08-10-2010 09:21 AM
We have configured multiple SAML servers on our SA6500, to allow the users of different partners to log in with their own credentials.
In version 6.4R4, users are able to log in fine, but about 2 times daily, we get the following log message, indicating that the 'saml-server' process has crashed:
- Trace Info : * assertion in assert.cc:368, void DSLogSignalHandler(int), SIGSEGV, 11 frames /lib/tls/libc.so.6 [0x2687c8e8] /home/builds/bld14951/install/bin/saml-server [0x807d79a]
We didn't pay much attention to this at first, but things got worse:
After upgrading (*) to newer releases, this log message starts showing every 2 minutes, while users start complaining they are not always able to log in on the first try.
Are there other SAML users that are seeing these 'saml-server' crashes in their logs or have been able to get rid of them?
(*) we tried about every newer release that became available during the past 5 months, without success - we were forced to roll back to 6.4R4 every time.
08-10-2010 10:09 AM
We had a similar issue and the cause was the way the SAML server (Ping Identity) output the XML in the SAML assertion. It was sending AttributeValues that were NULL and sent them like below. This caused the IVE to generate an error in the event log. I suggest you open a case with JTAC and get the contents of the SAML assertions that are being sent from your SAML server if you can.
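One way to run the check suggested in the reply above over a captured assertion, as an added example that is not part of the original thread. The reply's own sample of the NULL values is not shown on this page, so the shapes flagged here (self-closing, whitespace-only, `xsi:nil`, or no `AttributeValue` at all) are assumptions, and the assertion below is constructed.

```python
import base64
import xml.etree.ElementTree as ET

XSI_NIL = "{http://www.w3.org/2001/XMLSchema-instance}nil"

def local(tag):
    """Strip the namespace so SAML 1.1 and 2.0 assertions are both matched."""
    return tag.rsplit("}", 1)[-1]

def decode_post_response(b64_value):
    """Decode the base64 SAMLResponse form field used by the POST binding."""
    return base64.b64decode(b64_value).decode("utf-8")

def find_empty_attribute_values(xml_text):
    """Return (attribute name, reason) for every attribute value with no content."""
    # Only feed this assertions captured from your own IdP; use a hardened
    # parser for XML from untrusted sources.
    root = ET.fromstring(xml_text)
    findings = []
    for attr in root.iter():
        if local(attr.tag) != "Attribute":
            continue
        # SAML 2.0 uses Name, SAML 1.1 uses AttributeName
        name = attr.get("Name") or attr.get("AttributeName") or "(unnamed)"
        values = [c for c in attr if local(c.tag) == "AttributeValue"]
        if not values:
            findings.append((name, "no AttributeValue element"))
        for v in values:
            if v.get(XSI_NIL) in ("true", "1"):
                findings.append((name, "xsi:nil"))
            elif len(v) == 0 and not (v.text or "").strip():
                findings.append((name, "empty"))
    return findings

# Constructed sample assertion fragment (unsigned, not from the thread)
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>user@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue/></saml:Attribute>
    <saml:Attribute Name="phone"><saml:AttributeValue xsi:nil="true"/></saml:Attribute>
    <saml:Attribute Name="title"><saml:AttributeValue>  </saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for name, reason in find_empty_attribute_values(SAMPLE):
        print(f"{name}: {reason}")
```

Comparing the flagged attribute names against the times of the crash log entries shows whether empty values line up with the failures before any change is made on the production appliance.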
08-10-2010 11:19 PM - edited 08-11-2010 02:33 AM
Thank you for your follow-up!
We logged the case with JTAC (through our reseller) some months ago (number 2010-0107-0220), and tried various changes since (disabling ssl acceleration, rebooting 2 times after upgrading, failover to the other node, changing to SAML POST, ...), but to no avail.
An extra issue is that we cannot reproduce the problem on our SA2500 test setup, which means every try-out has a huge impact on our users and thus has to wait for the next maintenance window, and it also means we cannot trim down the configuration to exclude various settings.
08-10-2010 11:24 PM
Thank you for this suggestion!
With some luck this could allow us to reproduce the problem in our test environment.
I'll have a talk with our SAML experts & keep you informed.