SLO Problems

Darren Boss darren.boss at computecanada.ca
Wed Apr 17 09:13:55 EDT 2019


I was starting to feel bad about hijacking this thread but it turns out we
really were working on the same issue! I'm still having issues even when
removing the jetty-rewrite.xml completely but now I'm closer to a working
configuration. I see a status 502 for the PropagateLogout
(PropagateLogout?SessionKey=N) URL when I use the developer console in
Chrome. In Firefox the logout now gets to the point where the red x is
displayed beside each SP, and in both browsers I no longer see the error
messages I reported before. I also confirmed in the dev console that the
CSP and frameoptions HTTP headers are no longer there.

I wasn't sure that there were many using the Unicon image, but I noticed
that it was still getting quickly updated when a new release of the IdP
came out, and they recently started using multi-stage builds, so it's still
being supported. Even if it wasn't, it's pretty simple to tweak the
Dockerfile to target new versions of Jetty, Shib IdP or Java and rebuild.


On Tue, Apr 16, 2019 at 7:41 PM Bob Allison <shib at allisonr.us> wrote:

> I am also using that image. I confirmed that removing jetty-rewrite.xml
> completely solved my problems. Only removing the last addRule was not
> enough for me. I guess the question is if there is any reason to have the
> file at all if both rules have been removed.
>
> On Apr 16, 2019, at 13:07, Darren Boss <darren.boss at computecanada.ca>
> wrote:
>
> So I think I tracked it down to Jetty configuration. I'm using the Unicon
> shibboleth-idp-dockerized image although I rebuild it and I do make some
> minor tweaks as a layer on top of their image.
>
>
> https://github.com/Unicon/shibboleth-idp-dockerized/blob/master/opt/shib-jetty-base/etc/jetty-rewrite.xml
>
> I think that's the culprit and that last addRule can be removed. If it
> works I'll create a PR to their project.
>
> On Tue, Apr 16, 2019 at 11:19 AM Cantor, Scott <cantor.2 at osu.edu> wrote:
>
>> On 4/16/19, 9:43 AM, "users on behalf of Darren Boss" <
>> users-bounces at shibboleth.net on behalf of darren.boss at computecanada.ca>
>> wrote:
>>
>> > It does look like my problem might be related to running under
>> > Kubernetes, specifically that http headers are being set
>> > by the nginx proxy.
>>
>> That doesn't inherently mean the headers are in fact correctly usable out
>> of the box, there still might be a mistake in our understanding.
>>
>> You should NOT need to alter the headers to make logout work, and I have
>> never had to do so in any testing scenarios I've attempted. So either my
>> testing is artificial and doesn't match a real world issue in some way, or
>> people are mistaken somewhere about what Chrome is really saying.
>>
>> -- Scott
>>
>>
>> --
>> For Consortium Member technical support, see
>> https://wiki.shibboleth.net/confluence/x/coFAAg
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
>>



-- 

*Darren Boss*
*Senior Programmer/Analyst*
*Programmeur-analyste principal*
*darren.boss at computecanada.ca*
*(o) 416.228.1234 x 230*
*(c) 919.525.0083*