error seen by user when 'Rejecting replayed message ID'?


Paul Henson
I'm still trying to sort out a problem with a client whose application
is getting NoSuchFlow errors sporadically when trying to authenticate.
The operator of the idp involved is pointing to some 'Rejecting replayed
message ID' logs around the same time as the issue occurred. I didn't
think that would return the same "maybe you hit the back button" error
page as the application is receiving, but I don't know that I've ever
experienced the replay error myself.

What would one expect to see in a browser as far as an error message
when the idp thinks it has detected a replayed message and aborts the
authentication?

Thanks much...
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Re: error seen by user when 'Rejecting replayed message ID'?

Cantor, Scott E.
On 1/2/20, 11:55 PM, "users on behalf of Paul Henson" <[hidden email] on behalf of [hidden email]> wrote:

> What would one expect to see in a browser as far as an error message
> when the idp thinks it has detected a replayed message and aborts the
> authentication?

The same page.

More usefully, you can determine (and control) all of this; it's not hardwired and it's not hidden behavior. The event ID is "MessageReplay", which should be audit-loggable. The rest is all visible in system/messages/messages.properties and error.vm and is all just example behavior.

The only subtlety is that technically MessageReplay doesn't come defined as a "local" error and would cause an error to be sent back to the SP, but a replay is too early and invalidates the possibility of issuing a response.

-- Scott


Re: Ex: Re: error seen by user when 'Rejecting replayed message ID'?

Paul Henson
On Fri, Jan 03, 2020 at 01:00:06PM +0000, Cantor, Scott wrote:

> > What would one expect to see in a browser as far as an error message
> > when the idp thinks it has detected a replayed message and aborts the
> > authentication?
>
> The same page.

Ok, thanks much for the confirmation. The client is seeing the same
error page, but now the idp is logging a message replay error rather
than a NoSuchFlow error, so it's not quite the same failure. This issue
is a real headache; between all the players involved and the lack of
direct access to the pieces, I feel like the blind men and the elephant
8-/.