SP3: Cannot get session recovery to work across nodes

SP3: Cannot get session recovery to work across nodes

Wise, Tony (CGI Federal)

Hi all, we are attempting to use session recovery across SP nodes without success and having a hard time finding any related info. Here is what we have in the shibboleth2.xml file related to this:

 

<DataSealer type="Static" key="KohVO7WQkf3I0w3ROCurjA==" />
<SessionCache type="StorageService" persistedAttributes="HTTP_EUA" />

And this is what we see in the SP logs on the node that did NOT create the session:

sp-native 2021-01-05 17:06:50 DEBUG Shibboleth.SessionCache [38] shib_check_user [default]: searching local cache for session (_b2ad5fbb9a887cda667e93cc6b2b1612)
sp-native 2021-01-05 17:06:50 DEBUG Shibboleth.SessionCache [38] shib_check_user [default]: session not found locally, remoting the search
sp-native 2021-01-05 17:06:50 DEBUG Shibboleth.Listener [38] shib_check_user [default]: sending message (find::StorageService::SessionCache)
sp-native 2021-01-05 17:06:50 DEBUG Shibboleth.Listener [38] shib_check_user [default]: send completed, reading response message
sp-native 2021-01-05 17:06:50 DEBUG Shibboleth.SessionCache [38] shib_check_user [default]: session not found in remote cache
sp-native 2021-01-05 17:06:50 DEBUG Shibboleth.SessionInitiator.SAML2 [38] shib_check_user [default]: attempting to initiate session using SAML 2.0 with provider (http://www.okta.com/exk4rynlzm0QpuLKZ297)
sp-native 2021-01-05 17:06:50 DEBUG Shibboleth.Listener [38] shib_check_user [default]: sending message (default/Login::run::SAML2SI)
sp-native 2021-01-05 17:06:50 DEBUG Shibboleth.Listener [38] shib_check_user [default]: send completed, reading response message
sp-native 2021-01-05 17:06:50 DEBUG XMLTooling.ParserPool : asked to resolve classpath:/schema/shibboleth-2.0-afp.xsd with baseURI /usr/share/xml/shibboleth/shibboleth-2.0-afp-mf-basic.xsd

 

Any pointers or help would be much appreciated. Generally all we need in the headers is the HTTP_EUA attribute at this point. And I am not sure if there is supposed to be another cookie (session recovery) but if so, it does not seem to be created.

 

Cheers,

Tony Wise
Solution Architect
PMP, CSM, AWS Certified Cloud Practitioner

CGI Federal
12601 Fairlakes Circle Fairfax, VA 22033
Tel 703.227.7287 | Cell 703.851.6963
[hidden email] | http://www.cgi.com

 

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: SP3: Cannot get session recovery to work across nodes

Cantor, Scott E.
On 1/5/21, 2:15 PM, "users on behalf of Wise, Tony (CGI Federal)" <[hidden email] on behalf of [hidden email]> wrote:

>    <SessionCache type="StorageService" persistedAttributes="HTTP_EUA" />

That is very unlikely to be the name of an attribute, that's an HTTP header name. That is not the same thing. I would have to check but I suspect if it does not contain any attributes that are meant to be persisted, it won't bother doing it, but that may also be a mistaken assumption, I don't have the code in front of me.

-- Scott
 

Re: SP3: Cannot get session recovery to work across nodes

Cantor, Scott E.
>    That is very unlikely to be the name of an attribute, that's an HTTP header name. That is not the same thing. I would
> have to check but I suspect if it does not contain any attributes that are meant to be persisted, it won't bother doing it,
> but that may also be a mistaken assumption, I don't have the code in front of me.

I do now, and that's both correct and logged.

    if (attrs.integer() == 0) {
        m_log.info("session (%s) contained no attributes requiring persistence, will not be recoverable", session.name());
        return;
    }

-- Scott
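
An added example (not part of the thread, and not Shibboleth project code) of checking the point made above: it flags persistedAttributes entries that match no attribute id in the attribute map, and pulls the "will not be recoverable" message out of SP log lines. The attribute map entry, the id "eua" and the log lines are constructed; an attribute id can also come from a source other than the attribute map, so an unmatched entry is a prompt to check, not proof of an error.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs. The SessionCache line is the one from the thread; the
# attribute map entry (id "eua") and the log lines are hypothetical samples.
SP_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <SessionCache type="StorageService" persistedAttributes="HTTP_EUA" />
</SPConfig>"""
ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:example:attr:eua" id="eua"/>
</Attributes>"""
SAMPLE_LOG = [
    "sp-native 2021-01-05 17:06:40 INFO Shibboleth.SessionCache [12] shib_handler [default]: "
    "session (_constructed0001) contained no attributes requiring persistence, will not be recoverable",
    "sp-native 2021-01-05 17:06:50 DEBUG Shibboleth.SessionCache [38] shib_check_user [default]: "
    "session not found in remote cache",
]

def _local(tag):
    """Element name without its XML namespace."""
    return tag.rsplit("}", 1)[-1]

def persisted_ids(sp_config_xml):
    """Whitespace-separated entries of every SessionCache persistedAttributes."""
    ids = []
    for el in ET.fromstring(sp_config_xml).iter():
        if _local(el.tag) == "SessionCache":
            ids += el.get("persistedAttributes", "").split()
    return ids

def mapped_ids(attribute_map_xml):
    """Attribute ids declared in an attribute map document."""
    root = ET.fromstring(attribute_map_xml)
    return {el.get("id") for el in root.iter()
            if _local(el.tag) == "Attribute" and el.get("id")}

def unmapped_persisted(sp_config_xml, attribute_map_xml):
    """persistedAttributes entries that are not an id in the attribute map."""
    known = mapped_ids(attribute_map_xml)
    return [i for i in persisted_ids(sp_config_xml) if i not in known]

# Message text as in the m_log.info() call quoted in the thread.
NOT_RECOVERABLE = re.compile(
    r"session \(([^)]+)\) contained no attributes requiring persistence, will not be recoverable")

def unrecoverable_sessions(log_lines):
    """Session names the SP logged as not recoverable."""
    return [m.group(1) for line in log_lines if (m := NOT_RECOVERABLE.search(line))]

if __name__ == "__main__":
    print("unmatched persistedAttributes:", unmapped_persisted(SP_CONFIG, ATTRIBUTE_MAP))
    print("not recoverable:", unrecoverable_sessions(SAMPLE_LOG))
```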

