Shibboleth SSO doesn't log user out when browser is closed and reopened, seems to be caused by configuration?



Tian, Jian [CRI]

Hello,

My setup is on Windows 10 with IIS7. Shibboleth SP Version 3.4.1. The SP is installed as a Windows Service. Testing on the Chrome browser. Since my application is running on IIS, I am using shibboleth2.xml to configure the Shibboleth service provider.

Due to the requirements of the application, I recently made a change to the configuration of the <RequestMapper> element. Previously, the Shib SP was protecting everything under the root path, i.e.:

<RequestMapper type="Native">
    <RequestMap>
        <Host name="domainName" port="443" scheme="https" requireSession="true" authType="shibboleth">
        </Host>
    </RequestMap>
</RequestMapper>

Now I still need the Shib SP to protect the domain's root path, but the `/api` sub-path needs to be left open for API calls without authentication. Additionally, `/api/user` should still be protected, as that endpoint is used for login.

<RequestMapper type="Native">
    <RequestMap>
        <Host name="domainName" port="443" scheme="https" requireSession="true" authType="shibboleth">
            <Path name="api" requireSession="false" authType="shibboleth">
                <Path name="user" requireSession="true" authType="shibboleth">
                </Path>
            </Path>
        </Host>
    </RequestMap>
</RequestMapper>


After restarting the Shib SP service, the config works as intended: the root and /api/user are protected, the other endpoints under /api are not.

However, the application began to exhibit a new behavior. Before this change, closing and reopening the browser would log the user out, meaning the SP would detect that the user is no longer logged in and redirect the user to the login page. Right now, though, if I request the root path from the browser, the SP does not redirect the user to the login page but passes the user straight through to the requested page. The problem is that even though the user can see the page, he/she is not actually logged in, and this causes an exception on the part of the application. This problem keeps occurring until the user refreshes the page, in which case he/she is redirected to the login page as normal. The reasons I think the configuration caused the problem are: 1) protecting the entire site works fine; 2) if I change the "requireSession" attribute on the /api `<Path>` element to true, then the site also works as normal. I don't see anything unusual going on in shibd.log.

Right now I am at a loss as to what else to try. Can anyone provide some insight into why this problem is occurring, or where to start debugging it?

Thank you,

Jian Tian

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
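To see what the two RequestMap fragments above actually resolve to for a given URL, here is an added example (not part of the original post and not Shibboleth's own code) that models the one rule the question hinges on: in the Native RequestMapper, nested <Host> and <Path> elements inherit properties from their enclosing element, and the deepest matching element wins. The model only handles <Host> and <Path> (no <PathRegex>, <Query>, or application overrides), treats path-segment comparison as case-insensitive, which is an assumption, and embeds both of the poster's configurations as constructed input.

```python
"""Offline model of Shibboleth SP Native RequestMapper property inheritance.

Added example: reproduces only the inheritance rule for nested <Host>/<Path>
elements so a RequestMap can be sanity-checked without a running SP. It is
not Shibboleth code and omits <PathRegex>, <Query> and application overrides.
"""
import xml.etree.ElementTree as ET

# Constructed input: the original configuration, protecting the whole host.
REQUEST_MAP_ALL = """
<RequestMapper type="Native">
  <RequestMap>
    <Host name="domainName" port="443" scheme="https" requireSession="true" authType="shibboleth"/>
  </RequestMap>
</RequestMapper>
"""

# Constructed input: the changed configuration, /api open and /api/user protected.
REQUEST_MAP_SPLIT = """
<RequestMapper type="Native">
  <RequestMap>
    <Host name="domainName" port="443" scheme="https" requireSession="true" authType="shibboleth">
      <Path name="api" requireSession="false" authType="shibboleth">
        <Path name="user" requireSession="true" authType="shibboleth"/>
      </Path>
    </Host>
  </RequestMap>
</RequestMapper>
"""

# Attributes that identify the element itself rather than settings to inherit.
_STRUCTURAL = {"name", "port", "scheme", "type"}


def _settings(elem):
    """Return only the inheritable settings carried by a RequestMap element."""
    return {k: v for k, v in elem.attrib.items() if k not in _STRUCTURAL}


def _segments(path):
    return [s.lower() for s in path.split("/") if s]  # assumption: case-insensitive


def effective_settings(xml_text, host, path):
    """Resolve the settings that apply to a request for https://host/path.

    Walks RequestMap -> Host -> nested Path elements, layering each matching
    element's settings over those inherited from its parent. A <Path name="a/b">
    with slashes matches that many consecutive segments.
    """
    root = ET.fromstring(xml_text.strip())
    request_map = root.find("RequestMap")
    settings = _settings(request_map)

    host_elem = next((h for h in request_map.findall("Host")
                      if h.get("name", "").lower() == host.lower()), None)
    if host_elem is None:
        return settings  # no Host entry: only RequestMap-level defaults apply
    settings.update(_settings(host_elem))

    segs, i, current = _segments(path), 0, host_elem
    while i < len(segs):
        match = None
        for p in current.findall("Path"):
            name_segs = _segments(p.get("name", ""))
            if name_segs and segs[i:i + len(name_segs)] == name_segs:
                match = p
                break
        if match is None:
            break  # no deeper match: the enclosing element's settings stand
        settings.update(_settings(match))
        current, i = match, i + len(_segments(match.get("name", "")))
    return settings


def requires_session(xml_text, host, path):
    """True if the resolved settings require a session for this path."""
    value = effective_settings(xml_text, host, path).get("requireSession", "false")
    return value.lower() == "true"


if __name__ == "__main__":
    for p in ("/", "/index.html", "/api/status", "/api/user", "/api/user/me", "/apix"):
        print(f"{p:14} all={requires_session(REQUEST_MAP_ALL, 'domainName', p)!s:5} "
              f"split={requires_session(REQUEST_MAP_SPLIT, 'domainName', p)}")
```

Running it shows that under the second configuration only paths that fail to match the `api` segment (the root, `/apix`, `/index.html`) or that reach the nested `user` Path require a session, while anything else under `/api` inherits requireSession="false" from the `api` element; that is exactly the split the poster describes seeing after the restart, so the map itself resolves as intended.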

Re: Shibboleth SSO doesn't log user out when browser is closed and reopened, seems to be caused by configuration?

Cantor, Scott E.
FYI, there is no such thing as V3.4.1, the SP is on 3.0.4 IIRC.

You're describing impossible behavior, so you're misinterpreting something. If you want to track session handling in detail per request, use the native log information in the Event Log to track what it's doing when the request is made. It's possible to derive much of that from shibd.log but more indirectly, it takes more knowledge of the internals.

In general, closing a browser has nothing to do with logout, and nothing the SP does has much influence on it. Whether you're logged in or not across closure will not change based on changing the RequestMap. You are or aren't, and either is possible, that's up to the browser.

If you really want a deep dive to help diagnose it, this would need to go through member support; I can let you know who to contact to get access to those mechanisms on behalf of UC if you contact me offline.

-- Scott
