• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

CF2021 SAML Login/Logout Cache not Clearing (possible replay attack...)

Community Beginner ,
Jul 06, 2021 Jul 06, 2021

Copy link to clipboard

Copied

We're running ColdFusion2021 Enterprise and attempting to use the SAML feature where our application is the SP and a customer is the IDP using Azure AD.

 

When we first called ProcessSAMLResponse() it authenticated. Subiquestial calls to ProcessSAMLResponse() are now getting this error: "Possible replay attack occurred as there is no login/logout information associated with this request.".

 

We suspect this is related to the SAMLcache and we feel it's not clearing when it should.

 

In the SP Configuration - the Request Store setting we've tried both the "Default" and "Cache" settings. After it started failing with the "Default" we edited ".../lib/auth-ehcache.xml" and changed the setting: "timeToLiveSeconds" from 600 to 60. Here's the xml:

<cache clearOnFlush="true" memoryStoreEvictionPolicy="LRU" diskExpiryThreadIntervalSeconds="3600" diskPersistent="false" maxElementsOnDisk="10000000" diskSpoolBufferSizeMB="30" overflowToDisk="false" timeToLiveSeconds="60" eternal="false" maxElementsInMemory="10000" name="samlcache">
</cache>

 

After making this change we stopped and restarted the ColdFusion2021 service.

Also, we thought, auth-ehcache.xml might not have the correct file permissions - but it looks correct and tied to "cfuser".

 

Does anyone have any ideas? Anyway to inspect ehcache and/or clear is manually (or via code)? Is there another xml setting we should be adjusting? The error almost seems like a warning message? Is there a way to safely bypass it without compromoizing the authentication process.

 

Many thanks in adance for any suggestions.

TOPICS
Advanced techniques

Views

2.7K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Enthusiast ,
Jul 06, 2021 Jul 06, 2021

Copy link to clipboard

Copied

It sounds like you might be calling processSAMLResponse() on a page that is not the ACS url. When the IDP authenticates you it POSTs back to the ACS url information that processSAMLResponse is looking for. Based on the error message it sounds like that information is not there. On your ACS page, you can create a session varaible and store the relavent information about the user. 

 

There is also the replay attack prevention feature that makes sure the SAML request id is not used more than once, which does use the ehcache to store the ids by default. I don't know of a way to inspect the ehcache, but there is probably a way to do it. You can also use Redis for the cache, and then you can inspect the redis database using a redis client if you think that is the problem. 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jul 14, 2021 Jul 14, 2021

Copy link to clipboard

Copied

Thanks Pete for your timly rely - I wrote this replay last week but just relized it never got Posted until this morning....


We are calling processSAMLResponse() in the same .cfm the IDP calls. However - the cfloginuser called after the processSAMLResponse() happens elseware.


In the .cfm with processSAMLResponse() we do some processing (authentication on our side making sure that incoming user has an acount etc). If the incoming SAML request passes our authentication we build an access token send it over to our regular login application. The app sees the token for this user and does all the login stuff including calling cfloginuser.


We architected this so processSAMLResponse() is actually in a different site (let's call it a semiprivate site). So when we build the login token and when we send it to our regular application (private site), it's Application.cfc sees that for this new session there's no login it'll look for the login token before displaying a login page.


I'm thinking - do you know if processSAMLResponse() need to be in the same site that calls cflogin?


Even so, I would think the cache should have cleared, with the way it's currently architected....


Any additional thoughts? Again - thanks for your help.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
May 06, 2023 May 06, 2023

Copy link to clipboard

Copied

Hi folks I have a similar problem trying to handle an IDP-initiated SSO (from Azure). CF breaks this with it's 'Possible replay attack' error.


I'm sure there's a simple answer to this? Please help.

Current work-around is to <cfcatch> it and redirect to my ACS and have the SP initiate. Certainly not ideal as the user is already authenticated(!).

Many thanks in advance

Will

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
May 06, 2023 May 06, 2023

Copy link to clipboard

Copied

Duh, sorry i found the setting in cfadmin for the SP. Sorry - delete this

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jul 20, 2024 Jul 20, 2024

Copy link to clipboard

Copied

Hey Jim, did you happen to figure out how to get this working?
I'm encountering the same issue with "Possible replay attack occurred as there is no login/logout information associated with this request". 
Any guidance is much appreciated!

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jul 21, 2024 Jul 21, 2024

Copy link to clipboard

Copied

Did you follow the steps to configure the IDP/SP?

BKBK_0-1721567965039.png

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jul 21, 2024 Jul 21, 2024

Copy link to clipboard

Copied

We were only able to get this to work after a regular cf2021 update provided by Adobe.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jul 21, 2024 Jul 21, 2024

Copy link to clipboard

Copied

Hi @Jim From Test ,

Thanks for sharing that. It is useful advice for anyone who encounters the issue. Adobe's ColdFusion Support: cfsup[at]adobe.com

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jul 21, 2024 Jul 21, 2024

Copy link to clipboard

Copied

Thanks @Jim From Test and @BKBK, will reach out to cf support for the patch jar.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jul 29, 2024 Jul 29, 2024

Copy link to clipboard

Copied

For anyone else with similar issues on ColdFusion 2021 with a cluster setup. The solution was to configure /lib/auth-ehcache.xml to enable multicast for distribution to all instances.

  1. Add SP and ISP to the main instance. Copy <instance>/lib/neo-saml.xml to each other instance and restart
  2. Update <instance>/auth-ehcache.xml in each instance
    1. Uncomment cacheManagerPeerProviderFactory
    2. Uncomment cacheManagerPeerListenerFactory and set the hostname, port, and remoteObjectPort. Port should be different between instances
    3. Uncomment cacheEventListenerFactory within samlCache authenication section.
    4. Restart each instance
    5. Attempt to login via SSO

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jul 29, 2024 Jul 29, 2024

Copy link to clipboard

Copied

LATEST

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation