ACSPARAMS intermittent issue in Internet Explorer


David Alexander

Aug 29, 2017, 1:56:08 AM
to SimpleSAMLphp

Hi,

I'm running into an intermittent error in Internet Explorer with a SimpleSAMLphp 1.14.14 Service Provider.  I included the simplesamlphp.log file entry below.

In the environment where I am seeing this error, there are limitations on capturing a SAML or Fiddler trace, so I do not have detailed debugging for what happens immediately before the GET request to the ACS URL.  

This error only seems to be occurring in Internet Explorer, and unfortunately for this application, IE support is a requirement.

This is the closest bug report to what I am seeing https://stackoverflow.com/questions/36655953/simplesamlphp-ssp-random-errors-how-to-change-backend-store, but in this case the SP app is very simple and is not creating a session.

Is anyone else seeing this issue?  Are there any recommended debugging steps?

Thanks,
Dave


Aug 28 18:02:36 simplesamlphp DEBUG [96ce375006] Template: Reading [/var/simplesamlphp/dictionaries/errors]

Aug 28 18:02:36 simplesamlphp WARNING [96ce375006] Unable to find the SAML 2 binding used for this request.array (

)

Aug 28 18:02:36 simplesamlphp WARNING [96ce375006] Request method: 'GET'array (

)

Aug 28 18:02:36 simplesamlphp ERROR [96ce375006] SimpleSAML_Error_Error: ACSPARAMS

Aug 28 18:02:36 simplesamlphp ERROR [96ce375006] Backtrace:

Aug 28 18:02:36 simplesamlphp ERROR [96ce375006] 1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:31 (require)

Aug 28 18:02:36 simplesamlphp ERROR [96ce375006] 0 /var/simplesamlphp/www/module.php:137 (N/A)

Aug 28 18:02:36 simplesamlphp ERROR [96ce375006] Caused by: Exception: Unable to find the current binding.

Aug 28 18:02:36 simplesamlphp ERROR [96ce375006] Backtrace:

Aug 28 18:02:36 simplesamlphp ERROR [96ce375006] 2 /var/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Binding.php:97 (SAML2_Binding::getCurrentBinding)

Aug 28 18:02:36 simplesamlphp ERROR [96ce375006] 1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:16 (require)

Aug 28 18:02:36 simplesamlphp ERROR [96ce375006] 0 /var/simplesamlphp/www/module.php:137 (N/A)

Aug 28 18:02:36 simplesamlphp ERROR [96ce375006] Error report with id fcd352c9 generated.

Peter Schober

Aug 30, 2017, 6:56:13 AM
to SimpleSAMLphp
* David Alexander <idminte...@gmail.com> [2017-08-29 07:56]:
> In the environment where I am seeing this error, there are limitations on
> capturing a SAML or Fiddler trace, so I do not have detailed debugging for
> what happens immediately before the GET request to the ACS URL.
[...]
> Aug 28 18:02:36 simplesamlphp WARNING [96ce375006] Unable to find the SAML
> 2 binding used for this request.array (
>
> )
>
> Aug 28 18:02:36 simplesamlphp WARNING [96ce375006] Request method:
> 'GET'array (
>
> )

Looking at the code in
./vendor/simplesamlphp/saml2/src/SAML2/Binding.php and
./modules/saml/www/sp/saml2-acs.php it seems that that last log line
should contain any HTTP GET or HTTP POST parameters, which is where
received SAML protocol messages would be found.

Obviously there's no message there, hence SSP cannot continue.
(The error message may be a bit misleading.)

So it seems something prevents the web browser from sending the SAML
protocol messages correctly to the SP.

Since you mention MS-IE and "intermittent" is there any pattern to
those errors? E.g. it's known that (at least at some point) when
clicking on URLs embedded in MS-Office documents there's an "internal"
browser started with the URL, and only later is control passed on to
the proper MS-IE running on that machine (or something like that; I
don't have any M$ systems to test with). So URLs from MS-Office
documents would be one red flag here.

Either way, all SSP sees is a broken/incomplete request, there's
nothing SSP can do about it.

-peter
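
One way to check whether these failures follow a pattern is to group the log by tracking ID and bucket the ACSPARAMS errors by hour. This is an added example, not part of the original thread or of SimpleSAMLphp; it assumes the log line format of the excerpt posted above, and the sample entries other than 96ce375006 are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the excerpt posted in this thread;
# the entries for aaaaaaaaaa and bbbbbbbbbb are made up for illustration.
SAMPLE_LOG = """\
Aug 28 18:02:36 simplesamlphp WARNING [96ce375006] Request method: 'GET'array (
)
Aug 28 18:02:36 simplesamlphp ERROR [96ce375006] SimpleSAML_Error_Error: ACSPARAMS
Aug 28 18:05:10 simplesamlphp DEBUG [aaaaaaaaaa] Template: Reading [/var/simplesamlphp/dictionaries/errors]
Aug 28 19:41:02 simplesamlphp WARNING [bbbbbbbbbb] Request method: 'GET'array (
)
Aug 28 19:41:02 simplesamlphp ERROR [bbbbbbbbbb] SimpleSAML_Error_Error: ACSPARAMS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) simplesamlphp "
    r"(?P<level>[A-Z]+) \[(?P<track>[0-9a-f]+)\] (?P<msg>.*)$"
)
METHOD_RE = re.compile(r"Request method: '([A-Z]+)'")


def acsparams_failures(log_text):
    """Return one record per tracking ID whose request ended in ACSPARAMS."""
    requests = defaultdict(lambda: {"ts": None, "method": None, "failed": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines, e.g. the bare ")" closing a dump
        rec = requests[m["track"]]
        rec["ts"] = rec["ts"] or m["ts"]  # keep the first timestamp seen
        method = METHOD_RE.search(m["msg"])
        if method:
            rec["method"] = method.group(1)
        if "SimpleSAML_Error_Error: ACSPARAMS" in m["msg"]:
            rec["failed"] = True
    return [
        {"track": t, "ts": r["ts"], "method": r["method"]}
        for t, r in requests.items() if r["failed"]
    ]


def failures_by_hour(records):
    """Count failures per 'Mon DD HH' bucket to expose time-of-day patterns."""
    return Counter(r["ts"].rsplit(":", 2)[0] for r in records)
```

The timestamps of the failing tracking IDs can then be matched against the web server access log to compare User-Agent and Referer values across failures.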

David Alexander

Sep 1, 2017, 11:33:45 AM
to SimpleSAMLphp, peter....@univie.ac.at
Hi Peter,

Thanks for the reply.  We were able to capture a Fiddler trace of this issue.  It's a bit hard to scrub the data to be able to post it to the list, but the feedback I am receiving is that it is an issue with not having must-revalidate cache settings. 

The question is whether it is sufficient to have those settings in the script triggering the SP or if it is something that needs to be set for SimpleSAMLphp itself.  We are doing some testing now with the "no cache" settings just in the SP script.

I am also curious if using an alternative session store like memcache might help.

From the data I have, it's not completely clear that this is an issue with SimpleSAMLphp.  The issue happens intermittently and only seems to happen in the Internet Explorer browser.  Either the browser or IdP (FIM) is getting confused and sending the GET request, but I'm curious if there are any possible solutions on the SimpleSAMLphp side.

Dave

Jaime Perez Crespo

Sep 1, 2017, 11:40:16 AM
to simple...@googlegroups.com
Hi David,

Your feedback is highly appreciated. We’ve been observing errors like this (or similar) for a long time, without a clue on what could be triggering them. Now it looks like you are on track to find a possible reason, likely due to a bug in IE. In any case, please keep us posted with any findings or possible remediations, just in case there’s something we can do in SimpleSAMLphp to avoid it.
--
Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
