Shibboleth SP - C++ / SSPCPP-669

cached samlds.json files prematurely removed w/ multiple applicationIds

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.5.4, 2.5.5
    • Fix Version/s: 2.5.6
    • Component/s: None
    • Labels:
      None
    • Environment:

      FreeBSD 10.1, apache 2.4 using MPM event.

    • Operating System:
      Multiple
    • CPU Type:
      Multiple
    • C/C++ Compiler:
      Multiple
    • Web Server:
      Apache 2.4

      Description

      We have two applicationIDs, on the same apache+shibboleth server, that use SAMLDS. The problem we see is that occasionally, up to every other minute, a user gets an error using the SAMLDS feed (serverurl/Shibboleth.sso/DiscoFeed):

      apache error log:

      [Fri Aug 28 11:25:19.029185 2015] [mod_shib:error] [pid 29731:tid 34515038208] [client 80.254.244.194:54035] error while processing request:Unable to access cached feed in (/var/cache/shibboleth//975b5865.json)., referer: https://servername.domain.tld/login/samlds.jsp?entityID=https%3A%2F%2Fservername.domain.tld%2FShibboleth.sso%2FMetadata&return=https%3A%2F%2Fservername.domain.tld%2FShibboleth.sso%2FLogin%3FSAMLDS%3D1%26target%3Dss%253Amem%253A181043fea37e73faf31f1e50105b72e96ce360450205009c0aca7ae52a380149
      

      This started after upgrading from 2.5.3 to 2.5.4 (or 2.5.5) in July. With 2.5.4, a bug was fixed so older cached json files were appropriately removed. My suspicion is that the fix in Shibboleth-SP 2.5.4 SSPCPP-612 triggers a bug when using multiple SAMLDS applicationIds, in that they remove each other's samlds.json files.

      I.e. app1 removes app2's cached files somewhat prematurely, and vice versa.

      This is of course just a guess, I cannot see why that would happen from looking at the code, but the theory fits well with the problem at hand.

      We use Shibboleth with about 50 different setups for different customers, all using the same installed versions of OS, Apache and Shibboleth. Only one has two applicationIds (2 different hostnames) using SAMLDS. Only those two applicationIds have problems.

      Removing this patch would surely fix the problem (but leave a horrible amount of cached files behind again).

      configuration

      <!-- app1 -->
      <ApplicationOverride id="app1"
          entityID="https://servername1/shibboleth"
          REMOTE_USER="eppn personalIdentityNumber norEduPersonNIN">
          <Sessions checkAddress="false" relayState="ss:mem" handlerSSL="true" cookieProps="https">
              <SSO ignoreNoPassive="true" discoveryProtocol="SAMLDS"
                  discoveryURL="https://servername1/login/samlds.jsp"> SAML2
              </SSO>
          </Sessions>
      </ApplicationOverride>

      <!-- app2 -->
      <ApplicationOverride id="app2"
          entityID="https://servername2/Shibboleth.sso/Metadata"
          REMOTE_USER="eppn personalIdentityNumber norEduPersonNIN persistent-id targeted-id">
          <Sessions checkAddress="false" relayState="ss:mem" handlerSSL="true" cookieProps="https">
              <SSO ignoreNoPassive="true" discoveryProtocol="SAMLDS"
                  discoveryURL="https://servername2/login/samlds.jsp"> SAML2
              </SSO>
          </Sessions>
      </ApplicationOverride>


      and two virtual hosts in apache, each with

        <Location />
          ShibRequestSetting applicationId app1
        </Location>
      
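A small log-triage script, added here as an example and not part of the issue or of the Shibboleth SP code: it parses Apache 2.4 `error_log` lines in the mod_shib format shown above, pulls out the cache file named in "Unable to access cached feed in (...)" and the SP `entityID` from the `samlds.jsp` referer, and counts failures per cache file and per entityID. That is the check an operator would run to confirm whether the errors cluster on the two applicationIds that share the feed cache. The log format assumed is the one in the report; the `SAMPLE_LINES` beyond the first are constructed, as are the hostnames `servername2.example` and the cache file name `1a2b3c4d.json`.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Apache 2.4 error_log line as emitted by mod_shib:
# [ts] [module:level] [pid P:tid T] [client IP:port] message, referer: URL
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] \[client (?P<client>[^\]]+)\] "
    r"(?P<msg>.*?)(?:, referer: (?P<referer>\S+))?$"
)
# The DiscoFeed cache failure seen in the report; the path is in parentheses.
CACHE_RE = re.compile(r"Unable to access cached feed in \((?P<path>[^)]+)\)")

# Constructed sample: first line is the one from the report, the rest are made up.
SAMPLE_LINES = [
    "[Fri Aug 28 11:25:19.029185 2015] [mod_shib:error] [pid 29731:tid 34515038208] "
    "[client 80.254.244.194:54035] error while processing request:Unable to access "
    "cached feed in (/var/cache/shibboleth//975b5865.json)., referer: "
    "https://servername.domain.tld/login/samlds.jsp?entityID=https%3A%2F%2F"
    "servername.domain.tld%2FShibboleth.sso%2FMetadata&return=https%3A%2F%2F"
    "servername.domain.tld%2FShibboleth.sso%2FLogin%3FSAMLDS%3D1%26target%3Dss"
    "%253Amem%253A181043fea37e73faf31f1e50105b72e96ce360450205009c0aca7ae52a380149",
    # constructed: the second applicationId on the same host hitting its own cache file
    "[Fri Aug 28 11:27:03.112233 2015] [mod_shib:error] [pid 29731:tid 34515038208] "
    "[client 192.0.2.10:41000] error while processing request:Unable to access "
    "cached feed in (/var/cache/shibboleth//1a2b3c4d.json)., referer: "
    "https://servername2.example/login/samlds.jsp?entityID=https%3A%2F%2F"
    "servername2.example%2Fshibboleth&return=https%3A%2F%2Fservername2.example"
    "%2FShibboleth.sso%2FLogin%3FSAMLDS%3D1",
    # constructed: an unrelated mod_shib line with no referer, must be ignored
    "[Fri Aug 28 11:28:00.000000 2015] [mod_shib:info] [pid 29731:tid 34515038208] "
    "[client 192.0.2.11:41001] some other message",
    # constructed: the first cache file failing again a minute later
    "[Fri Aug 28 11:29:41.555555 2015] [mod_shib:error] [pid 29731:tid 34515038208] "
    "[client 198.51.100.7:50001] error while processing request:Unable to access "
    "cached feed in (/var/cache/shibboleth//975b5865.json)., referer: "
    "https://servername.domain.tld/login/samlds.jsp?entityID=https%3A%2F%2F"
    "servername.domain.tld%2FShibboleth.sso%2FMetadata&return=https%3A%2F%2F"
    "servername.domain.tld%2FShibboleth.sso%2FLogin%3FSAMLDS%3D1",
]


def parse_line(line):
    """Split one error_log line into fields; return None if it is not in the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    cm = CACHE_RE.search(rec["msg"])
    # Collapse the doubled slash ("shibboleth//975b5865.json") so counts key on one path.
    rec["cache_path"] = posixpath.normpath(cm.group("path")) if cm else None
    rec["entity_id"] = None
    if rec["referer"]:
        # The referer is the SAMLDS page; its entityID query parameter names the SP.
        qs = parse_qs(urlparse(rec["referer"]).query)
        rec["entity_id"] = qs.get("entityID", [None])[0]
    return rec


def summarize_feed_errors(lines):
    """Return (failures per cache file, failures per SP entityID) for cached-feed errors."""
    by_path = Counter()
    by_entity = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["cache_path"]:
            by_path[rec["cache_path"]] += 1
            by_entity[rec["entity_id"] or "unknown"] += 1
    return by_path, by_entity


if __name__ == "__main__":
    paths, entities = summarize_feed_errors(SAMPLE_LINES)
    for path, n in paths.most_common():
        print(f"{n:4d}  {path}")
    for entity, n in entities.most_common():
        print(f"{n:4d}  {entity}")
```

Run it against a real `error_log` with `summarize_feed_errors(open(path))`; if every failing cache file maps to one of exactly two entityIDs on the same server, that matches the pattern described in this report.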

        People

        Assignee: Scott Cantor

        Time Tracking

        Logged: 1h 30m