By: Lindsay Weir user 27 Jul 2022 at 8:56 p.m. CDT

14 Responses
Setting up a Trust Relationship: I have imported the SP metadata file, and the configuration has been validated and is currently active. If I click "Download Shibboleth3 configuration files" it downloads a file "shibboleth3-configuration.zip", 1.5MB in size, but it cannot be unzipped. In /opt/gluu/jetty/identity/logs/oxtrust.log we can see the following:

```
2022-07-28 01:00:54,273 ERROR [qtp1364913072-615] [org.gluu.jsf2.io.ResponseHelper] (ResponseHelper.java:110) - Failed to add file 783d238f-80ff-4ae5-88aa-278fdc91aa7b-sp-metadata.crt to zip archive
2022-07-28 01:00:54,273 ERROR [qtp1364913072-615] [org.gluu.oxtrust.action.UpdateTrustRelationshipAction] (UpdateTrustRelationshipAction.java:851) - Failed to add /opt/shibboleth-idp/ssl/783d238f-80ff-4ae5-88aa-278fdc91aa7b-sp-metadata.crt to zip
```

By Lindsay Weir user 27 Jul 2022 at 9:01 p.m. CDT

```
[root@idp-dev shibboleth-idp]# pwd
/opt/shibboleth-idp
[root@idp-dev shibboleth-idp]# ls
bin  conf  credentials  doc  flows  lib  LICENSE.txt  logs  messages  metadata  sp  system  temp_metadata  views  webapp
```

There does not appear to be an 'ssl' directory.

By Mohib Zico staff 27 Jul 2022 at 9:27 p.m. CDT

The "Download Shibboleth3 configuration files" feature is obsolete and will be deleted from Gluu very soon. Why do you need those files anyway?

By Lindsay Weir user 27 Jul 2022 at 11:01 p.m. CDT

The idp-metadata.xml file is used to load back into the Tableau configuration to complete the trust relationship.

By Mohib Zico staff 27 Jul 2022 at 11:03 p.m. CDT

IDP's metadata is not inside that zip file. You can load your IDP's metadata from `https://<Gluu_server>/idp/shibboleth` OR from file system: `~inside_container/opt/shibboleth-idp/metadata`.

By Lindsay Weir user 27 Jul 2022 at 11:09 p.m. CDT

Under Gluu 3.X we used to have the following in the .zip file:

```
shibboleth3-configuration % ls
README_SP.pdf  README_SP_windows.pdf  attribute-map.xml  idp-metadata.xml  shibboleth2.xml  sp-metadata.xml
```

You can see the idp-metadata.xml file. Let me look at your two suggestions for retrieving the metadata. As long as I can retrieve it, I will be happy either way. Thanks

By Lindsay Weir user 29 Jul 2022 at 8:02 a.m. CDT

I was able to download the file from the server and import it. Now I get a 500 error and the following in the logs:

```
==> idp-process.log <==
2022-07-29 01:35:27,463 - 10.92.81.74 - ERROR [org.springframework.webflow.execution.repository.NoSuchFlowExecutionException:91] - org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s1' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.
    at org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.getConversation(AbstractFlowExecutionRepository.java:172)
Caused by: org.springframework.webflow.conversation.NoSuchConversationException: No conversation could be found with id '1' -- perhaps this conversation has ended?
    at org.springframework.webflow.conversation.impl.ConversationContainer.getConversation(ConversationContainer.java:126)
```

```
==> idp-warn.log <==
2022-07-29 01:35:27,463 - 10.92.81.74 - ERROR [org.springframework.webflow.execution.repository.NoSuchFlowExecutionException:91] - org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s1' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.
    at org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.getConversation(AbstractFlowExecutionRepository.java:172)
    at org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.getLock(AbstractFlowExecutionRepository.java:125)
    at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:164)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: org.springframework.webflow.conversation.NoSuchConversationException: No conversation could be found with id '1' -- perhaps this conversation has ended?
    at org.springframework.webflow.conversation.impl.ConversationContainer.getConversation(ConversationContainer.java:126)
    at org.springframework.webflow.conversation.impl.SessionBindingConversationManager.getConversation(SessionBindingConversationManager.java:117)
```

By Mohib Zico staff 29 Jul 2022 at 11:40 a.m. CDT

```
NoSuchFlowExecutionException: No flow execution could be found with key 'e1s1' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.
```

That might depend on a lot of things:

- What type of Gluu Server are you using? Is it clustered? Is it k8s? Is it just CE? Any type of load balancer in front of it? Any proxy server involved?
- What type of oxAuth authentication method are you using? See the "Manage Authentication" section of Gluu Server.
- Does your Gluu Server have full access (network access) to the SP and vice versa?

