Customized name for the sessionid cookie

  • Customized name for the sessionid cookie

    Hi!

    We are using Spring Security SAML 1.0.0.RC2 and opensaml 2.6.1 in an application running on jboss with two instances of the application.

    When we set a customized name for the sessionid cookie in web.xml we get the following stacktrace after authentication:

    org.opensaml.common.SAMLException: InResponseToField doesn't correspond to sent message
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:132)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:81)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
    at no.uio.webapps.minestudier.security.saml.LoggingSAMLProcessingFilter.attemptAuthentication(LoggingSAMLProcessingFilter.java:32)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.


    Is it possible to use a customized name for the sessionid cookie when running two instances of the application?


    -Kaj

  • #2
    Hi!

    This is not a spring-security-saml2-core issue, but a mod_cluster issue, ref https://issues.jboss.org/browse/AS7-4424 and https://access.redhat.com/site/solutions/722053

    The problem was the session wasn't sticky.

    Btw: We also encountered an issue with apache 2.4 and mod_cluster which also made the sessions non-sticky. After downgrading to apache 2.2 our sessions are sticky again.


    -Kaj
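
A simplified model of the failure discussed in this thread, added here as an illustration and not code from the posts, Spring Security SAML or mod_cluster. It assumes the ID of the sent AuthnRequest is kept in a node-local session and that the balancer keys stickiness on one fixed cookie name; the `Node` and `Balancer` classes, the node names and the cookie name `MYAPPSESSIONID` are constructed.

```python
import itertools
import uuid

class Node:
    """One application instance with a node-local (non-replicated) session store."""
    def __init__(self, route):
        self.route = route
        self.sessions = {}          # session id -> ID of the AuthnRequest sent

    def start_sso(self):
        sid = f"{uuid.uuid4().hex}.{self.route}"   # route suffix, as with jvmRoute
        request_id = "_" + uuid.uuid4().hex
        self.sessions[sid] = request_id
        return sid, request_id

    def consume_response(self, sid, in_response_to):
        # The check behind the stack trace: the response must answer a request
        # that this node remembers having sent in this session.
        if self.sessions.get(sid) != in_response_to:
            raise ValueError("InResponseToField doesn't correspond to sent message")
        return "authenticated"

class Balancer:
    """Sticky only when it finds the cookie name it was configured to look for."""
    def __init__(self, nodes, sticky_cookie="JSESSIONID"):
        self.nodes = {n.route: n for n in nodes}
        self.sticky_cookie = sticky_cookie
        self.round_robin = itertools.cycle(nodes)

    def pick(self, cookies):
        route = cookies.get(self.sticky_cookie, "").rpartition(".")[2]
        return self.nodes.get(route) or next(self.round_robin)

def login(app_cookie_name):
    """Run one SSO round trip; return the outcome and the nodes that served it."""
    lb = Balancer([Node("node1"), Node("node2")])
    first = lb.pick({})                           # initial request, no cookie yet
    sid, request_id = first.start_sso()
    second = lb.pick({app_cookie_name: sid})      # browser returns with the response
    try:
        outcome = second.consume_response(sid, request_id)
    except ValueError as exc:
        outcome = str(exc)
    return outcome, first.route, second.route

if __name__ == "__main__":
    print(login("JSESSIONID"))      # balancer recognises the cookie
    print(login("MYAPPSESSIONID"))  # constructed custom name, balancer unaware
```

With the default cookie name both requests reach the same node and the stored request ID matches; with the renamed cookie the response lands on the other node, which has no record of the request.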
