IE11 does not send shib session cookie during global logout
BenJW
ben.wxc at gmail.com
Sat Feb 24 22:16:50 EST 2018
Hi All,
I have two tabs open in IE: one is running my App (A), the other is
running another App (B) [both https]. They are in different domains, but
both are configured to support SLO.
If I log out from B (an IdP-initiated logout from App A's perspective), one of
the redirects will hit app A and should ideally arrive with the Shib session cookie.
However, this is not the case. If I switch back to the other tab that runs
app A after the B logout, the user is still logged in, because the shib session has not
been destroyed during the global logout workflow.
I've tested on Chrome, Firefox and Safari, and they all work as expected. On IE,
if I open app A in one tab, no authentication is needed if I open app A in
another tab.
I would appreciate it if anyone could shed some light on this. Thanks a lot.
BTW, while doing research on this topic, someone said it might have
something to do with how IE treats the session cookie's Max-Age vs. Expires
parameters.
Here are my shib.xml and Apache vhost config.
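<!-- Shibboleth SP configuration (the poster's shib.xml) as posted. Hosts,
     paths and entityIDs are redacted with asterisks by the poster; review
     comments were added and the missing opening quote on the
     CredentialResolver certificate attribute was restored. Nothing else
     was changed. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          clockSkew="180">

  <!-- Loaded only into shibd; fatal="true" stops shibd if the memcache
       plugin cannot be loaded instead of silently running without it. -->
  <OutOfProcess>
    <Extensions>
      <Library path="***/memcache-store.so" fatal="true" />
    </Extensions>
  </OutOfProcess>

  <!-- Session, replay and artifact state is kept in memcached. memcached
       does not authenticate clients by default, so the network path to these
       hosts has to be limited to the SP nodes; whoever can reach them can
       read or alter session state. -->
  <StorageService type="MEMCACHE" id="mc" prefix="shibd:">
    <Hosts>***:****</Hosts>
  </StorageService>
  <StorageService type="MEMCACHE" id="mc-ctx" prefix="shibd:" buildMap="1">
    <Hosts>****:****</Hosts>
  </StorageService>
  <SessionCache type="StorageService" StorageService="mc-ctx" StorageServiceLite="mc" />
  <ReplayCache StorageService="mc"/>
  <ArtifactMap StorageService="mc" artifactTTL="180"/>

  <!-- requireConfidentiality/requireTransportAuth demand encrypted,
       authenticated endpoints; signing="true" signs the SP's outbound SAML
       messages; cipherSuites is an OpenSSL cipher string used for the SP's
       own outbound TLS connections. attributePrefix is prepended to exported
       attribute names, which matters because the vhost exports them as
       request headers (ShibUseHeaders On). -->
  <ApplicationDefaults entityID="abc.com"
                       REMOTE_USER="principal"
                       cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2"
                       attributePrefix="abc_"
                       requireConfidentiality="true"
                       requireTransportAuth="true"
                       signing="true"
                       homeURL="https://abc.com/auth/vsso">

    <!-- Session cookie settings, the part relevant to the logout question:
         cookieProps gives the session cookie path=/, HttpOnly and Secure, and
         nothing here sets Max-Age or Expires, so as posted it is a
         browser-session cookie. handlerSSL="false" together with the vhost
         listening on port 8080 suggests TLS is terminated in front of Apache;
         confirm the proxy forwards the https scheme, otherwise handler URLs
         and the Secure cookie become inconsistent. checkAddress and
         consistentAddress are both off, so a session is not bound to the
         client address: the usual trade-off behind proxies and NAT, but a
         leaked cookie is then usable from any address. redirectLimit
         "host+whitelist" confines post-SSO/SLO redirects to this host plus
         redirectWhitelist, the right guard against open redirects. -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mc"
              consistentAddress="false"
              checkAddress="false" handlerSSL="false"
              cookieProps="; path=/; HttpOnly; Secure"
              handlerURL="/sso" redirectLimit="host+whitelist"
              redirectWhitelist="****">
      <!-- Protocols in preference order. Logout enables SAML2 single logout
           plus local logout; a front-channel LogoutRequest from the IdP only
           ends this SP's session if the browser presents the session cookie
           to the SLO handler, which is what the post reports IE11 not
           doing. -->
      <SSO entityID="****">
SAML2 SAML1
      </SSO>
      <Logout>SAML2 Local</Logout>
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <!-- acl limits Status to loopback addresses. Behind the reverse proxy
           the vhost implies, the client address the SP sees may be the
           proxy's; confirm /Status is not reachable from outside. -->
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <!-- Session handler is exposed but hides attribute values. -->
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
      <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
    </Sessions>

    <Errors supportContact="root at localhost"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

    <!-- IdP metadata from a local file with no MetadataFilter configured, so
         its integrity rests on file permissions rather than a signature. -->
    <MetadataProvider type="XML" file="****-bsso.xml"/>
    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
    <!-- Back-channel attribute query; subjectMatch="true" presumably requires
         the queried subject to match the session's subject. -->
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
    <!-- SP signing/decryption credentials. The opening quote on certificate
         was missing in the posted text and is restored here. -->
    <CredentialResolver type="File" key="***sp.key" certificate="****sp.crt"/>
  </ApplicationDefaults>

  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>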
Vhost conf
# Apache vhost for app A as posted. It listens on plain HTTP port 8080 while
# ServerName carries the https scheme, which suggests TLS is terminated by a
# proxy in front of Apache. Comments were added during review; no directive
# was changed.
<VirtualHost *:8080>
ServerName https://abc.com
# CPTY-277
# Clickjacking protection: X-Frame-Options plus the equivalent CSP
# frame-ancestors directive. Only the first line uses "always", so the CSP
# header is not applied to error responses; the two are inconsistent.
Header always append X-Frame-Options SAMEORIGIN
Header set Content-Security-Policy "frame-ancestors 'self';"
# CPTY-278
# Appends "; Secure" to every Set-Cookie when the Host header is abc.com.
# NOTE(review): without "always" this edit only touches the onsuccess header
# table, so cookies a module places in the error/always table (the usual way
# to set a cookie on a redirect) are left alone. The Shibboleth session
# cookie already carries Secure via cookieProps in shib.xml, so this rule
# matters for the application's own cookies; check a captured response to
# confirm which cookies actually receive the suffix and that none ends up
# with it twice.
SetEnvIfNoCase Host ^abc\.com set_cookie_secure=true
Header edit Set-Cookie (.*) "$1; Secure" env=set_cookie_secure
DocumentRoot /bb/bvault/surveillance_current
# Forward proxying stays off. The <Proxy *> block uses 2.2-style Order/Allow
# while later blocks use 2.4-style Require; on httpd 2.4 the old form relies
# on mod_access_compat, so the mix is worth cleaning up (not changed here).
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
#SetEnv force-proxy-request-1.0 1
#SetEnv proxy-nokeepalive 1
# The regex "/" matches every request path, so a Shibboleth session is
# required everywhere except where a later <Location> overrides it.
# "require shib-session" and "Require valid-user" both appear; either alone
# is enough here, the pair is redundant.
# ShibUseHeaders On exports the user's attributes as request headers (named
# with the attributePrefix from shib.xml). The Shibboleth SP documentation
# warns that header export can be spoofed by any request path that reaches
# the application without passing through mod_shib; confirm the backend is
# reachable only through this vhost, or use environment variables instead.
<LocationMatch "/">
AuthType shibboleth
ShibRequestSetting requireSession 1
require shib-session
Require valid-user
ShibUseHeaders On
</LocationMatch>
# handlerURL="/sso" in shib.xml: the SSO and SLO handlers must be reachable
# without a session, so authentication is switched off for this path. The
# IdP-initiated logout redirect described in the post presumably lands on
# the SLO handler under here.
<Location /sso>
AuthType None
Require all granted
</Location>
<Directory "***">
Options FollowSymLinks
</Directory>
# Static single-page app: any request that is not an existing file or
# directory (and not under /sso) is rewritten to index.html.
# NOTE(review): "Indexes" enables directory listings and "Includes" enables
# server-side includes for this tree; confirm both are intended.
# DirectoryIndex is declared twice; the repeat is harmless but redundant.
<Directory "****">
AllowOverride None
Require all granted
Options Indexes FollowSymLinks Includes
DirectoryIndex index.html
Order deny,allow
Allow from all
Options -MultiViews
DirectoryIndex index.html
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} "!^/sso"
RewriteRule ^ index.html [L]
</Directory>
</VirtualHost>