By Lindsay Weir user 29 Jul 2022 at 2:44 p.m. CDT

It is a standalone Gluu 4.4.0 installation on CentOS 7.8 (Community Edition). No load balancer in front of the Gluu server, and no proxy.

oxTrust authentication mode: simple_password_auth (which is the default). I have the Authentication mode set to my custom script that we were using under 3.X, but with the library names updated.

Yes, both the Gluu server and the SP are on the same network and have full network protocol access between nodes.

By Mohib Zico staff 29 Jul 2022 at 9:50 p.m. CDT

> I have the Authentication mode: set to my custom script that we were using under 3.X but updated the library names.

Change it to the default "simple_password_auth" and see if anything changes or not. If that doesn't change anything, check for any indication in idp-process.log and oxauth.log. You can set them to DEBUG if you want.

By Lindsay Weir user 30 Jul 2022 at 9:01 a.m. CDT

Changed it to the default "simple_password_auth". This failed as well.

oxauth.log:

```
Caused by: org.gluu.persist.exception.operation.SearchException: Failed to lookup entry by DN: 'oxId=8d2cf515-6e32-4072-9dbd-6d0a14b5a34e,ou=sessions,o=gluu'
    at org.gluu.persist.ldap.operation.impl.LdapOperationServiceImpl.lookupImpl(LdapOperationServiceImpl.java:629) ~[gluu-orm-ldap-4.4.0.Final.jar:?]
    at org.gluu.persist.ldap.operation.impl.LdapOperationServiceImpl.lookup(LdapOperationServiceImpl.java:605) ~[gluu-orm-ldap-4.4.0.Final.jar:?]
    at org.gluu.persist.ldap.impl.LdapEntryManager.find(LdapEntryManager.java:399) ~[gluu-orm-ldap-4.4.0.Final.jar:?]
    ... 93 more
2022-07-30 13:41:37,176 ERROR [qtp934275857-67] [org.gluu.oxauth.service.SessionIdService] (SessionIdService.java:793) - Failed to get session by dn: oxId=8d2cf515-6e32-4072-9dbd-6d0a14b5a34e,ou=sessions,o=gluu
org.gluu.persist.exception.EntryPersistenceException: Failed to find entry: oxId=8d2cf515-6e32-4072-9dbd-6d0a14b5a34e,ou=sessions,o=gluu
```

idp-process.log:

```
2022-07-30 13:42:40,199 - 10.92.81.74 - ERROR [org.springframework.webflow.execution.repository.NoSuchFlowExecutionException:91] - org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s1' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.
    at org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.getConversation(AbstractFlowExecutionRepository.java:172)
Caused by: org.springframework.webflow.conversation.NoSuchConversationException: No conversation could be found with id '1' -- perhaps this conversation has ended?
    at org.springframework.webflow.conversation.impl.ConversationContainer.getConversation(ConversationContainer.java:126)
```

How do I set it to DEBUG mode?

By Lindsay Weir user 30 Jul 2022 at 9:50 a.m. CDT

I turned on DEBUG and emailed you the two logs.

By Lindsay Weir user 01 Aug 2022 at 10:16 a.m. CDT

Were you able to see anything from the DEBUG logs provided?

By Mohib Zico staff 14 Aug 2022 at 9:33 p.m. CDT

Hi, I checked your log and two things are interesting:

1.

```
Profile Action SelectAuthenticationFlow: Selecting inactive authentication flow authn/oxAuth
```

Question: What kind of authentication flow does this SP want? Is it IDP-initiated Single Sign-On?

2.

```
Failed to lookup entry by DN: 'oxId=8d2cf515-6e32-4072-9dbd-6d0a14b5a34e,ou=sessions,o=gluu'
```

This SP is certainly depending on an old session to log in, which shouldn't be the normal flow. Can you please share a full recorded screencast?

By Lindsay Weir user 17 Aug 2022 at 6:45 a.m. CDT

How do you want the screencast recorded? Do you have something to do the recording you need?

This is Tableau-initiated: the user connects to Tableau, and that is redirected to the Gluu IDP. For this scenario, I am just using the same simple_password_auth (to eliminate any issues with my own script). I hit my URL endpoint for Tableau: https://analytics-dev.work.local/access/

I have included all the log outputs from the logs in the /opt/shibboleth-idp/logs directory (shibboleth.log). I also included the output from Chrome for the session (More Tools -> Developer -> Network), exported as analytics-dev.work.local.har. This can be loaded into Chrome in the Developer -> Network screen: click on the up arrow on the right-hand side under the 'y' in Memory above.

I have provided Zico the images and log files associated with this since I can't attach them to the ticket.