infinite auth loop on acquia with simplesamlphp and drupal


therevi...@gmail.com

Sep 17, 2018, 5:57:44 PM
to SimpleSAMLphp
I have been trying to upgrade our simplesaml 1.10 (yes I know) and I am facing an odd behavior on acquia with simplesaml (tried versions 1.14 to 1.16)

On my local machine using MAMP I get simplesaml to work just fine:
a) I can log in, by clicking log in (on my drupal site), and get the correct auth from my shib server
b) I can go to site/simplesaml and authenticate there

However, the minute the code is deployed to Acquia (we have a multi-domain setup) things are funky. I can still go to site/simplesaml and auth there as part of testing and I can access the metadata, but if I click login my site goes into an infinite loop of authentication; every time I get another session and am redirected to yet another authentication.

I tried comparing my config file with other sites (with similar configurations)
I tried deleting the tmp/sqlite sessions file 
I tried storing the sessions in the drupal DB

I am seeing this in the log, but it makes no sense to me (removed some sensitive information):

response as unsolicited.
Sep 14 20:33:37 simplesamlphp DEBUG [f08ad225bc] Received SAML2 Response from 'https://shibidp-test/idp/shibboleth'.
Sep 14 20:33:37 simplesamlphp DEBUG [f08ad225bc] Has 1 candidate keys for validation.
Sep 14 20:33:37 simplesamlphp DEBUG [f08ad225bc] Validation with key #0 succeeded.
Sep 14 20:33:37 simplesamlphp DEBUG [f08ad225bc] Has 1 candidate keys for validation.
Sep 14 20:33:37 simplesamlphp DEBUG [f08ad225bc] Validation with key #0 failed without exception.
Sep 14 20:33:37 simplesamlphp DEBUG [f08ad225bc] Session: doLogin("SP")
Sep 14 20:33:37 simplesamlphp DEBUG [f08ad225bc] Session: doLogout('SP')
Sep 14 20:33:37 simplesamlphp DEBUG [f08ad225bc] Session: 'SP' not valid because we are not authenticated.
Sep 14 20:33:37 simplesamlphp WARNING [f08ad225bc] The class or interface 'SimpleSAML_Logger' is now using 


I've been down this rabbit hole for months, so any help would be appreciated.

Nate Klingenstein

Sep 17, 2018, 6:15:42 PM
to SimpleSAMLphp
Infinite login loops like that almost always result from cookie issues.  The session cookie that is being set by simpleSAMLphp upon authentication needs to be sent in subsequent requests by the client.  If there is no cookie sent, then the loop continues.

Cookies are bound by domain and you mention that this is a multi-domain situation when you deploy to Acquia, so you'll need to find a way to get the cookie domain to match the protected resource or some other mechanism to convey the information there.  Without knowing more about the full workflow, it's hard to give any more advice.

the review board

Sep 17, 2018, 6:18:24 PM
to simple...@googlegroups.com
In this case 
A why is 1.10 still working?
B is there a way to disable these cookies for testing?
C where are the session cookies stored?
D our workflow, each site has metadata that is registered with the shib service and is working totally fine with the 1.10 configuration 

--
This is a mailing list for users of SimpleSAMLphp, not a support service. If you are willing to buy commercial support, please take a look here:
 
https://simplesamlphp.org/support
 
Before sending your question, make sure it is related to SimpleSAMLphp, and not your web server's configuration or any other third-party software. This mailing list cannot help with software that uses SimpleSAMLphp, only regarding SimpleSAMLphp itself.
 
Make sure to read the documentation:
 
https://simplesamlphp.org/docs/stable/
 
If you have an issue with SimpleSAMLphp that you cannot resolve and reading the documentation doesn't help, you are more than welcome to ask here for help. Subscribe to the list and send an email with your question. However, you will be expected to comply with some minimum, common sense standards in your questions. Please read this carefully:
 
http://catb.org/~esr/faqs/smart-questions.html
---
You received this message because you are subscribed to a topic in the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/simplesamlphp/lso_kCrWOvo/unsubscribe.
To unsubscribe from this group and all its topics, send an email to simplesamlph...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
____________________
Ido Efrati
The Review Board: Brings your game to life.

the review board

Sep 17, 2018, 7:09:54 PM
to simple...@googlegroups.com
Also regarding your workflow comment, what additional information can I share for additional advice?


Nate Klingenstein

Sep 18, 2018, 12:08:14 PM
to simple...@googlegroups.com
The cookie is how simpleSAMLphp associates a web browser with a session.  The cookie is stored in the web browser.

Your best tool will be an HTTP trace that can show the requests sent by the browser and whether they include the cookie, and inspecting the cookie's contents, specifically the path, domain, and Secure or HttpOnly flags.

I would compare the cookie that is being set and sent in your working edition to the cookie that is being set and apparently not sent by the broken version.


It's possible for the cookie to be set successfully, sent, and received by simpleSAMLphp, but for no corresponding session to be found in whatever session storage mechanism you choose.


But, I consider that to be extremely unlikely in this situation since it's uncommon to begin with and it's working fine on your MAMP development machine.
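As an added example (not code from this thread or from SimpleSAMLphp), the following Python script automates the check described above: given the Set-Cookie headers of one response and the Cookie header of the browser's next request, it reports which cookies the browser should have echoed but did not, scoping each cookie by its Domain, Path and Secure attributes the way a browser does (RFC 6265). The sample hostnames and cookie values are constructed placeholders, not the thread's own values.

```python
from urllib.parse import urlsplit

# Constructed sample, modelled on an SP response and the browser's next request;
# hostnames and cookie values are placeholders, not values from the thread.
ORIGIN_HOST = "www.example.org"            # host that sent the Set-Cookie headers
SET_COOKIES = [
    "SimpleSAMLAuthToken=_SOMESTRING; path=/; HttpOnly",
    "SimpleSAMLSessionID=d9992e96; Path=/; Secure; Domain=.example.org",
]
NEXT_URL = "https://www.example.org/saml_login/"
NEXT_COOKIE_HEADER = "NO_CACHE=1; SimpleSAMLAuthToken=_SOMESTRING"


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attr keys lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True   # flags (Secure, HttpOnly) become True
    return name.strip(), value, attrs


def cookie_applies(attrs, origin_host, url):
    """RFC 6265 scoping: would a browser send this cookie with a request to url?"""
    u = urlsplit(url)
    host, path = (u.hostname or "").lower(), u.path or "/"
    domain = attrs.get("domain")
    if not isinstance(domain, str):
        if host != origin_host.lower():        # no Domain attribute: host-only cookie
            return False
    else:
        domain = domain.lstrip(".").lower()
        if host != domain and not host.endswith("." + domain):
            return False
    cpath = attrs["path"] if isinstance(attrs.get("path"), str) else "/"
    if not (path == cpath or (path.startswith(cpath)
            and (cpath.endswith("/") or path[len(cpath)] == "/"))):
        return False
    if attrs.get("secure") and u.scheme != "https":
        return False
    return True


def parse_cookie_header(header):
    """Turn a request Cookie header into a name -> value dict."""
    pairs = (item.strip().partition("=") for item in header.split(";"))
    return {k: v for k, _, v in pairs if k}


def missing_cookies(set_cookies, origin_host, next_url, next_cookie_header):
    """Names of cookies the browser should have echoed on next_url but did not."""
    sent = parse_cookie_header(next_cookie_header)
    parsed = [parse_set_cookie(raw) for raw in set_cookies]
    return [name for name, value, attrs in parsed
            if cookie_applies(attrs, origin_host, next_url) and sent.get(name) != value]
```

A host-only cookie (no Domain attribute) set by one site is never sent to a sibling domain, which is the multi-domain case Nate describes; the script does not report such cookies as missing because the browser is behaving correctly.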



therevi...@gmail.com

Sep 19, 2018, 8:33:15 PM
to SimpleSAMLphp

I used the HTTP trace and cannot see anything out of the ordinary.

I removed some identifying information and some long strings for tokens and such to make it more readable, and also to remove any information since I am posting on a public page.


RelayState: SITE/saml_login/
SAMLResponse: VERY LONG String

Origin: SIBH SERVER URL
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,he;q=0.8
Cookie: NO_CACHE=1; nmstat=1522956725289; _ceir=1; cuwl2famethod="DUO"; hubspotutk=9cd91e32f1db598806c2a297b7ba95fe; _ceg.s=pd6266; _ceg.u=pd6266; _ga=GA1.2.1183118287.1536335791; __hssrc=1; has_js=1; visitor_id95472=89955514; visitor_id95472-hash=7e122fbe08ec35c961be42e455d86bf082b4f30a55dcb92e4f49226360721f8fa6e722c67d380ca6e4b141c2e94087d496d63fda; optimizelyEndUserId=oeu1537380348603r0.2183248286316295; optimizelySegments=%7B%22757067938%22%3A%22direct%22%2C%22778703350%22%3A%22false%22%2C%22781081607%22%3A%22gc%22%2C%22949601412%22%3A%22none%22%7D; optimizelyBuckets=%7B%7D; mp_fe42a3507c097e9a9d1e9f881d833cfb_mixpanel=%7B%22distinct_id%22%3A%20%22165f302760bf68-0acd7e899bdee3-1130685d-13c680-165f302760cbc0%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%7D; cuwltgttime="1537420098"; SESS1a31273c442c48fb2b8785303d79f5c6=HbH2T0Uu2qe-31xdDhIiAgnKbhDZ00yCE-rD9qongdI; SSESS1a31273c442c48fb2b8785303d79f5c6=b4aS-thryRTQMfnSkXCvIhcWOMEk4V0eQ_35v8uebEQ; __hstc=161696355.9cd91e32f1db598806c2a297b7ba95fe.1533738603244.1537396451310.1537402672461.31; __hssc=161696355.4.1537402672461; SimpleSAMLSessionID=d9992e9693bd7653739bb2a0a2672b05; SimpleSAMLAuthToken=_bfde9b8f2ce8ddc698a8f36ddbf6d0a647aa7ed3ff

HTTP/1.1 303 See Other
Age: 0
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Thu, 20 Sep 2018 00:23:25 GMT
Pragma: no-cache
Server: nginx
Set-Cookie: NO_CACHE=1
Set-Cookie: NO_CACHE=1
Set-Cookie: SimpleSAMLAuthToken=_SOMESTRING; path=/; HttpOnly
Via: 1.1 varnish (Varnish/5.2)
X-AH-Environment: test
X-Cache: MISS
X-Request-ID: v-638f3e26-bc6b-11e8-b445-22000ab98c38
X-Varnish: 119027767
Content-Length: 5589
Connection: keep-alive

Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,he;q=0.8
Cookie: simplesamlphp_auth_returnto=https://SITEURL/; nmstat=1522956725289; _ceir=1; cuwl2famethod="DUO"; hubspotutk=9cd91e32f1db598806c2a297b7ba95fe; _ceg.s=pd6266; _ceg.u=pd6266; _ga=GA1.2.1183118287.1536335791; __hssrc=1; has_js=1; visitor_id95472=89955514; visitor_id95472-hash=7e122fbe08ec35c961be42e455d86bf082b4f30a55dcb92e4f49226360721f8fa6e722c67d380ca6e4b141c2e94087d496d63fda; optimizelyEndUserId=oeu1537380348603r0.2183248286316295; optimizelySegments=%7B%22757067938%22%3A%22direct%22%2C%22778703350%22%3A%22false%22%2C%22781081607%22%3A%22gc%22%2C%22949601412%22%3A%22none%22%7D; optimizelyBuckets=%7B%7D; mp_fe42a3507c097e9a9d1e9f881d833cfb_mixpanel=%7B%22distinct_id%22%3A%20%22165f302760bf68-0acd7e899bdee3-1130685d-13c680-165f302760cbc0%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%7D; cuwltgttime="1537420098"; SESS1a31273c442c48fb2b8785303d79f5c6=HbH2T0Uu2qe-31xdDhIiAgnKbhDZ00yCE-rD9qongdI; SSESS1a31273c442c48fb2b8785303d79f5c6=b4aS-thryRTQMfnSkXCvIhcWOMEk4V0eQ_35v8uebEQ; __hstc=161696355.9cd91e32f1db598806c2a297b7ba95fe.1533738603244.1537396451310.1537402672461.31; __hssc=161696355.4.1537402672461; SimpleSAMLSessionID=d9992e9693bd7653739bb2a0a2672b05; SimpleSAMLAuthToken=Same _SOMESTRING as the auth token above

HTTP/1.1 302 Found
Age: 0
Cache-Control: no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Thu, 20 Sep 2018 00:23:25 GMT
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Pragma: no-cache
Server: nginx
Via: 1.1 varnish (Varnish/5.2)
X-AH-Environment: test
X-Cache: MISS
X-Content-Type-Options: nosniff
X-Drupal-Cache: MISS
X-Request-ID: v-639b7d58-bc6b-11e8-8fbf-22000ab98c38
X-Varnish: 119115409
Content-Length: 6795
Connection: keep-alive

GET https://SHIB URL/idp/profile/SAML2/Redirect/SSO?SAMLRequest=STRING&RelayState=https%3A%2F%2F SITE URL %2Fsaml_login%2F
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: https://SHIB SERVER URL/idp/profile/SAML2/Redirect/SSO?SAMLRequest=STRING&RelayState=https%3A%2F%2F SITE URL%2Fsaml_login%2F
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,he;q=0.8
Cookie: JSESSIONID=; shib_idp_session=STRING%; cuwl2famethod="DUO"; hubspotutk=9cd91e32f1db598806c2a297b7ba95fe; _ga=GA1.2.1183118287.1536335791; __hssrc=1; AWSELB=E3B1DB3D140C782A1E4558531E90AA2168374C91CDD0185A2B1302C2DB1CA017CE0BFC6900ECBEAC8897CE1DBE9F79AAC597039E40A48A7433019626561231BB0F810ED5EC; optimizelyEndUserId=oeu1537380348603r0.2183248286316295; optimizelySegments=%7B%22757067938%22%3A%22direct%22%2C%22778703350%22%3A%22false%22%2C%22781081607%22%3A%22gc%22%2C%22949601412%22%3A%22none%22%7D; optimizelyBuckets=%7B%7D; mp_fe42a3507c097e9a9d1e9f881d833cfb_mixpanel=%7B%22distinct_id%22%3A%20%22165f302760bf68-0acd7e899bdee3-1130685d-13c680-165f302760cbc0%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%7D; CUWALastWeblogin=1; cuwltgttime="1537420098"; cuweblogin2=WAAAFDMAAQ3HDOA0Jg+z/QZbM48+VyWg==; __hstc=161696355.9cd91e32f1db598806c2a297b7ba95fe.1533738603244.1537396451310.1537402672461.31; __hssc=161696355.4.1537402672461

HTTP/1.1 200 200
Cache-Control: no-cache, no-store
Content-Type: text/html;charset=UTF-8
Date: Thu, 20 Sep 2018 00:23:26 GMT
Pragma: no-cache
Server: Apache
Set-Cookie: shib_idp_session_ss=STRING%3D;path=/idp;HttpOnly
Strict-Transport-Security: max-age=31536000;includeSubDomains
transfer-encoding: chunked
Connection: keep-alive
 

Nate Klingenstein

Sep 20, 2018, 1:30:26 PM
to simple...@googlegroups.com
I don't see anything immediately wrong in the trace (beyond the looping), so maybe session lookup is failing at the SP, or maybe the application is requesting authentication again for some reason, or maybe the IdP is sending different attributes to the hosted version -- there are a lot of possibilities.  I'd carefully examine differences in the SSP logs in your MAMP edition and the Acquia edition next, I guess.


the review board

Sep 20, 2018, 1:33:43 PM
to simple...@googlegroups.com
Didn't see anything in the logs besides the stuff I already shared.
The IdP claims to send the correct stuff per their testing.

Since I am able to go to site/simplesaml and authenticate there against the SP, I think that means that the configuration is correct and that it is only happening on Acquia.

are there any other logs I can check? I am lost :\

Anil Mamidi

Oct 3, 2018, 10:53:44 AM
to SimpleSAMLphp
Mostly an issue with the session cookie. Please make sure to maintain unique session attributes for each environment.