime it works fine without any error. Shibboleth login for mobile device is not working consistently.

We are facing this issue in iOS device more frequently (this error appears 1 or 2 times out of 4-5 login attempts). For Android device, it is not coming so frequently like iOS (for Android error appears 1 or 2 times out of 14-15 login attempts).

We found the following error in the log file from IdP server.

[net.shibboleth.ext.spring.error.ExtendedMappingExceptionResolver:136] - Resolved [org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s2' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.] to ModelAndView: reference to view with name 'error'.

Kindly help us to find root cause of this error and provide some solution for the same?

Thanks and regards,
Aseem Keskar--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]



--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Error in Shibboleth login from mobile devices

Nate Klingenstein-5
Pardon me, that should read from the Shibboleth server, e.g. IdP.  Either end should be able to display the raw traffic.

Sorry. Internet outage here and I'm ironically bad with phones.

On Nov 15, 2019 10:19 PM, Nate Klingenstein <[hidden email]> wrote:


Aseem,

Strictly speaking, that means the IdP was attempting to continue some flow(usually login) but was unable to do so.  It's usually the back button, but that's obviously unlikely here.

I would like an example of the HTTPS traffic on a working transaction and an example of a failing transaction.  All you really know from the the server side is that it's trying to continue a webflow that is invalid.

This could be a hard fix, depending on what's happening.

Take care,
Nate.

On Nov 15, 2019 8:46 PM, Aseem Keskar <[hidden email]> wrote:

Hello Team,

We have implemented Shibboleth SSO login in our mobile application. Our mobile application has been built on IONIC3.

We are frequently facing issue on Shibboleth login for mobile devices where sometime it redirects to error (find the attached error screenshots) and sometime it works fine without any error. Shibboleth login for mobile device is not working consistently.

We are facing this issue in iOS device more frequently (this error appears 1 or 2 times out of 4-5 login attempts). For Android device, it is not coming so frequently like iOS (for Android error appears 1 or 2 times out of 14-15 login attempts).

We found the following error in the log file from IdP server.

[net.shibboleth.ext.spring.error.ExtendedMappingExceptionResolver:136] - Resolved [org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s2' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.] to ModelAndView: reference to view with name 'error'.

Kindly help us to find root cause of this error and provide some solution for the same?

Thanks and regards,
Aseem Keskar--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]


-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Error in Shibboleth login from mobile devices

Aseem Keskar
Hi Nate,

We appreciate your prompt reply.

Please find the attached log file which contains the HTTPS traffic for working transactions and failing transaction.

We have taken this log from IdP server.

Kindly review and advice. Thanks for your assistance.

Thanks and regards,
Aseem Keskar


From: Nate Klingenstein <[hidden email]>
Sent: Saturday, November 16, 2019 12:00:37 PM
To: Aseem Keskar
Cc: Chetan Chaudhari; Rupesh Kale; Nilesh Raut; [hidden email]; Jyoti Sawant; Pravin Ingale
Subject: Re: Error in Shibboleth login from mobile devices
 
External Email: This email has not originated from WNS. Do not click on attachment or links/URL unless sender is reliable. Malware/ Viruses can be easily transmitted via email and also lead to a Phishing compromise.


Pardon me, that should read from the Shibboleth server, e.g. IdP.  Either end should be able to display the raw traffic.

Sorry. Internet outage here and I'm ironically bad with phones.

On Nov 15, 2019 10:19 PM, Nate Klingenstein <[hidden email]> wrote:


Aseem,

Strictly speaking, that means the IdP was attempting to continue some flow(usually login) but was unable to do so.  It's usually the back button, but that's obviously unlikely here.

I would like an example of the HTTPS traffic on a working transaction and an example of a failing transaction.  All you really know from the the server side is that it's trying to continue a webflow that is invalid.

This could be a hard fix, depending on what's happening.

Take care,
Nate.

On Nov 15, 2019 8:46 PM, Aseem Keskar <[hidden email]> wrote:

Hello Team,

We have implemented Shibboleth SSO login in our mobile application. Our mobile application has been built on IONIC3.

