Bug 39727 - Single sign-on failover has long timeouts if a server is not reachable
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: SAML
UCS 4.1
Other Linux
Importance: P5 normal
Reported: 2015-11-03 13:42 CET by Erik Damrose
Modified: 2019-01-03 07:18 CET (History)
Description Erik Damrose univentionstaff 2015-11-03 13:42:14 CET
I tested various failover scenarios at Bug #39399. If an IdP server is not reachable, the single sign-on has very long timeouts (usually longer than 30 seconds). This is a bad user experience. Internal timeouts could be lowered, or session information could not be replicated to unavailable servers.


= Scenario 1: SSO session on master
=> If I shut down the master, login to the backup UMC via SSO takes a very long time. Note the ~36 second gap in the syslog below.

= Scenario 2:
- SSO session on master + backup (i.e. login to both with SSO)
- shut down the master
- new browser window to backup.ucs.local/umc
=> UMC login dialog, 30 seconds of 'loading' animation in the Chromium tab bar, then the UMC login text fields show. Interestingly, the syslog shows a UMC SAML login, but I never get redirected to the UMC itself. If I click on SSO Login, I get logged in after waiting for an additional 15 seconds.

= Scenario 3:
- shut down the master
- try SSO on the backup
=> More than 10 seconds until the ucs-sso page loads; errors in syslog while trying to contact memcache on the master. After entering credentials: the browser hangs for more than 30 seconds (while trying to contact the memcache server on the master, with PHP syslog tracebacks).

= Scenario 1 syslog:
Nov  2 16:59:13 backup univention-saml-stunnel: LOG3[14]: s_connect: connect 10.200.29.50:11212: No route to host (113)
Nov  2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/master.ucs.local.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
Nov  2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] Backtrace:
Nov  2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] 9 /usr/share/simplesamlphp/www/_include.php:70 (SimpleSAML_error_handler)
Nov  2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] 8 [builtin] (MemcachePool::get)
Nov  2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] 7 /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php:41 (SimpleSAML_Memcache::get)
Nov  2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] 6 /usr/share/simplesamlphp/lib/SimpleSAML/Store/Memcache.php:28 (SimpleSAML_Store_Memcache::get)
Nov  2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] 5 /usr/share/simplesamlphp/lib/SimpleSAML/SessionHandlerStore.php:38 (SimpleSAML_SessionHandlerStore::loadSession)
Nov  2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] 4 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:1104 (SimpleSAML_Session::getSession)
Nov  2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] 3 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:221 (SimpleSAML_Session::getSessionFromRequest)
Nov  2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] 2 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/State.php:215 (SimpleSAML_Auth_State::loadState)
Nov  2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] 1 /usr/share/simplesamlphp/modules/core/www/loginuserpass.php:24 (require)
Nov  2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] 0 /usr/share/simplesamlphp/www/module.php:134 (N/A)
Nov  2 16:59:13 backup simplesamlphp[5177]: 5 STAT [d3b81b0048] User 'Administrator' has been successfully authenticated.
Nov  2 16:59:13 backup simplesamlphp[5177]: 5 STAT [d3b81b0048] saml20-idp-SSO-first https://backup.ucs.local/univention-management-console/saml/metadata https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php NA
Nov  2 16:59:13 backup simplesamlphp[5177]: 5 STAT [d3b81b0048] saml20-idp-SSO https://backup.ucs.local/univention-management-console/saml/metadata https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php NA
Nov  2 16:59:49 backup python2.7: Loaded metadata from "/usr/share/univention-management-console/saml/idp/ucs-sso.ucs.local.xml"
Nov  2 16:59:49 backup python2.7: SAML assertion issuer is https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php
Nov  2 16:59:49 backup python2.7: SAML assertion audience https://backup.ucs.local/univention-management-console/saml/metadata
Nov  2 16:59:49 backup python2.7: SAML assertion condition NotBefore = 1446479923 (2015-11-02T15:58:43Z)
Nov  2 16:59:49 backup python2.7: SAML assertion condition NotOnOrAfter = 1446480253 (2015-11-02T16:04:13Z)
Nov  2 16:59:49 backup python2.7: SAML assertion AuthnStatement AuthnInstant = 1446479953
Nov  2 16:59:49 backup python2.7: SAML assertion AuthnStatement SessionNotOnOrAfter = 1446508753
Nov  2 16:59:49 backup python2.7: assertion contains urn:oid:0.9.2342.19200300.100.1.1; searching for urn:oid:0.9.2342.19200300.100.1.1

= Scenario 2 syslog:
Nov  2 17:17:01 backup /USR/SBIN/CRON[4446]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Nov  2 17:17:23 backup univention-saml-stunnel: LOG3[7]: s_connect: connect 10.200.29.50:11212: No route to host (113)
Nov  2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/master.ucs.local.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
Nov  2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] Backtrace:
Nov  2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 11 /usr/share/simplesamlphp/www/_include.php:70 (SimpleSAML_error_handler)
Nov  2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 10 [builtin] (MemcachePool::get)
Nov  2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 9 /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php:41 (SimpleSAML_Memcache::get)
Nov  2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 8 /usr/share/simplesamlphp/lib/SimpleSAML/Store/Memcache.php:28 (SimpleSAML_Store_Memcache::get)
Nov  2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 7 /usr/share/simplesamlphp/lib/SimpleSAML/SessionHandlerStore.php:38 (SimpleSAML_SessionHandlerStore::loadSession)
Nov  2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 6 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:1104 (SimpleSAML_Session::getSession)
Nov  2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 5 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:221 (SimpleSAML_Session::getSessionFromRequest)
Nov  2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 4 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/Simple.php:50 (SimpleSAML_Auth_Simple::isAuthenticated)
Nov  2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 3 /usr/share/simplesamlphp/lib/SimpleSAML/IdP.php:249 (SimpleSAML_IdP::isAuthenticated)
Nov  2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 2 /usr/share/simplesamlphp/lib/SimpleSAML/IdP.php:382 (SimpleSAML_IdP::handleAuthenticationRequest)
Nov  2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 1 /usr/share/simplesamlphp/modules/saml/lib/IdP/SAML2.php:389 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
Nov  2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 0 /usr/share/simplesamlphp/www/saml2/idp/SSOService.php:18 (N/A)
Nov  2 17:17:23 backup simplesamlphp[4449]: 5 STAT [51a1e804ad] saml20-idp-SSO https://backup.ucs.local/univention-management-console/saml/metadata https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php NA
Nov  2 17:17:59 backup python2.7: Loaded metadata from "/usr/share/univention-management-console/saml/idp/ucs-sso.ucs.local.xml"
Nov  2 17:17:59 backup python2.7: SAML assertion issuer is https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php
Nov  2 17:17:59 backup python2.7: SAML assertion audience https://backup.ucs.local/univention-management-console/saml/metadata
Nov  2 17:17:59 backup python2.7: SAML assertion condition NotBefore = 1446481013 (2015-11-02T16:16:53Z)
Nov  2 17:17:59 backup python2.7: SAML assertion condition NotOnOrAfter = 1446481343 (2015-11-02T16:22:23Z)
Nov  2 17:17:59 backup python2.7: SAML assertion AuthnStatement AuthnInstant = 1446480664
Nov  2 17:17:59 backup python2.7: SAML assertion AuthnStatement SessionNotOnOrAfter = 1446509843
Nov  2 17:17:59 backup python2.7: assertion contains urn:oid:0.9.2342.19200300.100.1.1; searching for urn:oid:0.9.2342.19200300.100.1.1
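The delay described in the report is visible in the syslog as the gap between the IdP's final "saml20-idp-SSO" statistics line and the first UMC line ("Loaded metadata from ...") that processes the returned assertion, with stunnel "No route to host" and MemcachePool errors logged in between. The script below is an added example for this page, not UCS or SimpleSAMLphp code: it parses syslog lines of that shape, measures each IdP-to-SP hand-off, and correlates slow hand-offs with unreachable session-store backends. Assumptions made here: the year (absent from syslog timestamps) is fixed to 2015 for the sample, "Loaded metadata from" is taken as the start of SP-side processing, and a hand-off over 5 seconds counts as slow; the sample input is a subset of the Scenario 1 lines from the report.

```python
"""Spot slow SSO hand-offs that coincide with an unreachable session store.

Added example for this bug report; not UCS or SimpleSAMLphp code.
"""
import re
from datetime import datetime

# Syslog timestamps carry no year; this value is an assumption for the sample.
ASSUMED_YEAR = 2015

# Constructed input: a subset of the Scenario 1 syslog lines from the report.
SAMPLE_SYSLOG = """\
Nov  2 16:59:13 backup univention-saml-stunnel: LOG3[14]: s_connect: connect 10.200.29.50:11212: No route to host (113)
Nov  2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/master.ucs.local.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
Nov  2 16:59:13 backup simplesamlphp[5177]: 5 STAT [d3b81b0048] User 'Administrator' has been successfully authenticated.
Nov  2 16:59:13 backup simplesamlphp[5177]: 5 STAT [d3b81b0048] saml20-idp-SSO-first https://backup.ucs.local/univention-management-console/saml/metadata https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php NA
Nov  2 16:59:13 backup simplesamlphp[5177]: 5 STAT [d3b81b0048] saml20-idp-SSO https://backup.ucs.local/univention-management-console/saml/metadata https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php NA
Nov  2 16:59:49 backup python2.7: Loaded metadata from "/usr/share/univention-management-console/saml/idp/ucs-sso.ucs.local.xml"
Nov  2 16:59:49 backup python2.7: SAML assertion issuer is https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php
"""

# "Mon  D HH:MM:SS host prog[pid]: text"
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^\s:\[]+)(?:\[\d+\])?: (.*)$")
STUNNEL_RE = re.compile(r"s_connect: connect (\S+): (No route to host|Connection refused|Connection timed out)")
MEMCACHE_RE = re.compile(r"MemcachePool::\w+\(\): Server (\S+) \(tcp \d+, udp \d+\) failed with: (.*) \(\d+\)$")
# The trailing space keeps the earlier 'saml20-idp-SSO-first' line from matching.
IDP_SSO_RE = re.compile(r"STAT \[(\w+)\] saml20-idp-SSO ")
SP_START = "Loaded metadata from "  # assumed marker for the start of UMC-side processing


def parse_syslog(text):
    """Return (timestamp, host, program, message) tuples; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = re.sub(r"\s+", " ", m.group(1))
        when = datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        entries.append((when, m.group(2), m.group(3), m.group(4)))
    return entries


def backend_failures(entries):
    """Backends the IdP host could not reach: stunnel TCP targets and failed memcache servers."""
    tcp, sockets = set(), {}
    for _, _, _, msg in entries:
        m = STUNNEL_RE.search(msg)
        if m:
            tcp.add(m.group(1))
        m = MEMCACHE_RE.search(msg)
        if m:
            sockets[m.group(1)] = m.group(2)
    return {"stunnel": sorted(tcp), "memcache": sockets}


def handoff_gaps(entries):
    """Pair each IdP SSO response with the next SP line and report the wait in seconds."""
    gaps, pending = [], None
    for when, _, _, msg in entries:
        m = IDP_SSO_RE.search(msg)
        if m:
            pending = (when, m.group(1))  # last IdP response wins
        elif msg.startswith(SP_START) and pending and when >= pending[0]:
            gaps.append({"track": pending[1], "idp_at": pending[0], "sp_at": when,
                         "seconds": (when - pending[0]).total_seconds()})
            pending = None
    return gaps


def analyze(text, slow_after=5.0):
    """Summarise one log excerpt; 'degraded' means a slow hand-off coincided with backend errors."""
    entries = parse_syslog(text)
    gaps = handoff_gaps(entries)
    failures = backend_failures(entries)
    slow = [g for g in gaps if g["seconds"] > slow_after]
    degraded = bool(slow) and bool(failures["stunnel"] or failures["memcache"])
    return {"gaps": gaps, "slow": slow, "failures": failures, "degraded": degraded}


if __name__ == "__main__":
    report = analyze(SAMPLE_SYSLOG)
    for g in report["gaps"]:
        print(f"track {g['track']}: IdP {g['idp_at']:%H:%M:%S} -> SP {g['sp_at']:%H:%M:%S} = {g['seconds']:.0f}s")
    print("unreachable via stunnel:", report["failures"]["stunnel"])
    print("failed memcache servers:", report["failures"]["memcache"])
    print("degraded:", report["degraded"])
```

Run against the sample it reports a 36 second hand-off for track d3b81b0048 together with the unreachable stunnel target 10.200.29.50:11212 and the failed memcache socket for master.ucs.local, which is exactly the pattern the reporter describes. Fed a full /var/log/syslog from the IdP host, the same pairing logic will show whether each slow login lines up with a session-store backend that is down, which is the evidence needed to decide between lowering the memcache timeouts and skipping replication to unavailable servers.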
Comment 1 Stefan Gohmann univentionstaff 2019-01-03 07:18:58 CET
This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 ended on 5 April 2018.

Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact
your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.