Logout Issue
Oak, Joe
Joe.Oak at StateAuto.com
Tue Aug 18 14:40:07 EDT 2015
Hi -
I'm encountering a slightly strange issue with the following configuration:
- Windows 2012 OS
- Apache 2.4
- Shibboleth-SP 2.5.5
- Generic HTML5 web site
IdP: EmpowerID
All servers on the same Intranet and same A.B.x.x
Scenario 1:
- User attempts to access HTML resource.
- Shibboleth-SP sees no session and correctly redirects to IdP
- IdP prompts user and authenticates
- IdP returns Assertion back to Shib (https://xxxx.com/Shibboleth.sso/SAML2/POST)
- User is now into web site and performs work
Scenario 2:
If the user's session "times out", they log back in as noted above.
Scenario 3:
If the user requests to be logged out, which issues: https://xxxx.com/Shibboleth.sso/Logout
and is configured for SAML & Local, the session on the Server seems to be closed and removed from the Shib Cache (per Shibd logfile).
If the user now attempts to re-access the site, their browser is corrupted and it appears that a session is "thought" to exist. Looking in the Shibd log file, I see 14 retries of an AuthNRequest. Each one indicated a redirect to the client, but the client never receives or acts on it. To recover, the client must clear "Cached Images & file" & "Cookies & Other site & plugin data" (Chrome).
To add a bit more... If I change the CERT being used on the protected server to an Unsigned Cert, rather than our normal CA-Cert, everything works fine.
On the failing session the Server sends the client a [FIN,ACK] and the client replies [ACK].
On a different server where all scenarios are working, the Server sends a [FIN,ACK], the client sends an [ACK], and then the client sends a final [FIN,ACK], to which the server responds [ACK]. So, not sure why on the failing server the client is not terminating the session also.
Any thoughts on what might be causing this behavior and where I might have mis-configured something?
Thanks,
Joe