GluuFederation/oxShibboleth

Shibboleth server side session storage broken

Closed this issue · 3 comments

mzico commented

Server-side session storage is not storing the user identifier for the next SSO session.

Situation

  • Multiple SAML apps
  • First SAML SSO working okay
  • If I try to log in to another (next) SP which is connected with Gluu Server in the same browser/tab, Shibboleth throws an error.
  • Here is a screencast which has three servers:
    • test41.gluu.org / Gluu Server 4.1
    • samlapp.gluu.org / 1st SP
    • samlapp2.gluu.org / 2nd SP
    • First SSO working okay, next SSO failing.
    • Screencast: https://youtu.be/nuDnNl0FZro

Workaround

In the idp.properties file there is a configuration: idp.session.StorageService = shibboleth.GluuStorageService
If we replace that with idp.session.StorageService = shibboleth.StorageService
it works properly.

Stack trace

Here is the stack trace of the 2nd SSO. It's from 'idp-process.log':

2020-03-22 20:15:05,569 - 209.205.221.187 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder:100] - Decoded RelayState: ss:mem:543499ab4cf091efcfc44b8a97d4cd9e79bae380819c7ea44f7e1fedfa0b8a64
2020-03-22 20:15:05,569 - 209.205.221.187 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder:134] - Base64 decoding and inflating SAML message
2020-03-22 20:15:05,570 - 209.205.221.187 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder:110] - Decoded SAML message
2020-03-22 20:15:05,571 - 209.205.221.187 - DEBUG [PROTOCOL_MESSAGE:127] -
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest
    AssertionConsumerServiceURL="https://samlapp.gluu.org/Shibboleth.sso/SAML2/POST"
    Destination="https://test41.gluu.org/idp/profile/SAML2/Redirect/SSO"
    ID="_8c1f78b804065d8a435e340a261d89c6"
    IssueInstant="2020-03-22T20:15:04Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://samlapp.gluu.org/shibboleth</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="1"/>
</samlp:AuthnRequest>

2020-03-22 20:15:05,571 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.CheckMessageVersionHandler' on INBOUND message context
2020-03-22 20:15:05,572 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,572 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml1.binding.impl.SAML1ArtifactRequestIssuerHandler' on INBOUND message context
2020-03-22 20:15:05,572 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,573 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLProtocolAndRoleHandler' on INBOUND message context
2020-03-22 20:15:05,573 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,574 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler' on INBOUND message context
2020-03-22 20:15:05,574 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,574 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:434] - Metadata Resolver FilesystemMetadataResolver SiteSP1: Metadata backing store does not contain any EntityDescriptors with the ID: https://samlapp.gluu.org/shibboleth
2020-03-22 20:15:05,574 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver:184] - Metadata Resolver FilesystemMetadataResolver SiteSP1: Resolved 0 candidates via EntityIdCriterion: EntityIdCriterion [id=https://samlapp.gluu.org/shibboleth]
2020-03-22 20:15:05,575 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:586] - Metadata Resolver FilesystemMetadataResolver SiteSP1: Candidates iteration was empty, nothing to filter via predicates
2020-03-22 20:15:05,575 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver:184] - Metadata Resolver FilesystemMetadataResolver SiteSP2: Resolved 1 candidates via EntityIdCriterion: EntityIdCriterion [id=https://samlapp.gluu.org/shibboleth]
2020-03-22 20:15:05,575 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:590] - Metadata Resolver FilesystemMetadataResolver SiteSP2: Attempting to filter candidate EntityDescriptors via resolved Predicates
2020-03-22 20:15:05,575 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:612] - Metadata Resolver FilesystemMetadataResolver SiteSP2: After predicate filtering 1 EntityDescriptors remain
2020-03-22 20:15:05,575 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:266] - Resolved 1 source EntityDescriptors
2020-03-22 20:15:05,575 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:277] - Resolved 1 RoleDescriptor candidates via role criteria, performing predicate filtering
2020-03-22 20:15:05,576 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:378] - Attempting to filter candidate RoleDescriptors via resolved Predicates
2020-03-22 20:15:05,576 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:400] - After predicate filtering 1 RoleDescriptors remain
2020-03-22 20:15:05,576 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:145] - Message Handler:  org.opensaml.saml.common.messaging.context.SAMLMetadataContext added to MessageContext as child of org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext
2020-03-22 20:15:05,576 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler' on INBOUND message context
2020-03-22 20:15:05,577 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,577 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler:158] - Message Handler:  Selecting default AttributeConsumingService, if any
2020-03-22 20:15:05,577 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.support.AttributeConsumingServiceSelector:186] - Resolving AttributeConsumingService candidates from SPSSODescriptor
2020-03-22 20:15:05,577 - 209.205.221.187 - DEBUG [org.opensaml.saml.metadata.support.AttributeConsumingServiceSelector:141] - AttributeConsumingService candidate list was empty, can not select service
2020-03-22 20:15:05,577 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler:167] - Message Handler:  No AttributeConsumingService selected
2020-03-22 20:15:05,577 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeRelyingPartyContextFromSAMLPeer:132] - Profile Action InitializeRelyingPartyContextFromSAMLPeer: Attaching RelyingPartyContext based on SAML peer https://samlapp.gluu.org/shibboleth
2020-03-22 20:15:05,578 - 209.205.221.187 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:293] - Resolving relying party configuration
2020-03-22 20:15:05,578 - 209.205.221.187 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:314] - No relying party configurations are applicable, returning the default configuration shibboleth.DefaultRelyingParty
2020-03-22 20:15:05,578 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.SelectRelyingPartyConfiguration:136] - Profile Action SelectRelyingPartyConfiguration: Found relying party configuration shibboleth.DefaultRelyingParty for request
2020-03-22 20:15:05,579 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.PopulateProfileInterceptorContext:126] - Profile Action PopulateProfileInterceptorContext: Installing flow intercept/security-policy/saml2-sso into interceptor context
2020-03-22 20:15:05,580 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.FilterFlowsByNonBrowserSupport:52] - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do
2020-03-22 20:15:05,580 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:101] - Profile Action SelectProfileInterceptorFlow: Checking flow intercept/security-policy/saml2-sso for applicability...
2020-03-22 20:15:05,580 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:84] - Profile Action SelectProfileInterceptorFlow: Selecting flow intercept/security-policy/saml2-sso
2020-03-22 20:15:05,581 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler' on INBOUND message context
2020-03-22 20:15:05,581 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,581 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:157] - Message Handler:  Checking SAML message intended destination endpoint against receiver endpoint
2020-03-22 20:15:05,582 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:190] - Message Handler:  Intended message destination endpoint: https://test41.gluu.org/idp/profile/SAML2/Redirect/SSO
2020-03-22 20:15:05,582 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:191] - Message Handler:  Actual message receiver endpoint: https://test41.gluu.org/idp/profile/SAML2/Redirect/SSO
2020-03-22 20:15:05,582 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:204] - Message Handler:  SAML message intended destination endpoint matched recipient endpoint
2020-03-22 20:15:05,583 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.security.impl.MessageReplaySecurityHandler' on INBOUND message context
2020-03-22 20:15:05,583 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,583 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.security.impl.MessageReplaySecurityHandler:152] - Message Handler:  Evaluating message replay for message ID '_8c1f78b804065d8a435e340a261d89c6', issue instant '2020-03-22T20:15:04.000Z', entityID 'https://samlapp.gluu.org/shibboleth'
2020-03-22 20:15:05,584 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.security.impl.MessageLifetimeSecurityHandler' on INBOUND message context
2020-03-22 20:15:05,584 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,584 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml2.binding.security.impl.SAML2AuthnRequestsSignedSecurityHandler' on INBOUND message context
2020-03-22 20:15:05,585 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,585 - 209.205.221.187 - DEBUG [org.opensaml.saml.saml2.binding.security.impl.SAML2AuthnRequestsSignedSecurityHandler:83] - SPSSODescriptor for entity ID 'https://samlapp.gluu.org/shibboleth' does not require AuthnRequests to be signed
2020-03-22 20:15:05,585 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler' on INBOUND message context
2020-03-22 20:15:05,585 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,586 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler:103] - Message Handler:  SAML protocol message was not signed, skipping XML signature processing
2020-03-22 20:15:05,586 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler' on INBOUND message context
2020-03-22 20:15:05,586 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,587 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:149] - Message Handler:  Evaluating simple signature rule of type: org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler
2020-03-22 20:15:05,587 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:158] - Message Handler:  HTTP request was not signed via simple signature mechanism, skipping
2020-03-22 20:15:05,587 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPPostSimpleSignSecurityHandler' on INBOUND message context
2020-03-22 20:15:05,587 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,588 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:149] - Message Handler:  Evaluating simple signature rule of type: org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPPostSimpleSignSecurityHandler
2020-03-22 20:15:05,588 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:152] - Message Handler:  Handler can not handle this request, skipping
2020-03-22 20:15:05,588 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.messaging.handler.impl.CheckMandatoryIssuer' on INBOUND message context
2020-03-22 20:15:05,589 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,589 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.WriteProfileInterceptorResultToStorage:68] - Profile Action WriteProfileInterceptorResultToStorage: No results available from interceptor context, nothing to store
2020-03-22 20:15:05,589 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.FilterFlowsByNonBrowserSupport:52] - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do
2020-03-22 20:15:05,590 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:65] - Profile Action SelectProfileInterceptorFlow: Moving completed flow intercept/security-policy/saml2-sso to completed set, selecting next one
2020-03-22 20:15:05,590 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:80] - Profile Action SelectProfileInterceptorFlow: No flows available to choose from
2020-03-22 20:15:05,590 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeOutboundMessageContext:149] - Profile Action InitializeOutboundMessageContext: Initialized outbound message context
2020-03-22 20:15:05,595 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:375] - Profile Action PopulateBindingAndEndpointContexts: Attempting to resolve endpoint of type {urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService for outbound message
2020-03-22 20:15:05,595 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:516] - Profile Action PopulateBindingAndEndpointContexts: Populating template endpoint for resolution from SAML AuthnRequest
2020-03-22 20:15:05,596 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.AbstractEndpointResolver:220] - Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Returning 4 candidate endpoints of type {urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService
2020-03-22 20:15:05,596 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:418] - Profile Action PopulateBindingAndEndpointContexts: Resolved endpoint at location https://samlapp.gluu.org/Shibboleth.sso/SAML2/POST using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2020-03-22 20:15:05,597 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.saml2.profile.delegation.impl.PopulateDelegationContext:387] - No AttributeConsumingService was resolved, won't be able to determine delegation requested status via metadata
2020-03-22 20:15:05,597 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.saml2.profile.delegation.impl.PopulateDelegationContext:520] - No AttributeConsumingService was available
2020-03-22 20:15:05,597 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.saml2.profile.delegation.impl.PopulateDelegationContext:505] - Delegation request was not explicitly indicated, using default value: NOT_REQUESTED
2020-03-22 20:15:05,598 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.saml2.profile.delegation.impl.PopulateDelegationContext:294] - Issuance of a delegated Assertion is not in effect, skipping further processing
2020-03-22 20:15:05,598 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.profile.impl.PopulateSignatureSigningParameters:211] - Profile Action PopulateSignatureSigningParameters: Signing enabled
2020-03-22 20:15:05,598 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.impl.PopulateSignatureSigningParametersHandler:194] - Message Handler:  Signing enabled
2020-03-22 20:15:05,599 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.impl.PopulateSignatureSigningParametersHandler:207] - Message Handler:  Resolving SignatureSigningParameters for request
2020-03-22 20:15:05,599 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.impl.PopulateSignatureSigningParametersHandler:237] - Message Handler:  Adding metadata to resolution criteria for signing/digest algorithms
2020-03-22 20:15:05,599 - 209.205.221.187 - DEBUG [org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver:108] - Resolved signature algorithm URI from SAML metadata SigningMethod: http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
2020-03-22 20:15:05,599 - 209.205.221.187 - DEBUG [org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver:189] - Resolved reference digest method algorithm URI from SAML metadata DigestMethod: http://www.w3.org/2001/04/xmlenc#sha512
2020-03-22 20:15:05,600 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.binding.impl.PopulateSignatureSigningParametersHandler:248] - Message Handler:  Resolved SignatureSigningParameters
2020-03-22 20:15:05,601 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.profile.impl.PopulateSignatureSigningParameters:214] - Profile Action PopulateSignatureSigningParameters: Signing not enabled
2020-03-22 20:15:05,601 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:296] - Profile Action PopulateEncryptionParameters: Encryption for assertions (true), identifiers (false), attributes(false)
2020-03-22 20:15:05,602 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:306] - Profile Action PopulateEncryptionParameters: Resolving EncryptionParameters for request
2020-03-22 20:15:05,602 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:371] - Profile Action PopulateEncryptionParameters: Adding entityID to resolution criteria
2020-03-22 20:15:05,603 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:382] - Profile Action PopulateEncryptionParameters: Adding role metadata to resolution criteria
2020-03-22 20:15:05,603 - 209.205.221.187 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:260] - Resolving credentials from supplied RoleDescriptor using usage: ENCRYPTION.  Effective entityID was: https://samlapp.gluu.org/shibboleth
2020-03-22 20:15:05,604 - 209.205.221.187 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:352] - Resolved cached credentials from KeyDescriptor object metadata
2020-03-22 20:15:05,604 - 209.205.221.187 - DEBUG [org.opensaml.saml.security.impl.SAMLMetadataEncryptionParametersResolver:388] - Resolved data encryption algorithm URI from SAML metadata EncryptionMethod: http://www.w3.org/2009/xmlenc11#aes128-gcm
2020-03-22 20:15:05,604 - 209.205.221.187 - DEBUG [org.opensaml.saml.security.impl.SAMLMetadataEncryptionParametersResolver:342] - Resolved key transport algorithm URI from SAML metadata EncryptionMethod: http://www.w3.org/2009/xmlenc11#rsa-oaep
2020-03-22 20:15:05,605 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:322] - Profile Action PopulateEncryptionParameters: Resolved EncryptionParameters
2020-03-22 20:15:05,607 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.profile.impl.ExtractSubjectFromRequest:144] - Profile Action ExtractSubjectFromRequest: No Subject NameID/NameIdentifier in message needs inbound processing
2020-03-22 20:15:05,607 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.profile.impl.VerifyChannelBindings:154] - Profile Action VerifyChannelBindings: No channel bindings found to verify, nothing to do
2020-03-22 20:15:05,608 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml2.binding.impl.ExtractProxiedRequestersHandler' on INBOUND message context
2020-03-22 20:15:05,609 - 209.205.221.187 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2020-03-22 20:15:05,609 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeAuthenticationContext:138] - Profile Action InitializeAuthenticationContext: Created authentication context: AuthenticationContext{initiationInstant=2020-03-22T20:15:05.609Z, isPassive=false, forceAuthn=false, hintedName=null, maxAge=0, potentialFlows=[], activeResults=[], attemptedFlow=null, signaledFlowId=null, authenticationStateMap={}, resultCacheable=true, initialAuthenticationResult=null, authenticationResult=null, completionInstant=1970-01-01T00:00:00.000Z}
2020-03-22 20:15:05,610 - 209.205.221.187 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.ProcessRequestedAuthnContext:174] - Profile Action ProcessRequestedAuthnContext: AuthnRequest did not contain a RequestedAuthnContext, nothing to do
2020-03-22 20:15:05,611 - 209.205.221.187 - DEBUG [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:221] - Profile Action PopulateAuthenticationContext: Installed 1 potential authentication flows into AuthenticationContext
2020-03-22 20:15:05,612 - 209.205.221.187 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedSessionManager:798] - Performing primary lookup on session ID 35c3acafd6337bb079f9e68b99f6df136d6ac64b48f0f622a4dda55905e71589
2020-03-22 20:15:05,616 - 209.205.221.187 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedIdPSession:90] - Updating expiration of master record for session 35c3acafd6337bb079f9e68b99f6df136d6ac64b48f0f622a4dda55905e71589 to 2020-03-23T21:15:05.616Z
2020-03-22 20:15:05,618 - 209.205.221.187 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Value cannot be null or empty
        at net.shibboleth.utilities.java.support.logic.Constraint.isNotNull(Constraint.java:227)
2020-03-22 20:15:05,619 - 209.205.221.187 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: RuntimeException
2020-03-22 20:15:05,619 - 209.205.221.187 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:170] - Error event RuntimeException will be handled locally
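
For triaging a DEBUG-level idp-process.log like the one above, the following added example (not part of the original issue or of oxShibboleth) parses the record format shown in the trace and reports, for each ERROR record, the exception and the session ID last looked up for the same client. The sample log is constructed from the issue's lines with placeholder client addresses and session IDs; the function and field names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Record prefix as it appears in the issue's idp-process.log:
# "<date> <time>,<ms> - <client ip> - <LEVEL> [<logger>:<line>] - <message>"
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - (?P<ip>\S+) - "
    r"(?P<level>[A-Z]+) \[(?P<logger>[^\]:]+):-?\d+\] -\s?(?P<msg>.*)$"
)
SESSION_LOOKUP = re.compile(r"Performing primary lookup on session ID (\w+)")

# Constructed sample: placeholder client addresses and session IDs.
SAMPLE = """\
2020-03-22 20:15:05,612 - 192.0.2.10 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedSessionManager:798] - Performing primary lookup on session ID aaaa1111
2020-03-22 20:15:05,613 - 192.0.2.20 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedSessionManager:798] - Performing primary lookup on session ID bbbb2222
2020-03-22 20:15:05,616 - 192.0.2.10 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedIdPSession:90] - Updating expiration of master record for session aaaa1111 to 2020-03-23T21:15:05.616Z
2020-03-22 20:15:05,618 - 192.0.2.10 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Value cannot be null or empty
        at net.shibboleth.utilities.java.support.logic.Constraint.isNotNull(Constraint.java:227)
2020-03-22 20:15:05,619 - 192.0.2.10 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: RuntimeException
"""


@dataclass
class Record:
    ts: str
    ip: str
    level: str
    logger: str
    msg: str
    extra: list = field(default_factory=list)  # continuation lines (stack trace, XML)


def parse(text):
    """Split the log into records; lines without the prefix belong to the previous record."""
    records = []
    for raw in text.splitlines():
        m = RECORD.match(raw)
        if m:
            records.append(Record(m["ts"], m["ip"], m["level"], m["logger"], m["msg"]))
        elif records and raw.strip():
            records[-1].extra.append(raw.strip())
    return records


def failed_sessions(records):
    """For each ERROR record, report the exception and the client's last session lookup."""
    last_lookup = {}  # client IP -> session ID most recently looked up
    findings = []
    for rec in records:
        m = SESSION_LOOKUP.search(rec.msg)
        if m:
            last_lookup[rec.ip] = m.group(1)
        elif rec.level == "ERROR":
            first = rec.extra[0] if rec.extra else ""
            exc, _, detail = first.partition(": ")
            findings.append({
                "time": rec.ts,
                "client": rec.ip,
                "session": last_lookup.get(rec.ip),
                "exception": exc,
                "detail": detail,
                "raised_at": rec.extra[1] if len(rec.extra) > 1 else None,
            })
    return findings


if __name__ == "__main__":
    for finding in failed_sessions(parse(SAMPLE)):
        print(finding)
```
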

I tried reproducing it, but for me it's working fine by default

https://sp1.gluu.org:8443
https://sp2.gluu.org:9443

And it all worked fine; for the 2nd it got authenticated without asking for credentials and landed on the application.

Solution:

1. Download https://ox.gluu.org/maven/org/gluu/oxshibbolethIdp/4.1.1.Final/oxshibbolethIdp-4.1.1.Final.war
2. Rename oxshibbolethIdp-4.1.1.Final.war to idp.war
3. Copy idp.war to /opt/gluu-server/opt/gluu/jetty/idp/webapps
4. Restart idp by running: service idp restart

Duplicate #68