Univention Bugzilla – Bug 39727
Single sign-on failover has long timeouts if a server is not reachable
Last modified: 2019-01-03 07:18:58 CET
I tested various failover scenarios at Bug #39399. If an IdP server is not reachable, the single sign-on has very long timeouts (usually longer than 30 seconds). This is a bad user experience. Internal timeouts could be lowered, or session information could not be replicated to unavailable servers.

= Scenario 1:
SSO Session on Master:
=> If I shut down the master, Login to backup UMC via SSO takes a very long time. Note the ~36 second gap in the syslog:

= Scenario 2:
SSO Session on master + backup (i.e.: login to both with sso)
shutdown master
new browser window to backup.ucs.local/umc:
=> UMC Login dialog, 30 seconds 'load animation' in chromium tabbar, then umc login textfields show. Interestingly, the syslog shows a UMC saml login, but I never get redirected to the UMC itself. If I click on SSO Login, I get logged in after waiting for an additional 15 seconds.

== Scenario 3:
- shutdown master
- try sso on backup
=> more than 10 seconds until ucs-sso page loads; Errors in syslog while trying to contact memcache on master; After entering credentials: Browser hangs for more than 30 seconds (while trying to contact memcache server on master, with php syslog tracebacks)

= Scenario 1 syslog:
Nov 2 16:59:13 backup univention-saml-stunnel: LOG3[14]: s_connect: connect 10.200.29.50:11212: No route to host (113)
Nov 2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/master.ucs.local.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
Nov 2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] Backtrace:
Nov 2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] 9 /usr/share/simplesamlphp/www/_include.php:70 (SimpleSAML_error_handler)
Nov 2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] 8 [builtin] (MemcachePool::get)
Nov 2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] 7 /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php:41 (SimpleSAML_Memcache::get)
Nov 2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] 6 /usr/share/simplesamlphp/lib/SimpleSAML/Store/Memcache.php:28 (SimpleSAML_Store_Memcache::get)
Nov 2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] 5 /usr/share/simplesamlphp/lib/SimpleSAML/SessionHandlerStore.php:38 (SimpleSAML_SessionHandlerStore::loadSession)
Nov 2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] 4 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:1104 (SimpleSAML_Session::getSession)
Nov 2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] 3 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:221 (SimpleSAML_Session::getSessionFromRequest)
Nov 2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] 2 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/State.php:215 (SimpleSAML_Auth_State::loadState)
Nov 2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] 1 /usr/share/simplesamlphp/modules/core/www/loginuserpass.php:24 (require)
Nov 2 16:59:13 backup simplesamlphp[5177]: 3 [d3b81b0048] 0 /usr/share/simplesamlphp/www/module.php:134 (N/A)
Nov 2 16:59:13 backup simplesamlphp[5177]: 5 STAT [d3b81b0048] User 'Administrator' has been successfully authenticated.
Nov 2 16:59:13 backup simplesamlphp[5177]: 5 STAT [d3b81b0048] saml20-idp-SSO-first https://backup.ucs.local/univention-management-console/saml/metadata https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php NA
Nov 2 16:59:13 backup simplesamlphp[5177]: 5 STAT [d3b81b0048] saml20-idp-SSO https://backup.ucs.local/univention-management-console/saml/metadata https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php NA
Nov 2 16:59:49 backup python2.7: Loaded metadata from "/usr/share/univention-management-console/saml/idp/ucs-sso.ucs.local.xml"
Nov 2 16:59:49 backup python2.7: SAML assertion issuer is https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php
Nov 2 16:59:49 backup python2.7: SAML assertion audience https://backup.ucs.local/univention-management-console/saml/metadata
Nov 2 16:59:49 backup python2.7: SAML assertion condition NotBefore = 1446479923 (2015-11-02T15:58:43Z)
Nov 2 16:59:49 backup python2.7: SAML assertion condition NotOnOrAfter = 1446480253 (2015-11-02T16:04:13Z)
Nov 2 16:59:49 backup python2.7: SAML assertion AuthnStatement AuthnInstant = 1446479953
Nov 2 16:59:49 backup python2.7: SAML assertion AuthnStatement SessionNotOnOrAfter = 1446508753
Nov 2 16:59:49 backup python2.7: assertion contains urn:oid:0.9.2342.19200300.100.1.1; searching for urn:oid:0.9.2342.19200300.100.1.1

= Scenario 2 syslog
Nov 2 17:17:01 backup /USR/SBIN/CRON[4446]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Nov 2 17:17:23 backup univention-saml-stunnel: LOG3[7]: s_connect: connect 10.200.29.50:11212: No route to host (113)
Nov 2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/master.ucs.local.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
Nov 2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] Backtrace:
Nov 2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 11 /usr/share/simplesamlphp/www/_include.php:70 (SimpleSAML_error_handler)
Nov 2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 10 [builtin] (MemcachePool::get)
Nov 2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 9 /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php:41 (SimpleSAML_Memcache::get)
Nov 2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 8 /usr/share/simplesamlphp/lib/SimpleSAML/Store/Memcache.php:28 (SimpleSAML_Store_Memcache::get)
Nov 2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 7 /usr/share/simplesamlphp/lib/SimpleSAML/SessionHandlerStore.php:38 (SimpleSAML_SessionHandlerStore::loadSession)
Nov 2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 6 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:1104 (SimpleSAML_Session::getSession)
Nov 2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 5 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:221 (SimpleSAML_Session::getSessionFromRequest)
Nov 2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 4 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/Simple.php:50 (SimpleSAML_Auth_Simple::isAuthenticated)
Nov 2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 3 /usr/share/simplesamlphp/lib/SimpleSAML/IdP.php:249 (SimpleSAML_IdP::isAuthenticated)
Nov 2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 2 /usr/share/simplesamlphp/lib/SimpleSAML/IdP.php:382 (SimpleSAML_IdP::handleAuthenticationRequest)
Nov 2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 1 /usr/share/simplesamlphp/modules/saml/lib/IdP/SAML2.php:389 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
Nov 2 17:17:23 backup simplesamlphp[4449]: 3 [51a1e804ad] 0 /usr/share/simplesamlphp/www/saml2/idp/SSOService.php:18 (N/A)
Nov 2 17:17:23 backup simplesamlphp[4449]: 5 STAT [51a1e804ad] saml20-idp-SSO https://backup.ucs.local/univention-management-console/saml/metadata https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php NA
Nov 2 17:17:59 backup python2.7: Loaded metadata from "/usr/share/univention-management-console/saml/idp/ucs-sso.ucs.local.xml"
Nov 2 17:17:59 backup python2.7: SAML assertion issuer is https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php
Nov 2 17:17:59 backup python2.7: SAML assertion audience https://backup.ucs.local/univention-management-console/saml/metadata
Nov 2 17:17:59 backup python2.7: SAML assertion condition NotBefore = 1446481013 (2015-11-02T16:16:53Z)
Nov 2 17:17:59 backup python2.7: SAML assertion condition NotOnOrAfter = 1446481343 (2015-11-02T16:22:23Z)
Nov 2 17:17:59 backup python2.7: SAML assertion AuthnStatement AuthnInstant = 1446480664
Nov 2 17:17:59 backup python2.7: SAML assertion AuthnStatement SessionNotOnOrAfter = 1446509843
Nov 2 17:17:59 backup python2.7: assertion contains urn:oid:0.9.2342.19200300.100.1.1; searching for urn:oid:0.9.2342.19200300.100.1.1

This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5th of April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.
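
One way to measure the failover delay from syslog like the Scenario 1 excerpt in the report, as an added example that is not part of the original bug report or Univention's code: it pairs the IdP's saml20-idp-SSO line with the UMC assertion line and reports the gap and how much of the assertion's NotOnOrAfter window was left when UMC processed it. The function names are hypothetical, and the year 2015 and UTC+1 offset are assumptions read off the timestamps in the quoted log.

```python
import re
from datetime import datetime, timedelta, timezone

# Sample input: four of the Scenario 1 syslog lines quoted in the report.
SAMPLE = """\
Nov 2 16:59:13 backup univention-saml-stunnel: LOG3[14]: s_connect: connect 10.200.29.50:11212: No route to host (113)
Nov 2 16:59:13 backup simplesamlphp[5177]: 5 STAT [d3b81b0048] saml20-idp-SSO https://backup.ucs.local/univention-management-console/saml/metadata https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php NA
Nov 2 16:59:49 backup python2.7: SAML assertion issuer is https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php
Nov 2 16:59:49 backup python2.7: SAML assertion condition NotOnOrAfter = 1446480253 (2015-11-02T16:04:13Z)
"""

# "<Mon> <day> <time> <host> <program>[pid]: <message>"
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ ([^:\[\s]+)(?:\[\d+\])?: (.*)$")
EXPIRY = re.compile(r"condition NotOnOrAfter = (\d+)")

def parse(text, year, tz):
    """Yield (aware datetime, program, message); syslog omits year and zone."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts.replace(tzinfo=tz), m.group(2), m.group(3)

def failover_report(text, year=2015, tz=timezone(timedelta(hours=1))):
    """Pair each IdP response with the SP consuming it; report delay and margin."""
    reports, issued, backend_down = [], None, False
    for ts, prog, msg in parse(text, year, tz):
        if prog == "univention-saml-stunnel" and "No route to host" in msg:
            backend_down = True  # tunnel to the peer memcache is unreachable
        elif prog == "simplesamlphp" and " saml20-idp-SSO " in msg:
            issued = ts  # IdP logged the SSO response
        elif prog.startswith("python") and msg.startswith("SAML assertion issuer") and issued:
            reports.append({"gap_s": int((ts - issued).total_seconds()),
                            "backend_down": backend_down, "consumed": ts,
                            "margin_s": None})
            issued, backend_down = None, False
        elif reports and reports[-1]["margin_s"] is None:
            m = EXPIRY.search(msg)
            if m:  # seconds of assertion validity left when the SP processed it
                reports[-1]["margin_s"] = int(int(m.group(1)) - reports[-1]["consumed"].timestamp())
    return reports

if __name__ == "__main__":
    for r in failover_report(SAMPLE):
        print(r["gap_s"], "s delay,", r["margin_s"], "s validity left,",
              "backend down" if r["backend_down"] else "backend ok")
```

A delay that approaches the assertion's validity window would turn a slow login into a rejected one, so the remaining margin is worth tracking alongside the gap.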