idP intermittent state resume issue
60 views
Skip to first unread message
huwi...@champlain.edu
Nov 21, 2024, 11:24:23 AM11/21/24
to SimpleSAMLphp
Hello SimpleSAMLphp group,
I'm having a weird issue with my custom idP module. Ever since upgrading to v2 (running 2.1.1 and in the process of upgrading to 2.3.2), SSP fails to sign in 0.006% of the time. I've been unable to isolate the problem, so any ideas would be much appreciated.
More info:
The resume code in /modules/canvas/src/Auth/Source/External.php looks like this:
$state = Auth\State::loadState($_REQUEST['State'], 'canvas:External', true);
$source = $state ? Auth\Source::getById($state['canvas:AuthID']) : null;
if ($source === null) {
header('Location: https://<our server>/samlstateerror');
exit;
}
Over the past 1,500,000 sign-ins, 86 have ended up on this samlstateerror page. To make matters worse, signing out + destroying PHP sessions doesn't fix the problem. The problem will repeat for these users until they attempt to sign-in on a different device.
On the authentication page side, we use the SP SDK to authenticate to Google, merge sessions and redirect back to the idP:
if (session_status() === PHP_SESSION_NONE) session_start();
$as = new \SimpleSAML\Auth\Simple('champlain-sp');
$as->requireAuth();
...
SimpleSAML\Session::getSessionFromRequest()->cleanup();
redirect to idP using returnTo param saved in session
More info:
The resume code in /modules/canvas/src/Auth/Source/External.php looks like this:
$state = Auth\State::loadState($_REQUEST['State'], 'canvas:External', true);
$source = $state ? Auth\Source::getById($state['canvas:AuthID']) : null;
if ($source === null) {
header('Location: https://<our server>/samlstateerror');
exit;
}
Over the past 1,500,000 sign-ins, 86 have ended up on this samlstateerror page. To make matters worse, signing out + destroying PHP sessions doesn't fix the problem. The problem will repeat for these users until they attempt to sign-in on a different device.
On the authentication page side, we use the SP SDK to authenticate to Google, merge sessions and redirect back to the idP:
if (session_status() === PHP_SESSION_NONE) session_start();
$as = new \SimpleSAML\Auth\Simple('champlain-sp');
$as->requireAuth();
...
SimpleSAML\Session::getSessionFromRequest()->cleanup();
redirect to idP using returnTo param saved in session
Again, thank you in advance for any ideas!
Matt
huwi...@champlain.edu
Nov 22, 2024, 12:55:18 PM11/22/24
to SimpleSAMLphp
In case it helps, I was able to capture the SimpleSamlPHP session info from an affected user. This is all that exists in $_SESSION for these users.
[SimpleSAMLphp_SESSION] => O:18:"SimpleSAML\Session":10:{s:9:"sessionId";s:26:"golj1danppdtajvattvj784309";s:9:"transient";b:0;s:7:"trackid";s:10:"09f784879d";s:16:"rememberMeExpire";N;s:5:"dirty";b:0;s:19:"callback_registered";b:0;s:9:"dataStore";a:0:{}s:12:"associations";a:0:{}s:9:"authToken";N;s:8:"authData";a:0:{}}
[SimpleSAMLphp_SESSION] => O:18:"SimpleSAML\Session":10:{s:9:"sessionId";s:26:"golj1danppdtajvattvj784309";s:9:"transient";b:0;s:7:"trackid";s:10:"09f784879d";s:16:"rememberMeExpire";N;s:5:"dirty";b:0;s:19:"callback_registered";b:0;s:9:"dataStore";a:0:{}s:12:"associations";a:0:{}s:9:"authToken";N;s:8:"authData";a:0:{}}
huwi...@champlain.edu
Dec 12, 2024, 3:19:20 PM12/12/24
to SimpleSAMLphp
FYI in case someone else runs into this. The intermittent state resume bug was fixed by changing ...
$state = Auth\State::loadState($_REQUEST['State'], 'canvas:External', true);
... to ...
$state = Auth\State::loadState($_REQUEST['State'], 'canvas:External');
Before this change, I tried playing with session.* settings and separating our sp and idp installations using distinct session.cookie.name values. These changes only seemed to exacerbate the issue. Removing the true as the loadState third argument was finally what seems to have fixed the problem.
Reply all
Reply to author
Forward
0 new messages