SLO not working in IE/Edge

Description

After performing SLO from a Shibboleth IdP in IE/Edge, attempting to log in again results in a ConstraintViolationException:

net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Context cannot be null or empty
at net.shibboleth.utilities.java.support.logic.Constraint.isNotNull(Constraint.java:227)

(no further stacktrace provided in the logs)

When running with logging in DEBUG, this is preceded by a logging line:

[net.shibboleth.idp.session.impl.StorageBackedSessionManager:792] [10.8.0.237] - Performing primary lookup on session ID

Note the lack of a session identifier following the words "session ID" where there would usually be one.

This seems to be caused by an Expire setting not getting set on the shib_idp_session during logout, just a Max-Age=0 setting, which IE does not support. The result is that shib_idp_session gets set to a blank string, which is then passed back to Shibboleth when next logging in.

Deleting the shib_idp_session cookie using the browser developer tools makes things start working again.

Environment

Shibboleth 3.3.3 running inside Tomcat 8.5.9 on Oracle Java 1.8.0_121 on RHEL7. The MemcachedStorageService backend is in use for session storage.
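The cookie behaviour described in the report, as an added example (not part of the original issue and not Shibboleth or Tomcat code): it checks whether a logout `Set-Cookie` header clears the cookie for clients that ignore Max-Age, and shows what such a client keeps. The function names, the sample headers and the `/idp` path are assumptions made for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie value; attribute names lower-cased."""
    pair, *rest = header.split(";")
    name, _, value = pair.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def _expired(attrs, now):
    """True if an Expires attribute is present, parseable and not in the future."""
    try:
        return parsedate_to_datetime(attrs["expires"]) <= now
    except (KeyError, TypeError, ValueError):
        return False

def stored_value(header, honors_max_age, now=None):
    """Value the client keeps after this header, or None if the cookie is removed.

    Simplified model (assumption): a client that ignores Max-Age acts on Expires only.
    """
    now = now or datetime.now(timezone.utc)
    _, value, attrs = parse_set_cookie(header)
    if honors_max_age and "max-age" in attrs:
        # Where Max-Age is supported it takes precedence over Expires (RFC 6265).
        return None if int(attrs["max-age"]) <= 0 else value
    return None if _expired(attrs, now) else value

def audit_logout_cookie(header):
    """Classify a logout Set-Cookie: 'portable', 'max-age-only' or 'not-a-deletion'."""
    if stored_value(header, honors_max_age=False) is None:
        return "portable"
    if stored_value(header, honors_max_age=True) is None:
        return "max-age-only"
    return "not-a-deletion"

# Constructed sample headers (not captured from a real IdP); the path is a placeholder.
MAX_AGE_ONLY = "shib_idp_session=; Max-Age=0; Path=/idp; Secure; HttpOnly"
WITH_EXPIRES = ("shib_idp_session=; Max-Age=0; "
                "Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/idp; Secure; HttpOnly")

if __name__ == "__main__":
    for h in (MAX_AGE_ONLY, WITH_EXPIRES):
        print(audit_logout_cookie(h), repr(stored_value(h, honors_max_age=False)))
```

A result of `max-age-only` on a logout response means a client without Max-Age support is left holding the blank cookie value, which matches the empty session ID in the DEBUG line above.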

Activity

Unidentified Legacy Account March 13, 2017 at 4:46 PM

I've not explicitly set that, no (and I've just double checked to make sure I haven't), so it does seem odd that I need to explicitly set it.

Unidentified Legacy Account March 13, 2017 at 4:40 PM

That looks like what I did (though I explicitly set the className too, but that's not actually required).

Scott Cantor March 13, 2017 at 3:17 PM

Also, it seems like this should be defaulting to true anyway. Did you explicitly set org.apache.catalina.STRICT_SERVLET_COMPLIANCE to true? That defaults to false, and the documentation says that setting it to true is what makes alwaysAddExpires default to false.

Scott Cantor March 13, 2017 at 3:14 PM

I added an example to the Tomcat8 page, if you could verify or correct that example I'd appreciate it.

Scott Cantor March 13, 2017 at 3:04 PM

r8675 applied to trunk

Fixed


Created March 13, 2017 at 2:05 PM
Updated August 6, 2021 at 10:25 PM
Resolved March 13, 2017 at 3:04 PM