Shibboleth SSO doesn't log user out when browser is closed and reopened, seems to be caused by configuration?

Tian, Jian [CRI] JTian1 at bsd.uchicago.edu
Thu Nov 14 16:36:44 EST 2019


Hello,

My setup is on Windows 10 with IIS7, Shibboleth SP version 3.4.1. The SP is installed as a Windows service. I am testing in the Chrome browser. Since my application is running on IIS, I am using shibboleth2.xml to configure the Shibboleth service provider.

Due to a requirement of the application, I recently made a change to the configuration of the <RequestMapper> element. Previously, the Shib SP was protecting everything under the root path, i.e.:

<RequestMapper type="Native">
    <RequestMap>
        <Host name="domainName" port="443" scheme="https" requireSession="true" authType="shibboleth">
        </Host>
    </RequestMap>
</RequestMapper>

Now I still need the Shib SP to protect the domain name's root path, but the `/api` sub-path needs to be left open for API calls without auth. Additionally, `/api/user` should still be protected, as that endpoint is used for login.

<RequestMapper type="Native">
    <RequestMap>
        <Host name="domainName" port="443" scheme="https" requireSession="true" authType="shibboleth">
            <Path name="api" requireSession="false" authType="shibboleth">
                <Path name="user" requireSession="true" authType="shibboleth">
                </Path>
            </Path>
        </Host>
    </RequestMap>
</RequestMapper>

After restarting the Shib SP service, the config works as intended: the root and /api/user are protected, the other endpoints under /api are not.

However, the application began to exhibit a new behavior. Before this change, closing and reopening the browser would log the user out, meaning the SP would detect that the user is no longer logged in and redirect the user to the login page. Right now, though, if I request the root path from the browser, the SP does not redirect the user to the login page but passes the user straight through to the requested page. The problem is that even though the user can see the page, he/she is not actually logged in, and this causes an exception on the part of the application. This problem keeps occurring until the user refreshes the page, in which case he/she is redirected to the login page as normal.

The reason I think the configuration caused the problem is that 1) protecting the entire site works fine, and 2) if I change the "requireSession" attribute on the /api `<Path>` element to true, then the site also works as normal. I don't see anything unusual going on in shibd.log.

Right now I am at a loss as to what else to try. Can anyone provide some insight into why this problem is occurring, or where to start debugging this?

Thank you,
Jian Tian
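As an added illustration (not part of the original post, and not Shibboleth's own code), the following Python model shows how a native RequestMap like the one above resolves the effective settings for a URL: the Host supplies defaults, each nested Path that matches a successive path segment overrides them, and the deepest match wins. It assumes segment-by-segment, exact name matching and that an unset requireSession defaults to false; the RequestMap string is the poster's configuration wrapped so it parses on its own. It is a debugging aid for checking what the configuration is expected to do for a given path, not an explanation of the observed behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the RequestMap from the post, wrapped in a minimal
# root so it parses stand-alone. It is not a complete shibboleth2.xml.
REQUEST_MAP_XML = """
<RequestMapper type="Native">
  <RequestMap>
    <Host name="domainName" port="443" scheme="https" requireSession="true" authType="shibboleth">
      <Path name="api" requireSession="false" authType="shibboleth">
        <Path name="user" requireSession="true" authType="shibboleth"/>
      </Path>
    </Host>
  </RequestMap>
</RequestMapper>
"""

# Settings that cascade from Host into nested Path elements. This list is an
# assumption for the model; only the two attributes used in the post are handled.
INHERITED = ("requireSession", "authType")


def _to_value(name, raw):
    """Turn the SP's string attribute values into Python values."""
    if name == "requireSession":
        return raw.strip().lower() == "true"
    return raw


def effective_settings(xml_text, host, path):
    """Return (label of the deepest matching element, effective settings dict)."""
    root = ET.fromstring(xml_text)
    host_elem = next((h for h in root.iter("Host") if h.get("name") == host), None)
    if host_elem is None:
        raise LookupError(f"no <Host name={host!r}> in RequestMap")

    # Host-level attributes are the defaults for everything below it.
    settings = {n: _to_value(n, host_elem.attrib[n]) for n in INHERITED if n in host_elem.attrib}
    matched = f"Host {host}"

    # Walk the URL one segment at a time; stop at the first segment with no
    # matching <Path>. Matching is exact and case-sensitive here (assumption).
    current, consumed = host_elem, []
    for segment in [s for s in path.split("/") if s]:
        nxt = next((p for p in current.findall("Path") if p.get("name") == segment), None)
        if nxt is None:
            break
        consumed.append(segment)
        current = nxt
        matched = "Path /" + "/".join(consumed)
        for n in INHERITED:
            if n in current.attrib:
                settings[n] = _to_value(n, current.attrib[n])
    return matched, settings


def requires_session(xml_text, host, path):
    """True if the SP should demand a session for this path; unset means false."""
    return effective_settings(xml_text, host, path)[1].get("requireSession", False)


if __name__ == "__main__":
    for p in ("/", "/index.html", "/api", "/api/status", "/api/user", "/api/user/me", "/apix/user"):
        label, s = effective_settings(REQUEST_MAP_XML, "domainName", p)
        print(f"{p:14} -> {label:16} requireSession={s['requireSession']}")
```

Running it prints one line per path; anything that does not resolve the way you expect (for example a path you believed was under /api/user but actually falls under the open /api branch) is worth comparing against the SP's own view of the request in the native.log or shibd.log before looking at the application.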