We are frequently facing issue on Shibboleth login for mobile devices where sometime it redirects to error (find the attached error screenshots) and sometime it works fine without any error. Shibboleth login for mobile device is not working consistently.

We are facing this issue in iOS device more frequently (this error appears 1 or 2 times out of 4-5 login attempts). For Android device, it is not coming so frequently like iOS (for Android error appears 1 or 2 times out of 14-15 login attempts).

We found the following error in the log file from IdP server.

[net.shibboleth.ext.spring.error.ExtendedMappingExceptionResolver:136] - Resolved [org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s2' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.] to ModelAndView: reference to view with name 'error'.

Kindly help us to find root cause of this error and provide some solution for the same?

Thanks and regards,
Aseem Keskar--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]


-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

logs_sample (1).txt (10K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Error in Shibboleth login from mobile devices

Cantor, Scott E.
On 11/16/19, 8:55 AM, "users on behalf of Aseem Keskar" <[hidden email] on behalf of [hidden email]> wrote:

> Please find the attached log file which contains the HTTPS traffic for working transactions and failing transaction.

No, it doesn't. That is an IdP log, not an HTTP trace.

Your client is buggy. It's not handling redirects, cookies, and /or query strings properly and failing to interact with the web server in a conformant way. That's it.

My guess is cookies, probably. Without the right JSESSIONID cookie sent back up, the flow's not going to resume and that's the eror it will log.

-- Scott


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Error in Shibboleth login from mobile devices

Cantor, Scott E.
Another possibility is the mobile client losing affinity with the same IdP server behind a load balancer, which could be a similar cookie bug on the part of the client, or a problem with a load balancer.

-- Scott


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Error in Shibboleth login from mobile devices

Aseem Keskar
Hi Nate and Scott,

Thank you for assistance and help here.

I apologize for the confusion here. We will get the HTTPS traffic logs for working and failing transactions from IdP server. We will share the same with you for your review within one or two days. We will also compare the both the logs from our end.

For our current setup, I can see that SAML request is being sent to Shibboleth so "mobile client losing affinity with the same IdP server" is not the case here.

Also, as we are trying this on fresh browser after deleting cookies, there won't be any existing JSESSIONID cookie. So as per our understanding, browser does not have to sent JSESSIONID during the request on fresh browser.

Kindly provide your valuable feedback here.

Thanks and regards,
Aseem Keskar

From: users <[hidden email]> on behalf of Cantor, Scott <[hidden email]>
Sent: Sunday, November 17, 2019 9:31:08 AM
To: Shib Users
Subject: Re: Error in Shibboleth login from mobile devices
 
External Email: This email has not originated from WNS. Do not click on attachment or links/URL unless sender is reliable. Malware/ Viruses can be easily transmitted via email and also lead to a Phishing compromise.



Another possibility is the mobile client losing affinity with the same IdP server behind a load balancer, which could be a similar cookie bug on the part of the client, or a problem with a load balancer.

-- Scott


--
For Consortium Member technical support, see https://secure-web.cisco.com/10a4SS4xHfwWCQTJV8kwlBuojvXM_fhh3VWHNIkqLVBu-UPeIHm_XL12FCK9KYPp3NWNZ2zBkjCDJZZcUyzey6mFy0HpjF0p7UAatcGowz3m43zdz_6dyfqwP6CXtw0Gt_fgjMriat8P6VP2j8hyLPnl4lIiAFbXWCfIvesTkJlqY9FUH7sJj6KAw2N9x5L53uuR_OLrlDYAHicwySg8jPKBA1jIan2-AIpZDjn2L53xP7QRomLLeEFq02zXmeCf8JcO5Y_azvfwo4kf3CpQwxUSlN8TE29lqL5YX8Gd8U03VBbdiogOpGYYAQWT_8L8QfAcTJLvR5BSh4hMMYXnS4g/https%3A%2F%2Fwiki.shibboleth.net%2Fconfluence%2Fx%2FcoFAAg
To unsubscribe from this list send an email to [hidden email]


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Error in Shibboleth login from mobile devices

Cantor, Scott E.
On 11/18/19, 1:36 PM, "users on behalf of Aseem Keskar" <[hidden email] on behalf of [hidden email]> wrote:

> For our current setup, I can see that SAML request is being sent to Shibboleth so "mobile client losing affinity with the
> same IdP server" is not the case here.

