Error invoking Velocity template


dhina
We have a user who has an issue accessing services using Shibboleth IDP (3.1.x).
No other users have this issue. I don't see anything out of the ordinary in
Active Directory for this user.

The user is presented with the login screen and, after authentication, instead
of being redirected to the service, the user gets an error message from the IDP.
When I checked the logs, the LDAP bind works fine and the user was
authenticated successfully.
Here is the last part of the log where the error happens. Any pointers to
troubleshoot further are greatly appreciated.
-----------------------------------
2020-01-15 09:01:00,910 - DEBUG
[org.opensaml.saml.common.SAMLObjectContentReference:165] - Adding list of
inclusive namespaces for signature exclusive canonicalization transform
2020-01-15 09:01:00,920 - DEBUG
[net.shibboleth.idp.saml.profile.impl.SpringAwareMessageEncoderFactory:100]
- Looking up message encoder based on binding URI:
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2020-01-15 09:01:00,921 - DEBUG
[org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder:159] -
Invoking Velocity template to create POST body
2020-01-15 09:01:00,921 - DEBUG
[org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder:192] -
Encoding action url of
'https://adbe-gwu-dot-edu-fda6-prd.okta.com/auth/saml20/accauthlinktest'
with encoded value
'https://adbe-gwu-dot-edu-fda6-prd.okta.com/auth/saml20/accauthlinktest'
2020-01-15 09:01:00,922 - DEBUG
[org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder:198] -
Marshalling and Base64 encoding SAML message
2020-01-15 09:01:00,923 - WARN
[org.opensaml.saml.common.binding.SAMLBindingSupport:91] - Relay state
exceeds 80 bytes, some peers may not support this.
2020-01-15 09:01:00,923 - DEBUG
[org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder:220] -
Setting RelayState parameter to:
'%2Fapp%2Ftemplate_saml_2_0%2Fexk1ve1ymsCBKQpyp0x7%2Fsso%2Fsaml%3FRelayState%3D6f119eba-9cd8-439d-95a3-f58485136128',
encoded as
'%2Fapp%2Ftemplate_saml_2_0%2Fexk1ve1ymsCBKQpyp0x7%2Fsso%2Fsaml%3FRelayState%3D6f119eba-9cd8-439d-95a3-f58485136128'
2020-01-15 09:01:00,934 - ERROR
[org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder:175] - Error
invoking Velocity template
java.io.IOException: Response header too large
        at
org.eclipse.jetty.http.HttpGenerator.generateResponse(HttpGenerator.java:400)
Caused by: java.nio.BufferOverflowException: null
        at java.nio.Buffer.nextPutIndex(Buffer.java:521)
2020-01-15 09:01:00,942 - ERROR
[org.opensaml.profile.action.impl.EncodeMessage:154] - Profile Action
EncodeMessage: Unable to encode outbound response
org.opensaml.messaging.encoder.MessageEncodingException: Error creating
output document
        at
org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder.postEncode(HTTPPostEncoder.java:176)
Caused by: java.io.IOException: Response header too large
        at
org.eclipse.jetty.http.HttpGenerator.generateResponse(HttpGenerator.java:400)
Caused by: java.nio.BufferOverflowException: null
        at java.nio.Buffer.nextPutIndex(Buffer.java:521)
2020-01-15 09:01:00,946 - ERROR [java.lang.RuntimeException:76] -
java.lang.RuntimeException: java.lang.IllegalStateException: Exception
occurred rendering view
org.springframework.web.servlet.view.velocity.VelocityView: name 'error';
URL [error.vm]
        at
net.shibboleth.idp.profile.impl.RethrowingFlowExecutionExceptionHandler.handle(RethrowingFlowExecutionExceptionHandler.java:40)
Caused by: java.lang.IllegalStateException: Exception occurred rendering
view org.springframework.web.servlet.view.velocity.VelocityView: name
'error'; URL [error.vm]
        at
org.springframework.webflow.mvc.view.AbstractMvcView.render(AbstractMvcView.java:200)
Caused by: java.lang.IllegalStateException: STREAM
--------------------------------

Thanks,
-Dhina



--
Sent from: https://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: Error invoking Velocity template

Brent Putman


On 1/15/20 12:21 PM, dhina wrote:
> We have a user who has an issue accessing services using Shibboleth IDP (3.1.x).
> No other users have this issue. I don't see anything out of the ordinary in
> Active Directory for this user.

The error is puzzling, I don't personally off-hand remember anything like it.  But the first thing to do is get your IdP updated to a supported version. 3.1.x is years old and is no longer supported. Update to the latest version 3.4.6. If the problem persists in the latest version, then we can look into it in detail.  This may be a bug that has long since been fixed in a subsequent release.

Also, the root cause is actually this:

2020-01-15 09:01:00,934 - ERROR
[org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder:175] - Error
invoking Velocity template
java.io.IOException: Response header too large
        at
org.eclipse.jetty.http.HttpGenerator.generateResponse(HttpGenerator.java:400)
Caused by: java.nio.BufferOverflowException: null
        at java.nio.Buffer.nextPutIndex(Buffer.java:521)

That directly involves Jetty, it is the software that is throwing.  Since you are on a very old and unsupported IdP version, I'd also check your Jetty version and update if necessary.  This might very well be a Jetty bug.
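
As an added example (not part of the original posts, and not Shibboleth or Jetty code), the triage done by eye in the reply above can be scripted: group the log into events, take the first ERROR's exception chain as the origin, and treat later ERRORs that repeat it as fallout. The sample log is constructed from the lines quoted in this thread with the mail line-wrapping undone; `parse_events` and `root_cause` are hypothetical helper names.

```python
import re

# Constructed sample: WARN/ERROR lines from the log quoted in this thread,
# with the mail client's line wrapping undone (one physical line per log line).
SAMPLE_LOG = """\
2020-01-15 09:01:00,923 - WARN [org.opensaml.saml.common.binding.SAMLBindingSupport:91] - Relay state exceeds 80 bytes, some peers may not support this.
2020-01-15 09:01:00,934 - ERROR [org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder:175] - Error invoking Velocity template
java.io.IOException: Response header too large
        at org.eclipse.jetty.http.HttpGenerator.generateResponse(HttpGenerator.java:400)
Caused by: java.nio.BufferOverflowException: null
        at java.nio.Buffer.nextPutIndex(Buffer.java:521)
2020-01-15 09:01:00,942 - ERROR [org.opensaml.profile.action.impl.EncodeMessage:154] - Profile Action EncodeMessage: Unable to encode outbound response
org.opensaml.messaging.encoder.MessageEncodingException: Error creating output document
        at org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder.postEncode(HTTPPostEncoder.java:176)
Caused by: java.io.IOException: Response header too large
        at org.eclipse.jetty.http.HttpGenerator.generateResponse(HttpGenerator.java:400)
Caused by: java.nio.BufferOverflowException: null
        at java.nio.Buffer.nextPutIndex(Buffer.java:521)
"""

EVENT = re.compile(r"^(\d{4}-\d\d-\d\d [\d:,]+) - (\w+)\s+\[([\w.$]+):\d+\] - (.*)$")
EXC = re.compile(r"^(?:Caused by: )?([\w.$]+(?:Exception|Error)): ?(.*)$")
FRAME = re.compile(r"^\s+at ([\w.$<>]+)\(")

def parse_events(text):
    """Group lines into log events, each with its exception chain (hypothetical helper)."""
    events = []
    for line in text.splitlines():
        if m := EVENT.match(line):
            ts, level, logger, msg = m.groups()
            events.append({"ts": ts, "level": level, "logger": logger, "msg": msg, "chain": []})
        elif events and (m := EXC.match(line)):
            events[-1]["chain"].append({"type": m.group(1), "msg": m.group(2), "at": None})
        elif events and events[-1]["chain"] and (m := FRAME.match(line)):
            exc = events[-1]["chain"][-1]
            exc["at"] = exc["at"] or m.group(1)  # keep only the throwing (top) frame
    return events

def root_cause(events):
    """Origin = first ERROR with a trace; later ERRORs repeating its exceptions are fallout."""
    errors = [e for e in events if e["level"] == "ERROR" and e["chain"]]
    if not errors:
        return None
    first = errors[0]
    seen = {(c["type"], c["msg"]) for c in first["chain"]}
    fallout = [e["logger"] for e in errors[1:]
               if any((c["type"], c["msg"]) in seen for c in e["chain"])]
    return {"logger": first["logger"], "outer": first["chain"][0],
            "innermost": first["chain"][-1], "fallout": fallout}
```

On the sample, the origin is the `HTTPPostEncoder` event, whose outer exception is thrown from Jetty's `HttpGenerator.generateResponse`, and the `EncodeMessage` error is listed as fallout.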



Re: Error invoking Velocity template

dhina
Brent,
Thanks for the input.
We had the configuration to get all the attributes from AD.
For this particular user, the directReports attribute was too large (~500 users
reporting to this person).
This one was causing the issue. After we changed the configuration to get
just the required attributes (8 in total), the issue was resolved. I guess
the issue was with Jetty not being able to handle that amount of data.
Now, planning for our IDP upgrade.

Thanks,
-Dhina




Re: Error invoking Velocity template

Brent Putman


On 1/22/20 2:45 PM, dhina wrote:
> For this particular user, the directReports attribute was too large (~500 users
> reporting to this person).
> This one was causing the issue. After we changed the configuration to get
> just the required attributes (8 in total), the issue was resolved. I guess
> the issue was with Jetty not being able to handle that amount of data.


Hmm, ok.  Glad that resolved it... but I'm not clear why.  All of the SAML data being emitted there for the POST binding would go in the HTML in the body of the HTTP response, not in the header.  So off-hand I don't see how those 2 things could be connected.  Maybe someone else will point out something obvious I'm missing...

Or maybe the Jetty error message is just misleading and/or they do in fact have some kind of bug there.

