Too Many Redirects AND No State Errors


Jon August

Sep 19, 2016, 4:48:43 PM
to SimpleSAMLphp
Hi,

I have moved from a test environment where my SimpleSAMLphp setup works fine to a production environment where presumably only the Federation server URL and the SSL certs have changed - although the web server configuration is slightly different.  However, now I am getting Too Many Redirects when I go to log in as administrator on the installation page AND I get a:

SimpleSAML_Error_NoState: NOSTATE

Error when I try to connect to my authentication source from the installation page.

In the logs, there is a request and a successful response from the Federation server, but in between, I see this:

Loading state: '_ec620521fa20c2f2dfe217300a5348ed377b31fb23'
Sep 19 16:38:37 simplesamlphp ERROR [4e62127398] SimpleSAML_Error_NoState: NOSTATE
Sep 19 16:38:37 simplesamlphp ERROR [4e62127398] Backtrace:
Sep 19 16:38:37 simplesamlphp ERROR [4e62127398] 2 /infra/app/balloons/local/var/httpd/balloons/simplesamlphp/lib/SimpleSAML/Auth/State.php:263 (SimpleSAML_Auth_State::loadState)
Sep 19 16:38:37 simplesamlphp ERROR [4e62127398] 1 /infra/app/balloons/local/var/httpd/balloons/simplesamlphp/modules/saml/www/sp/saml2-acs.php:78 (require)
Sep 19 16:38:37 simplesamlphp ERROR [4e62127398] 0 /infra/app/balloons/local/var/httpd/balloons/simplesamlphp/www/module.php:127 (N/A)
Sep 19 16:38:37 simplesamlphp ERROR [4e62127398] Error report with id cbed61ad generated.
Sep 19 16:38:37 simplesamlphp DEBUG [4e62127398] Template: Reading [/infra/app/balloons/local/var/httpd/balloons/simplesamlphp/dictionaries/errors]
Sep 19 16:38:37 simplesamlphp DEBUG [4e62127398] Template: Reading [/infra/app/balloons/local/var/httpd/balloons/simplesamlphp/modules/core/dictionaries/no_state]

I'm a bit flummoxed about how to resolve this No State issue, but I feel like it may be related to the issue that is causing the Too Many Redirects issue.

Any help locating the issue is appreciated.  Let me know if there's something you'd like to see to help.

Thanks!

Jon

Jaime Perez Crespo

Sep 20, 2016, 2:45:12 AM
to simple...@googlegroups.com
Hi Jon,

That sounds like a configuration issue. Make sure your session cookies are set appropriately so that SimpleSAMLphp can find them not only when you access it directly, but also when you use it from your applications.

If you keep having problems, ask again and try to give us a bit more details (general setup, configuration, and a broader part of the log, since the context before the actual error could also explain why the error is happening).
--
Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Jon August

Sep 20, 2016, 1:58:26 PM
to SimpleSAMLphp
Hi Jaime,

I set up my own set of pages to set and get data from a PHP session and it seems fine.  I am truly stumped - having tried multiple things to resolve this.  I did an HTTP trace when trying to log in as administrator on the simplesaml installation page.  This is what that looks like (various details have been obscured).  One bizarre detail I'm noticing is that the Cookie that gets set has an expiration date in the past.  However, my development environment does the same thing and it works fine.  Below the HTTP Trace, I'm including the request and response from the simplesamlphp log.  Notice that there is a Successful response after the No State error.

Any ideas?

===========HTTP TRACE================

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: WT_FPC=id=10.9.97.249-237925568.30469917:lv=1446491376542:ss=1446491376542; __utma=235480898.2101344954.1429301107.1446477916.1446491377.4; PHPSESSID=humb6nirgh4bh63oes1pvgavh3; _ga=GA1.2.2101344954.1429301107; PHPSESSID=57d5a2169bd43fd2de288c4f7bcabc21

HTTP/1.1 302 Found
Date: Tue, 20 Sep 2016 16:53:15 GMT
Server: Apache/2.4.23 (Unix) OpenSSL/0.9.8e-fips-rhel5 PHP/5.6.18
X-Powered-By: PHP/5.6.18
Set-Cookie: PHPSESSID=humb6nirgh4bh63oes1pvgavh3; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=3d94c08e36e387c6f284944655890634; path=/; HttpOnly
Content-Length: 1503
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: WT_FPC=id=10.9.97.249-237925568.30469917:lv=1446491376542:ss=1446491376542; __utma=235480898.2101344954.1429301107.1446477916.1446491377.4; PHPSESSID=humb6nirgh4bh63oes1pvgavh3; _ga=GA1.2.2101344954.1429301107; PHPSESSID=3d94c08e36e387c6f284944655890634

HTTP/1.1 302 Found
Date: Tue, 20 Sep 2016 16:53:15 GMT
Server: Apache/2.4.23 (Unix) OpenSSL/0.9.8e-fips-rhel5 PHP/5.6.18
X-Powered-By: PHP/5.6.18
Set-Cookie: PHPSESSID=humb6nirgh4bh63oes1pvgavh3; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=2d915f41e51159917753dfdd78c9e300; path=/; HttpOnly
Content-Length: 1139
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: WT_FPC=id=10.9.97.249-237925568.30469917:lv=1446491376542:ss=1446491376542; __utma=235480898.2101344954.1429301107.1446477916.1446491377.4; PHPSESSID=humb6nirgh4bh63oes1pvgavh3; _ga=GA1.2.2101344954.1429301107; PHPSESSID=2d915f41e51159917753dfdd78c9e300

HTTP/1.1 302 Found
Date: Tue, 20 Sep 2016 16:53:15 GMT
Server: Apache/2.4.23 (Unix) OpenSSL/0.9.8e-fips-rhel5 PHP/5.6.18
X-Powered-By: PHP/5.6.18
Set-Cookie: PHPSESSID=humb6nirgh4bh63oes1pvgavh3; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=37d4b405aedaddce25ce020ab9cae5a2; path=/; HttpOnly
Content-Length: 1503
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

ETC....  (THIS LOOPS UNTIL CHROME QUITS)
===========HTTP TRACE================

===========SIMPLESAMLPHP LOG==============
Sep 20 13:06:49 simplesamlphp DEBUG [5d983c8e27] Session: 'admin' not valid because we are not authenticated.
Sep 20 13:06:49 simplesamlphp DEBUG [5d983c8e27] Session: 'login-admin' not valid because we are not authenticated.
Sep 20 13:06:49 simplesamlphp DEBUG [5d983c8e27] Template: Reading [/infra/app/balloons/local/var/httpd/balloons/simplesamlphp/modules/core/dictionaries/frontpage]
Sep 20 13:06:49 simplesamlphp DEBUG [5d983c8e27] Template: Reading [/infra/app/balloons/local/var/httpd/balloons/simplesamlphp/modules/core/dictionaries/frontpage]
Sep 20 13:06:51 simplesamlphp DEBUG [7029363b69] Session: 'admin' not valid because we are not authenticated.
Sep 20 13:06:51 simplesamlphp DEBUG [7029363b69] Session: 'login-admin' not valid because we are not authenticated.
Sep 20 13:06:51 simplesamlphp DEBUG [7029363b69] Template: Reading [/infra/app/balloons/local/var/httpd/balloons/simplesamlphp/modules/core/dictionaries/frontpage]
Sep 20 13:06:51 simplesamlphp DEBUG [7029363b69] Template: Reading [/infra/app/balloons/local/var/httpd/balloons/simplesamlphp/modules/core/dictionaries/frontpage]
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9] Session: 'default-sp' not valid because we are not authenticated.
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9] Saved state: '_05f9acd04c5641b32c4790e77aab9b30d50bdcfb58'
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9] Sending SAML 2 AuthnRequest to 'ABCSSO2.0'
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9] Sending message:
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9] <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_05f9acd04c5641b32c4790e77aab9b30d50bdcfb58" Version="2.0" IssueInstant="2016-09-20T17:06:54Z" Destination="https://sso.obscured.domain.com:9443/idp/SSO.saml2" AssertionConsumerServiceURL="https://balloonview.obscured.domain.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9]   <saml:Issuer>ABCToBalloonView</saml:Issuer>
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9]   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9]     <ds:SignedInfo>
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9]       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9]       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9]       <ds:Reference URI="#_05f9acd04c5641b32c4790e77aab9b30d50bdcfb58">
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9]         <ds:Transforms>
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9]           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9]           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9]         </ds:Transforms>
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9]         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9]         <ds:DigestValue>KDknTddelEonYymkEKdYY7FqaEU=</ds:DigestValue>
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9]       </ds:Reference>
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9]     </ds:SignedInfo>
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9]     <ds:SignatureValue>Gian9ysl0yu4fGem8Ii...TRUNCATED...a18krN0fJ/FMjVmOBA==</ds:SignatureValue>
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9]     <ds:KeyInfo>
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9]       <ds:X509Data>
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9]         <ds:X509Certificate>MIIG/jCCBeagAwIBAgI...TRUNCATED...Qd2OoZSN5UG5</ds:X509Certificate>
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9]       </ds:X509Data>
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9]     </ds:KeyInfo>
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9]   </ds:Signature>
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9]   <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9] </samlp:AuthnRequest>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be] Loading state: '_05f9acd04c5641b32c4790e77aab9b30d50bdcfb58'
Sep 20 13:06:55 simplesamlphp ERROR [32a626f7be] SimpleSAML_Error_NoState: NOSTATE
Sep 20 13:06:55 simplesamlphp ERROR [32a626f7be] Backtrace:
Sep 20 13:06:55 simplesamlphp ERROR [32a626f7be] 2 /infra/app/balloons/local/var/httpd/balloons/simplesamlphp/lib/SimpleSAML/Auth/State.php:263 (SimpleSAML_Auth_State::loadState)
Sep 20 13:06:55 simplesamlphp ERROR [32a626f7be] 1 /infra/app/balloons/local/var/httpd/balloons/simplesamlphp/modules/saml/www/sp/saml2-acs.php:78 (require)
Sep 20 13:06:55 simplesamlphp ERROR [32a626f7be] 0 /infra/app/balloons/local/var/httpd/balloons/simplesamlphp/www/module.php:127 (N/A)
Sep 20 13:06:55 simplesamlphp ERROR [32a626f7be] Error report with id a4e8067f generated.
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be] Template: Reading [/infra/app/balloons/local/var/httpd/balloons/simplesamlphp/dictionaries/errors]
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be] Template: Reading [/infra/app/balloons/local/var/httpd/balloons/simplesamlphp/modules/core/dictionaries/no_state]
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be] Received message:
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be] <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="c.2ntWUhg8qlEj-ec8HItvz4nJG" IssueInstant="2016-09-20T17:06:55.279Z" InResponseTo="_05f9acd04c5641b32c4790e77aab9b30d50bdcfb58" Destination="https://balloonview.obscured.domain.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp">
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">ABCSSO2.0</saml:Issuer>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]     <ds:SignedInfo>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]       <ds:Reference URI="#c.2ntWUhg8qlEj-ec8HItvz4nJG">
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]         <ds:Transforms>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]         </ds:Transforms>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]         <ds:DigestValue>qSYPHZgGNvZJY7l/Y4wlb9axToglnXcJUR5uToptV94=</ds:DigestValue>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]       </ds:Reference>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]     </ds:SignedInfo>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]     <ds:SignatureValue>elHBq6oPYHquRPF...TRUNCATED...ZFhRQTubUqBztFjA==</ds:SignatureValue>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]     <ds:KeyInfo>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]       <ds:X509Data>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]         <ds:X509Certificate>MIIFCzCCA/OgAwIBAgIQbbw9BkJYhhCRoLWu51A9nzANBgkqhkiG9w0BAQsFADB+MQswCQYDVQQG
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be] EwJVUzEdMBsGA1UEChMU...TRUNCATED...yWFrP5EqVdtG5QUUiMPKBg1fJOHZ4=</ds:X509Certificate>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]       </ds:X509Data>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]     </ds:KeyInfo>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]   </ds:Signature>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]   <samlp:Status>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]   </samlp:Status>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="R0wo79VnsDI57XpVv1lOC_yp4Fe" IssueInstant="2016-09-20T17:06:55.289Z" Version="2.0">
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]     <saml:Issuer>ABCSSO2.0</saml:Issuer>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]     <saml:Subject>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]       <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">j...@obscured.domain.com</saml:NameID>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]       <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]         <saml:SubjectConfirmationData Recipient="https://balloonview.obscured.domain.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" NotOnOrAfter="2016-09-20T17:11:55.289Z" InResponseTo="_05f9acd04c5641b32c4790e77aab9b30d50bdcfb58"/>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]       </saml:SubjectConfirmation>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]     </saml:Subject>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]     <saml:Conditions NotBefore="2016-09-20T17:01:55.289Z" NotOnOrAfter="2016-09-20T17:11:55.289Z">
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]       <saml:AudienceRestriction>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]         <saml:Audience>ABCToBalloonView</saml:Audience>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]       </saml:AudienceRestriction>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]     </saml:Conditions>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]     <saml:AuthnStatement SessionIndex="R0wo79VnsDI57XpVv1lOC_yp4Fe" AuthnInstant="2016-09-20T17:06:55.289Z">
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]       <saml:AuthnContext>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]         <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]       </saml:AuthnContext>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]     </saml:AuthnStatement>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be]   </saml:Assertion>
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be] </samlp:Response>
===========SIMPLESAMLPHP LOG==============

Jon August

Sep 20, 2016, 3:01:27 PM
to SimpleSAMLphp
I was able to resolve this by setting this option in my config/config.php:

'session.cookie.domain' => '.domain.com',

Not sure why this was an issue on my production machine, but not my test machine...

Problem solved - thanks for looking.

    Jon

Peter Schober

Sep 20, 2016, 6:53:47 PM
to SimpleSAMLphp
* Jon August <jona...@gmail.com> [2016-09-20 21:01]:
> I was able to resolve this by setting this option in my
> config/config.php:
>
> 'session.cookie.domain' => '.domain.com',

This shouldn't be needed for an ordinary deployment of an SSP instance
(e.g. one that's not participating in another, custom SSO "protocol"
based on a shared/common DNS domain).
Changing this as above also has security implications as now every web
server in that shared DNS domain will have access to the cookie (if
visited), even though only a single host/FQDN should need to.
I.e., the fact that this "fixes" your deployment is another indicator
that something is off.
-peter

Jon August

Sep 20, 2016, 9:57:50 PM
to SimpleSAMLphp, peter....@univie.ac.at
That IS troubling.  Do you have any suggestions where I should be checking given the logs and trace I provided?

The actual hostname for the machine is different than the hostname being used by this instance, but the trace seems to show the correct hostname for the cookies...

Jon August

Sep 20, 2016, 10:22:10 PM
to SimpleSAMLphp, peter....@univie.ac.at
Strange.  I changed it back to null and it still works.  Perhaps there was a persistent cookie that was causing problems.

Jaime Perez Crespo

Sep 21, 2016, 4:15:46 AM
to simple...@googlegroups.com
Hi Jon,

On 21 Sep 2016, at 05:22 AM, Jon August <jona...@gmail.com> wrote:
> Strange. I changed it back to null and it still works. Perhaps there was a persistent cookie that was causing problems.

You are having trouble with your session. Apparently you are using the PHP session handler in SimpleSAMLphp, and probably you use it too in your application. You can notice this in both the HTTP trace and the logs. In the SimpleSAMLphp log, the track ID (the 10 character length, hex-encoded pseudo-random number after the log level) is changing every time, while it should be the same along the entire session. In the HTTP trace, you can see the PHPSESSID cookie being set twice by many responses (to different values, of course).

You cannot have the application smash the SimpleSAMLphp session (or the other way around). So either don’t use PHP sessions in SimpleSAMLphp, or fix your configuration so that at least your session cookies are not named the same for both the application and SSP.
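The two indicators Jaime points at in the HTTP trace and the SimpleSAMLphp log (a response that sets PHPSESSID twice, a request that sends it twice, a chain of 302s each minting a fresh session id, and a track ID that changes mid-flow) can be checked mechanically. The script below is an added example for this thread, not code from SimpleSAMLphp or from any of the posters; it runs over a constructed, abridged trace in the shape of the one Jon posted (the session ids and cookie values are made up) and over three lines taken from his log, and reports each symptom of two PHP session handlers fighting over one cookie.

```python
import re
from collections import Counter, OrderedDict

# Constructed sample trace, abridged from the shape of the redirect loop in the
# thread. Session ids and cookie values are made up for this example.
SAMPLE_TRACE = """\
Cookie: _ga=GA1.2.1; PHPSESSID=aaaa1111; PHPSESSID=bbbb2222

HTTP/1.1 302 Found
Set-Cookie: PHPSESSID=aaaa1111; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Set-Cookie: PHPSESSID=cccc3333; path=/; HttpOnly

Cookie: _ga=GA1.2.1; PHPSESSID=aaaa1111; PHPSESSID=cccc3333

HTTP/1.1 302 Found
Set-Cookie: PHPSESSID=aaaa1111; path=/; HttpOnly
Set-Cookie: PHPSESSID=dddd4444; path=/; HttpOnly

Cookie: _ga=GA1.2.1; PHPSESSID=aaaa1111; PHPSESSID=dddd4444

HTTP/1.1 200 OK
Set-Cookie: PHPSESSID=aaaa1111; path=/; HttpOnly
"""

# Three lines abridged from the SimpleSAMLphp log in the thread: the AuthnRequest
# is sent under one track ID and the ACS endpoint runs under another.
SAMPLE_SSP_LOG = """\
Sep 20 13:06:54 simplesamlphp DEBUG [6947a2f2e9] Saved state: '_05f9acd0'
Sep 20 13:06:55 simplesamlphp DEBUG [32a626f7be] Loading state: '_05f9acd0'
Sep 20 13:06:55 simplesamlphp ERROR [32a626f7be] SimpleSAML_Error_NoState: NOSTATE
"""

TRACK_ID = re.compile(r"\b(DEBUG|INFO|NOTICE|WARNING|ERROR)\s+\[([0-9a-f]{10})\]")


def parse_messages(trace):
    """Split the trace on blank lines into messages. A message whose first line
    starts with 'HTTP/' is a response (first line = status line), anything else
    is a request made of header lines only, as in the posted trace.
    Returns a list of (kind, status_line_or_None, [(header_name, value), ...])."""
    messages = []
    for chunk in re.split(r"\n\s*\n", trace.strip()):
        lines = [ln for ln in chunk.splitlines() if ln.strip()]
        is_response = lines[0].startswith("HTTP/")
        status = lines[0] if is_response else None
        headers = []
        for line in (lines[1:] if is_response else lines):
            if ":" in line:
                name, _, value = line.partition(":")
                headers.append((name.strip().lower(), value.strip()))
        messages.append(("response" if is_response else "request", status, headers))
    return messages


def set_cookies(headers):
    """(name, value) of every cookie a response sets, in header order."""
    out = []
    for name, value in headers:
        if name == "set-cookie":
            cname, _, cval = value.split(";", 1)[0].partition("=")
            out.append((cname.strip(), cval.strip()))
    return out


def duplicate_set_cookies(headers):
    """Cookie names one response sets more than once: two writers (the
    application's session and SimpleSAMLphp's) sharing a single cookie name."""
    counts = Counter(n for n, _ in set_cookies(headers))
    return sorted(n for n, c in counts.items() if c > 1)


def duplicate_request_cookies(headers):
    """Cookie names the client sends more than once in the Cookie header."""
    counts = Counter()
    for name, value in headers:
        if name == "cookie":
            for pair in value.split(";"):
                cname = pair.strip().partition("=")[0]
                if cname:
                    counts[cname] += 1
    return sorted(n for n, c in counts.items() if c > 1)


def redirect_loop_length(messages, cookie="PHPSESSID"):
    """Longest run of consecutive 302 responses that each hand out a value of
    `cookie` never seen before: the signature of the loop in the posted trace."""
    run, best, seen = 0, 0, set()
    for kind, status, headers in messages:
        if kind != "response":
            continue
        values = [v for n, v in set_cookies(headers) if n == cookie]
        is_302 = status.split()[1] == "302"
        if is_302 and values and values[-1] not in seen:
            run += 1
            best = max(best, run)
        else:
            run = 0
        seen.update(values)
    return best


def track_ids(log):
    """Distinct SimpleSAMLphp track IDs in order of first appearance. Within one
    login flow they should all be equal; more than one means the SSP session
    was not found again on the next request."""
    seen = OrderedDict()
    for m in TRACK_ID.finditer(log):
        seen.setdefault(m.group(2), None)
    return list(seen)


def diagnose(trace, log):
    """Collect every session-collision symptom found in a trace and a log."""
    messages = parse_messages(trace)
    findings = []
    for i, (kind, _, headers) in enumerate(messages):
        dup = duplicate_set_cookies(headers) if kind == "response" else duplicate_request_cookies(headers)
        if dup:
            findings.append(f"message {i}: {kind} carries {dup} more than once")
    loop = redirect_loop_length(messages)
    if loop > 1:
        findings.append(f"{loop} consecutive 302s each minting a new PHPSESSID")
    ids = track_ids(log)
    if len(ids) > 1:
        findings.append(f"track ID changed within one flow: {ids}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_TRACE, SAMPLE_SSP_LOG):
        print(finding)
```

A clean deployment produces no findings: each response sets the SimpleSAMLphp cookie at most once, the client sends one value per cookie name, and every line of one login flow carries the same track ID. The remedy is the one in Jaime's reply, either a distinct cookie name for SimpleSAMLphp's PHP session or a session store other than PHP sessions; in SimpleSAMLphp's config.php those are, to my knowledge, the `session.phpsession.cookiename` and `store.type` settings.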