There had better be exactly one server possible, or you're not really sure of anything, and I doubt there's only one server deployed.

> Also, as we are trying this on fresh browser after deleting cookies, there won't be any existing JSESSIONID cookie. So
> as per our understanding, browser does not have to sent JSESSIONID during the request on fresh browser.

That's not when the error is happening, the problem is on subsequent requests during that conversation.

-- Scott


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: Error in Shibboleth login from mobile devices

Aseem Keskar
In reply to this post by Nate Klingenstein-5

Hi Nate,

 

We have tried to find the HTTPS traffic details from the IdP server but unable to find this details.

Server Configuration

IdP Server – Unix OS and Jetty Server. (Unable to find the Https traffic details. Will the Jetty log will help here?)

SP Server – Windows R2 2016 and IIS web server

 

How can we find the exact HTTPS traffic / HTTP Request headers for working transaction and for failing transaction from the IdP server? Can you please provide some help here?

 

Thanks and Regards,

 

Aseem Keskar
Group Manager – IT - WNS Global Services (P) Ltd | www.wns.com

Gate No 4, Plant 10 / 11 Godrej & Boyce Complex, Pirojshanagar, LBS MargVikhroli (West)Mumbai,Maharashtra,

IP: 67219|Direct: | Mobile: +919004427356 | Email : [hidden email]

 

ONE WNS ONE GOAL    OUTPERFORM


cid:image8417a7.PNG@d98c7d79.4987f83e

cid:image8f23ab.PNG@468ef803.44bbb671

cid:image6d5015.PNG@8b84213d.4ea8155c

cid:image68db3b.PNG@fecf5268.4abca7d9

cid:imaged5e489.PNG@d3bf55d8.41922a6d

  Connect with WNS  

 

 

From: Nate Klingenstein <[hidden email]>
Sent: 16 November 2019 12:01
To: Aseem Keskar <[hidden email]>
Cc: Chetan Chaudhari <[hidden email]>; Rupesh Kale <[hidden email]>; Nilesh Raut <[hidden email]>; [hidden email]; Jyoti Sawant <[hidden email]>; Pravin Ingale <[hidden email]>
Subject: Re: Error in Shibboleth login from mobile devices

 

External Email: This email has not originated from WNS. Do not click on attachment or links/URL unless sender is reliable. Malware/ Viruses can be easily transmitted via email and also lead to a Phishing compromise.

 

Pardon me, that should read from the Shibboleth server, e.g. IdP.  Either end should be able to display the raw traffic.

 

Sorry. Internet outage here and I'm ironically bad with phones.

 

On Nov 15, 2019 10:19 PM, Nate Klingenstein <[hidden email]> wrote:

Aseem,

 

Strictly speaking, that means the IdP was attempting to continue some flow(usually login) but was unable to do so.  It's usually the back button, but that's obviously unlikely here.

 

I would like an example of the HTTPS traffic on a working transaction and an example of a failing transaction.  All you really know from the the server side is that it's trying to continue a webflow that is invalid.

 

This could be a hard fix, depending on what's happening.

 

Take care,

Nate.

 

On Nov 15, 2019 8:46 PM, Aseem Keskar <[hidden email]> wrote:

Hello Team,

We have implemented Shibboleth SSO login in our mobile application. Our mobile application has been built on IONIC3.

We are frequently facing issue on Shibboleth login for mobile devices where sometime it redirects to error (find the attached error screenshots) and sometime it works fine without any error. Shibboleth login for mobile device is not working consistently.

We are facing this issue in iOS device more frequently (this error appears 1 or 2 times out of 4-5 login attempts). For Android device, it is not coming so frequently like iOS (for Android error appears 1 or 2 times out of 14-15 login attempts).

We found the following error in the log file from IdP server.

