3 Replies Latest reply on Mar 17, 2017 1:06 AM by pradhap1125

    Issue with picketlink IDP in jboss eap 6.1.0 clustered environment

    pradhap1125

      Hi All,

      I have a JBoss server which is working in a master/slave configuration with a load balancer in mod_cluster configuration. Both sticky sessions and session replication are enabled. When I configure the PicketLink IDP in this environment I'm getting a strange issue: the SAML token generated in my IDP is expiring very early even though my session is alive, so when I try to redirect from one SP to another I get redirected to the login page of my IDP. I have given the token timeout as 1800000 ms (30 min), but it is expiring much earlier.

      After debugging my issue I found that after a successful login a session is created on one server (assume it is server 1) of my clustered IDP JBoss servers. I get redirected to one SP; now when I try to redirect to another SP, that SP in turn sends a request to the IDP to check for any existing SAML token. If this request goes to server 1 of my IDP, things work fine and I get redirected to the home page of my second SP. But if that request goes to another server (assume server 2), even though the session is replicated between servers, I get redirected to the login page of my IDP.

      So my problem is that the SAML token generated in my IDP is not being shared between my clustered JBoss servers even though session replication is enabled.

      One more thing: the same set of IDP and SP configuration works fine locally, i.e. in a non-clustered JBoss environment running in standalone mode.

      Can anyone please help me in resolving this issue? I have been searching the internet for this issue for more than three weeks and am still unable to find a solution.

      My JBoss server is EAP 6.1.0 and the version of PicketLink I'm using is 2.7.1.Final.

        • 1. Re: Issue with picketlink IDP in jboss eap 6.1.0 clustered environment
          pradhap1125

          Dear All,

          I found the issue. I forgot to add the following line, "<sso cache-container="web" cache-name="sso" domain="example.com" reauthenticate="false"/>", in the virtual-server tag of domain.xml of JBoss (you need to make the same change in standalone.xml if you are running in standalone mode), and now everything is working fine. If anyone has any queries please post them to me.

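The virtual-server change from the reply above, shown in context as an added example that is not part of the original post: the first block is a default-host virtual-server without the sso element (the state that produced the login-page redirects), the second adds it, and the third is the clustered "sso" cache in the "web" cache container that the element refers to. Host names, the cookie domain and the subsystem namespace versions are assumed and should be matched to the profile in use.

```xml
<!-- Added example, not from the original post. Host names, cookie domain and
     namespace versions are assumed; use the ones from your own ha profile. -->

<!-- BEFORE: no <sso/> element. The SSO entry behind the JSESSIONIDSSO cookie
     lives only in memory of the node that authenticated the user, so a request
     balanced to a different node finds no entry and is sent back to login. -->
<subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="idp.example.com"/>
    </virtual-server>
</subsystem>

<!-- AFTER: <sso/> backed by the clustered "sso" cache, so every node sees the
     same SSO entry. domain= is the domain the JSESSIONIDSSO cookie is issued
     for; keep it as narrow as the hosts that really need to share the SSO.
     reauthenticate="false" reuses the cached principal rather than running
     the login again on each node. -->
<subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="idp.example.com"/>
        <sso cache-container="web" cache-name="sso" domain="example.com" reauthenticate="false"/>
    </virtual-server>
</subsystem>

<!-- The cache the <sso/> element names (infinispan subsystem of the ha
     profile). The "web" container must define a cache called "sso"; the
     EAP 6 ha profiles ship it as a SYNC replicated cache next to the session
     cache "repl". -->
<subsystem xmlns="urn:jboss:domain:infinispan:1.4">
    <cache-container name="web" aliases="standard-session-cache" default-cache="repl" module="org.jboss.as.clustering.web.infinispan">
        <transport lock-timeout="60000"/>
        <replicated-cache name="repl" mode="ASYNC" batching="true">
            <file-store/>
        </replicated-cache>
        <replicated-cache name="sso" mode="SYNC" batching="true"/>
    </cache-container>
</subsystem>
```

After the change, a quick check is to log in through the IDP, stop the node that served the login, and confirm that the next SP request to the surviving node still finds the SSO entry instead of redirecting to the login page.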
          • 2. Re: Issue with picketlink IDP in jboss eap 6.1.0 clustered environment
            oliviersaniez

            Thanks for sharing this solution, I had the same problem

            • 3. Re: Issue with picketlink IDP in jboss eap 6.1.0 clustered environment
              pradhap1125

              Hello Oliver,

              By making the configuration change mentioned above the issue gets resolved, but there is a problem with the authentication cache of the server. I found that when a user clicks global logout from any of the SPs, it sends a logout request to the IDP, the IDP invalidates its session and the server's authentication cache is cleared; this works fine as expected. But when the session in the IDP times out, the authentication cache is not cleared, and when an SP requests a valid token the IDP creates a new session, uses the authentication cache stored in the server and in turn redirects the user to the home page of the SP instead of the login page of the IDP.

              Please check this condition by letting the IDP session time out and checking whether it redirects to the login page or not.

              I'm trying to find a solution for this issue; do let me know if you can help me with this.