Hello Friends, I had posted this as an Atlassian bug, forgive me for the multiple questions and very long detail, but anyone seen this type of problem that can advise please?
Relevant config details:
- clustered on-prem environment.
- Integrated with OneLogin as the IDP
- System Time is EST (3 hours ahead of Customer Time as error messages show, which is PST)
- Last week enabled idle session timeout via this case: https://support.atlassian.com/requests/CSP-308449
- Disabled rememberme and renamed the seraph expected cookie to force all open windows at that time to re-authenticate.
I cannot figure out the exact scenario to consistently reproduce this, but refreshing a page that has been open after the idle session timeout period intermittently produces this error message.
Date: 2022-07-11 14:47:55 (which is 17:47:55 in the log files)
- Valid OneLogin session existed (idle session timeout value for OneLogin is 8 hours)
- Valid Confluence session existed, governed by the JSESSION cookie, default setting of 60 minutes
- Wait until idle session timeout period completes and refresh page
- Expected result: Confluence recognizes idle session and should call out to OneLogin, which should see a valid OneLogin session for the user and simply send back the SAML response for that user. NOTE that this does sometimes work as expected.
- Note the userName: anonymous setting in the logfiles.
- Hitting back button DOES correctly produce the expected result (redirects to OneLogin which sees a valid OneLogin session and sends back a SAML assertion, reloading the page seamlessly).
Something went wrong
We couldn't log you in. This may be for a variety of reasons. We suggest trying again.
Return to login
If the problem persists, contact your Confluence administrator.
Date: 2022-07-11 14:47:55
See the attached logfile, I added an entry at the bottom to highlight this error:
**** Refreshed a page here from email@example.com.
1) What could be causing this?
2) Please help me understand how clustering operates - is it active/passive? And when does it decide to cut over to the active node, and how can I tell that from the logs? Asking because it does look as if node d7677f43 was active earlier today, and in this scenario I was running from node d7677f62. I believe the expected result should still work, however (redirect to OneLogin, which sends back a valid SAML response, and the page refreshes seamlessly)?
BTW, did find this KB that describes exact same errors, but the SSO Plugin we’re running is a newer version than it suggests upgrading to: https://confluence.atlassian.com/confkb/received-invalid-saml-response-the-response-has-an-inresponseto-attribute-onelogin_-abc-de-fg-while-no-inresponseto-was-expected-after-session-times-out-while-re-authenticating-to-azure-sso-1050548417.html
Our version is 4.2.12; however, under Maintenance, App Compatibility shows it as ‘incompatible’, and there does not seem to be a newer version for this deployment.
3) How should we be interpreting plugin compatibility when one says incompatible and yet there’s no newer version?
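To make the error named in the linked KB title concrete, here is an added example (not code from this post, from Atlassian or from OneLogin) of the SP-side InResponseTo check that produces it: a response carrying InResponseTo is rejected when the SP session that stored the outgoing AuthnRequest ID no longer exists, for instance because it idled out or is absent on the cluster node that received the response. The sample XML, the session dict and the key name pending_request_id are constructed assumptions.

```python
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: an IdP response answering the SP's AuthnRequest "_req-123".
SP_INITIATED_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_resp-1" Version="2.0" '
    'IssueInstant="2022-07-11T21:47:55Z" InResponseTo="_req-123"/>'
)
# Constructed sample: an unsolicited (IdP-initiated) response, no InResponseTo.
UNSOLICITED_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_resp-2" Version="2.0" '
    'IssueInstant="2022-07-11T21:47:55Z"/>'
)


def validate_in_response_to(response_xml: str, session: Optional[dict]) -> Tuple[bool, str]:
    """Check a SAML Response's InResponseTo against the SP session that began the login.

    session is the SP's server-side session for this browser, or None once it has
    expired (idle timeout) or is missing on the node that received the response.
    An SP-initiated login stores its AuthnRequest ID under "pending_request_id"
    (assumed key name). Returns (accepted, reason)."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"
    in_response_to = root.get("InResponseTo")
    expected = session.get("pending_request_id") if session else None
    if expected is None:
        if in_response_to is not None:
            # The SP no longer remembers issuing a request: the session holding the
            # request ID expired or lives on another node. This is the failure mode
            # the linked Atlassian KB describes for re-authentication after a timeout.
            return False, ("response has an InResponseTo attribute while "
                           "no InResponseTo was expected")
        return True, "unsolicited (IdP-initiated) response accepted"
    if in_response_to is None:
        return False, "SP-initiated login but response carries no InResponseTo"
    if in_response_to != expected:
        return False, "InResponseTo does not match the pending request ID"
    session.pop("pending_request_id")  # request IDs are single-use
    return True, "InResponseTo matches pending request"
```

When the same check is run on a clustered SP, the session lookup must resolve to the node that actually stored the request ID, or the intermittent rejection seen above follows.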