Unexpected Shibboleth Session Removal

Cantor, Scott cantor.2 at osu.edu
Fri Sep 5 14:44:43 EDT 2014

>>. No 'Access-Control-Allow-Origin' header is present on the requested
>>resource. Origin 'https://server.domain.com  is therefore not allowed

I'm not really familiar with these new laughable attempts to "secure"
JavaScript that people are apparently using now. It's possible that's
involved and one of the servers in the mix (I assume the SP) has to start
sending some headers to work around it. I don't know what the lack of them
ends up leading to. It's connecting to the IdP, but seems to be dropping
the query string I guess.

Of course, even if it made the request, you'd be depending on SSO working
at the IdP since the AJAX call can't execute a real login, and it would
break on the SAML POST binding response the IdP issues. So it really
doesn't matter that much.

>During testing I have set my session lifetime to 60 and timeout to 30.
>When I raised this up to the defaults (28800 and 3600 respectively), I
>was still seeing errors more frequently than every hour.
>1. Will raising the lifetime and/or timeout help to solve the problem?
>2. Is the session timeout/removal really the cause of my problem?

Not in my opinion. Whatever is happening to the session is not a timeout.
There is not a single documented case of the timeouts not working
correctly, and nobody who has claimed there is has ever followed up. I
have no reason to believe it's broken.

>3. Is there any obvious error, debugging, or configuration that I should
>look at to troubleshoot this issue?

Not really. You can look at native.log for indications of session
complaints, but my opinion is that the cookie's just not being sent on
those requests. Short of tracing every bit of traffic until it
demonstrates a failed case, I don't know what else would work.

An issue with third-party cookies would be an obvious cause if there are
any additional domains involved in the content containing the AJAX calls.

-- Scott
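
The following is an added example, not part of the message above or of the Shibboleth project: one way to check the "cookie's just not being sent" theory from server-side request logs instead of a full traffic trace. It assumes the web server records the request Cookie header (for Apache, `%{Cookie}i` in a LogFormat); the tab-separated layout, addresses and cookie values are constructed, and grouping by client address is a simplification that breaks behind NAT.

```python
import re

# Shibboleth SP session cookies are named _shibsession_<suffix>.
SESSION_COOKIE = re.compile(r"(?:^|;\s*)_shibsession_[^=;\s]*=")

# Constructed sample: client, time, request, status, Cookie header.
# Real logs holding Cookie headers contain live session identifiers,
# so restrict access to them and remove the logging once diagnosed.
SAMPLE_LOG = """\
10.0.0.5\t14:00:01\tGET /app/\t200\t_shibsession_64656661=_a1b2; theme=dark
10.0.0.5\t14:00:09\tGET /app/api/items\t200\t_shibsession_64656661=_a1b2; theme=dark
10.0.0.5\t14:00:17\tGET /app/api/items\t302\ttheme=dark
10.0.0.5\t14:00:25\tGET /app/api/items\t200\t_shibsession_64656661=_a1b2; theme=dark
10.0.0.9\t14:00:30\tGET /app/\t302\t-
10.0.0.9\t14:00:41\tGET /app/api/items\t302\t-
"""


def find_dropped_cookie_requests(log_text):
    """Return (client, time, request) for requests that lacked the session
    cookie although the same client had sent it on an earlier request."""
    seen_with_cookie = set()
    dropped = []
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue  # skip malformed lines
        client, when, request, _status, cookies = parts
        if SESSION_COOKIE.search(cookies):
            seen_with_cookie.add(client)
        elif client in seen_with_cookie:
            # Cookie was present before and is absent now: the browser
            # did not send it, which is different from an SP-side timeout.
            dropped.append((client, when, request))
    return dropped


if __name__ == "__main__":
    for client, when, request in find_dropped_cookie_requests(SAMPLE_LOG):
        print(f"{when} {client} sent no _shibsession_ cookie on: {request}")
```

A request that is flagged here and then followed by one from the same client that carries the cookie again points at the browser omitting the cookie on that call rather than at the SP removing the session.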
