Shibboleth SP will not allow a user to log in for a few minutes after he/she logs out
Roman_CHRENKO at tempest.sk
Tue Oct 29 05:11:43 EDT 2019
Greetings, I would like to ask you for advice.
Our Shibboleth Service Provider will not allow a user to log in for a few minutes after he/she logs out. How can I disable this behaviour so that users can log in immediately after logout?
This is our scenario:
1. The user is logged in to a Shibboleth SP-protected site (e.g. https://www.mydomain.com/private/test1.jsp).
2. Then the user sends a logout request to the IDP (not a SAML request, only a GET request to a special URL):
3. The IDP is configured to send a LogoutRequest to the SP by front channel (POST binding), so the IDP returns a SAMLRequest (containing the LogoutRequest); this is sent by the browser to the ShibSP, and the ShibSP returns a SAMLResponse (containing the LogoutResponse) with a "Success" status.
4. The user closes the browser and opens it again. This takes longer than the "clockSkew" time (10 seconds in our case).
5. The user tries to connect to the protected site (e.g. https://www.mydomain.com/private/test1.jsp).
6. The user is redirected to the IDP, he/she is logged in (to the IDP) again, and the browser is redirected to the ShibSP (by POST binding, with a saml:Response of "Success"), but the ShibSP shows an error page:
The system encountered an error
FatalProfileException at https://www.mydomain.com/Shibboleth.sso/SAML2/POST
A logout message from your identity provider has blocked your login attempt.
The same message is written to shibd.log (WARN Shibboleth.SSO.SAML2 [default]: error processing incoming assertion: A logout message from your identity provider has blocked your login attempt.).
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config" xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="10">
# rpm -qa |grep -i shib
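The exchange described in steps 3 and 6 above, as an added diagnostic example that is not part of the original post or of the Shibboleth code base: it decodes the HTTP-POST-bound SAMLRequest (LogoutRequest) and the later SAMLResponse exactly as a browser would submit them, pulls out the fields that matter when comparing a logout with a re-login (issuer, NameID, SessionIndex, timestamps), and reports how far the new AuthnInstant lies from the logout relative to the configured clockSkew. The two messages are constructed samples; the SP endpoints follow the host named in the post, while the IdP entityID, message IDs, NameID, SessionIndex values and timestamps are invented.

```python
# Added diagnostic example (not from the original post or from Shibboleth):
# decode POST-bound SAML messages and compare a LogoutRequest with the
# Response of a subsequent login against a clockSkew value.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample messages (not captured traffic). The SP host is the one
# named in the post; the IdP entityID, IDs, NameID, SessionIndex values and
# timestamps are invented for this example.
IDP = "https://idp.example.org/idp/shibboleth"
SP_HOST = "https://www.mydomain.com"

LOGOUT_REQUEST_XML = f"""<samlp:LogoutRequest xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_lr1" Version="2.0"
    IssueInstant="2019-10-29T09:00:00Z" Destination="{SP_HOST}/Shibboleth.sso/SLO/POST">
  <saml:Issuer>{IDP}</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user1</saml:NameID>
  <samlp:SessionIndex>_sess1</samlp:SessionIndex>
</samlp:LogoutRequest>"""

RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2019-10-29T09:00:30Z"
    Destination="{SP_HOST}/Shibboleth.sso/SAML2/POST">
  <saml:Issuer>{IDP}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-10-29T09:00:30Z">
    <saml:Issuer>{IDP}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user1</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2019-10-29T09:00:30Z" SessionIndex="_sess2"/>
  </saml:Assertion>
</samlp:Response>"""


def encode_post_binding(xml_text: str) -> str:
    """HTTP-POST binding carries the message as base64(XML) in a form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_post_binding(form_value: str) -> ET.Element:
    """Decode a SAMLRequest/SAMLResponse form field back into an XML element."""
    return ET.fromstring(base64.b64decode(form_value))


def parse_instant(value: str) -> datetime:
    """SAML timestamps are UTC in xs:dateTime form, e.g. 2019-10-29T09:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize_logout_request(el: ET.Element) -> dict:
    """Fields of a LogoutRequest that identify which session the IdP ended."""
    return {
        "issuer": el.findtext("saml:Issuer", namespaces=NS),
        "name_id": el.findtext("saml:NameID", namespaces=NS),
        "session_index": el.findtext("samlp:SessionIndex", namespaces=NS),
        "issue_instant": parse_instant(el.get("IssueInstant")),
    }


def summarize_response(el: ET.Element) -> dict:
    """Status plus the subject and AuthnStatement of the first assertion."""
    status = el.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    assertion = el.find("saml:Assertion", NS)
    authn = assertion.find("saml:AuthnStatement", NS)
    return {
        "status": status.rsplit(":", 1)[-1],  # "Success" for the sample
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "session_index": authn.get("SessionIndex"),
        "authn_instant": parse_instant(authn.get("AuthnInstant")),
    }


def compare_relogin(logout: dict, login: dict, clock_skew_seconds: int) -> dict:
    """Relate the new login to the earlier logout: same principal/session? how far apart?"""
    delta = (login["authn_instant"] - logout["issue_instant"]).total_seconds()
    return {
        "status": login["status"],
        "seconds_after_logout": delta,
        "within_clock_skew": abs(delta) <= clock_skew_seconds,
        "same_issuer": logout["issuer"] == login["issuer"],
        "same_name_id": logout["name_id"] == login["name_id"],
        "same_session_index": logout["session_index"] == login["session_index"],
    }


def run_example(clock_skew_seconds: int = 10) -> dict:
    """Round-trip both sample messages through the POST binding and compare them."""
    logout = summarize_logout_request(decode_post_binding(encode_post_binding(LOGOUT_REQUEST_XML)))
    login = summarize_response(decode_post_binding(encode_post_binding(RESPONSE_XML)))
    return compare_relogin(logout, login, clock_skew_seconds)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

To use this on real traffic, paste the SAMLRequest value from the logout POST and the SAMLResponse value from the later login POST (both visible in the browser's developer tools) in place of the encoded samples; the comparison then shows whether the IdP reissued the same NameID or SessionIndex and how long after the logout the new AuthnInstant falls, which is the data point to quote when asking why the SP still treats the login as covered by the logout.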