[net.shibboleth.ext.spring.error.ExtendedMappingExceptionResolver:136] - Resolved [org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s2' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.] to ModelAndView: reference to view with name 'error'.

Kindly help us to find root cause of this error and provide some solution for the same?

Thanks and regards,
Aseem Keskar--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

 

-- 

For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg

To unsubscribe from this list send an email to [hidden email]

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: Error in Shibboleth login from mobile devices

Nate Klingenstein-5
Aseem,

The easiest way is with a tool like SAML tracer in Firefox or even just cURL on any Linux distribution.  Our company has been busy and we have to help paying customers first. We should be able to look more closely into this this weekend.

I'm sorry it's taken me so long,
Nate.

On Nov 26, 2019 5:29 AM, Aseem Keskar <[hidden email]> wrote:


Hi Nate,

 

We have tried to find the HTTPS traffic details from the IdP server but unable to find this details.

Server Configuration

IdP Server – Unix OS and Jetty Server. (Unable to find the Https traffic details. Will the Jetty log will help here?)

SP Server – Windows R2 2016 and IIS web server

 

How can we find the exact HTTPS traffic / HTTP Request headers for working transaction and for failing transaction from the IdP server? Can you please provide some help here?

 

Thanks and Regards,

 

Aseem Keskar
Group Manager – IT - WNS Global Services (P) Ltd | www.wns.com

Gate No 4, Plant 10 / 11 Godrej & Boyce Complex, Pirojshanagar, LBS MargVikhroli (West)Mumbai,Maharashtra,

IP: 67219|Direct: | Mobile: +919004427356 | Email : [hidden email]

 

ONE WNS ONE GOAL    OUTPERFORM


  Connect with WNS  

 

 

From: Nate Klingenstein <[hidden email]>
Sent: 16 November 2019 12:01
To: Aseem Keskar <[hidden email]>
Cc: Chetan Chaudhari <[hidden email]>; Rupesh Kale <[hidden email]>; Nilesh Raut <[hidden email]>; [hidden email]; Jyoti Sawant <[hidden email]>; Pravin Ingale <[hidden email]>
Subject: Re: Error in Shibboleth login from mobile devices

 

External Email: This email has not originated from WNS. Do not click on attachment or links/URL unless sender is reliable. Malware/ Viruses can be easily transmitted via email and also lead to a Phishing compromise.

 

Pardon me, that should read from the Shibboleth server, e.g. IdP.  Either end should be able to display the raw traffic.

 

Sorry. Internet outage here and I'm ironically bad with phones.

 

On Nov 15, 2019 10:19 PM, Nate Klingenstein <[hidden email]> wrote:

Aseem,

 

Strictly speaking, that means the IdP was attempting to continue some flow(usually login) but was unable to do so.  It's usually the back button, but that's obviously unlikely here.

 

I would like an example of the HTTPS traffic on a working transaction and an example of a failing transaction.  All you really know from the the server side is that it's trying to continue a webflow that is invalid.

 

This could be a hard fix, depending on what's happening.

 

Take care,

Nate.

 

On Nov 15, 2019 8:46 PM, Aseem Keskar <[hidden email]> wrote:

Hello Team,

We have implemented Shibboleth SSO login in our mobile application. Our mobile application has been built on IONIC3.

We are frequently facing issue on Shibboleth login for mobile devices where sometime it redirects to error (find the attached error screenshots) and sometime it works fine without any error. Shibboleth login for mobile device is not working consistently.

We are facing this issue in iOS device more frequently (this error appears 1 or 2 times out of 4-5 login attempts). For Android device, it is not coming so frequently like iOS (for Android error appears 1 or 2 times out of 14-15 login attempts).

We found the following error in the log file from IdP server.

[net.shibboleth.ext.spring.error.ExtendedMappingExceptionResolver:136] - Resolved [org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s2' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.] to ModelAndView: reference to view with name 'error'.

Kindly help us to find root cause of this error and provide some solution for the same?

Thanks and regards,
Aseem Keskar--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

 

-- 

For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg

To unsubscribe from this list send an email to [hidden email]

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]