error seen by user when 'Rejecting replayed message ID'?
I'm still trying to sort out a problem with a client whose application
is getting NoSuchFlow errors sporadically when trying to authenticate.
The operator of the idp involved is pointing to some 'Rejecting replayed
message ID' logs around the same time as the issue occurred. I didn't
think that would return the same "maybe you hit the back button" error
page as the application is receiving, but I don't know that I've ever
experienced the replay error myself.
What would one expect to see in a browser as far as an error message
when the idp thinks it has detected a replayed message and aborts the
> What would one expect to see in a browser as far as an error message
> when the idp thinks it has detected a replayed message and aborts the
The same page.
More usefully, you can determine (and control) all of this, it's not hardwired and it's not hidden behavior. The event ID is "MessageReplay", which should be audit-loggable. The rest is all visible in system/messages/messages.properties and error.vm and is all just example behavior.
The only subtlety is that technically MessageReplay doesn't come defined as a "local" error and would cause an error to be sent back to the SP, but a replay is too early and invalidates the possibility of issuing a response.
Re: Ex: Re: error seen by user when 'Rejecting replayed message ID'?
On Fri, Jan 03, 2020 at 01:00:06PM +0000, Cantor, Scott wrote:
> > What would one expect to see in a browser as far as an error message
> > when the idp thinks it has detected a replayed message and aborts the
> > authentication?
> The same page.
Ok, thanks much for the confirmation. The client is seeing the same
error page, but now the idp is logging a message replay error rather
than a NoSuchFlow error, so it's not quite the same failure. This issue
is a real headache, between all the players involved and the lack of
direct access to the pieces I feel like the blind men and the elephant
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg To unsubscribe from this list send an email to [hidden email]