Authenticating with wrong user
rodrigorjo May 17, 2012 11:45 AM
Hello everyone. I have a critical problem.
After a few months of testing some web systems with single sign-on using PicketLink, we finally deployed those systems to the production environment.
There are 7 SPs on the same single sign-on. What happens is that it works fine most of the time, but sometimes, when we access one of the SPs, a different user appears. The method FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal() in the SP returns a completely different user.
I can't find anything wrong; it is configured exactly like the sales and idp examples. I tried changing to form and redirect, but with both I get the same problem.
It is kind of hard to get this error; I would guess that if I log in about 30 times I get one error like this. Of course it is extremely critical, and we are on the verge of taking it out of production and going back to the old login method. (We used single sign-on with a very old version of JOSSO.)
This problem never happened during the homologation phase, and we used it a lot in the homologation environment for a few months.
I am using PicketLink 2.0.2, with 2 systems on JBoss 6 and the other 5 on JBoss 5. These are government systems in a portal and they get a lot of access in production.
If necessary I can send the configurations I have, but there is nothing out of the ordinary. Although it probably has nothing to do with the problem, the only difference I can think of is that, because we were afraid of time sync issues due to network latency, I configured the systems on JBoss 6 with a time skew like this:
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
<Option Key="CLOCK_SKEW_MILIS" Value="2000"/>
</Handler>
The servers are almost synchronized, but there is a difference of some milliseconds between them. The other systems are all on the same machine and have no time skew.
I am running out of ideas and getting desperate. It would be a huge problem to stop using single sign-on with PicketLink now. Any clue would be very much appreciated. As it is a government site open to the public, if somebody wants I can give the address and even create a user for testing.
Thank you in advance,
Rodrigo Oliveira
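The following is an added example, not part of the original post and not PicketLink's own code. It shows what a clock-skew allowance such as the CLOCK_SKEW_MILIS option in the post is for: a SAML 2.0 Conditions check compares the SP's local time against the assertion's NotBefore and NotOnOrAfter window, and the allowance widens that window so a few milliseconds of drift between IdP and SP does not cause a rejection. The assertion fragment, the issuer and the subject name are constructed sample data; the function names are assumed for this example. Running it also makes the scope of the setting visible: the skew check only accepts or rejects the assertion, and the subject NameID it carries is read the same way regardless of the skew value.

```python
"""Added example: SAML 2.0 <Conditions> timestamp check with a clock-skew allowance.

Not PicketLink's code. A generic reconstruction of the check a CLOCK_SKEW-style
option influences: the SP's clock may lag or lead the IdP's slightly, so the
NotBefore / NotOnOrAfter window is widened by the allowance before comparing
against the SP's local time.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not a captured message); the signature
# and audience restriction that a real assertion carries are omitted here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2012-05-17T11:45:00Z">
  <saml:Issuer>https://idp.example.gov/idp</saml:Issuer>
  <saml:Subject><saml:NameID>rodrigo</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2012-05-17T11:45:00Z" NotOnOrAfter="2012-05-17T11:50:00Z"/>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a UTC xsd:dateTime as SAML writes it ('...Z', with or without fractional seconds)."""
    if not value.endswith("Z"):
        raise ValueError("only UTC instants ending in 'Z' are handled in this example")
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def conditions_window(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) from the assertion's <Conditions> element."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion has no <Conditions> element")
    return parse_instant(cond.get("NotBefore")), parse_instant(cond.get("NotOnOrAfter"))


def conditions_valid(assertion_xml, sp_now, clock_skew_millis=0):
    """True if sp_now lies inside [NotBefore - skew, NotOnOrAfter + skew).

    NotOnOrAfter is exclusive per the SAML 2.0 core spec; NotBefore is inclusive.
    """
    not_before, not_on_or_after = conditions_window(assertion_xml)
    skew = timedelta(milliseconds=clock_skew_millis)
    return (not_before - skew) <= sp_now < (not_on_or_after + skew)


def subject_name_id(assertion_xml):
    """The subject the assertion names; independent of any timestamp check."""
    root = ET.fromstring(assertion_xml)
    return root.find("saml:Subject/saml:NameID", SAML_NS).text


if __name__ == "__main__":
    # SP clock 1.5 s behind the IdP at the moment the assertion was issued.
    sp_now = parse_instant("2012-05-17T11:44:58.500Z")
    print("skew 0 ms   :", conditions_valid(SAMPLE_ASSERTION, sp_now, 0))      # False: rejected
    print("skew 2000 ms:", conditions_valid(SAMPLE_ASSERTION, sp_now, 2000))   # True: accepted
    print("subject     :", subject_name_id(SAMPLE_ASSERTION))                  # rodrigo either way
```

With the SP 1.5 s behind the IdP, the assertion is rejected at skew 0 and accepted at 2000 ms, which is the failure mode a skew setting addresses (a refused login, not a changed identity); a too-large allowance only extends how long a captured assertion stays replayable, so keep it at the smallest value the observed drift needs.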