Shibboleth SSO CORS error


Problem description

Our app (AngularJS + REST) is protected by a Shibboleth service provider for SSO. The issue is that we are seeing CORS errors when trying to make Ajax calls to the REST services, saying the redirect to the IDP failed: "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at"

However, if we refresh/reload the browser, everything works fine. I believe the cookie is not created the first time around, and only gets created after a forced reload.

Obviously, refreshing the browser every single time is not an acceptable solution.

What needs to be done in order to make this work without a reload?

Thanks for any pointers in advance.

Solution

I'm dealing with this issue myself. I don't believe there is any CORS support in the Shibboleth IDP, and the solution I'm going with is an active keep-alive ping from the client:

  • Periodically make an Ajax request to some location under the Shibboleth auth session to keep that session from timing out (e.g. using setTimeout)
  • If that request fails, throw up a full-page error prompting the user to reload the page, with something like this

As long as the browser tab is open and the client machine is awake, this will prevent XHR errors of this kind for at least the session "lifetime":

lifetime (time in seconds) (default is 28800): Maximum duration in seconds that a session maintained by the SP will be valid. The actual time may be less than this value (if an IdP indicates it should be shorter) but will never be longer. Note that this will not influence sessions maintained by an application.

If the client machine goes to sleep and enough pings are missed, or if the SP's session storage is cleared, they'll get the full-screen error pretty much immediately and can reload to either re-authenticate or just re-establish their Shibboleth session.

I think that's the best we can do without CORS in the IDP!


Here's the Apache config that ended up working for me, in case anyone else lands here:

RewriteEngine On

<Location />
    AuthType Shibboleth
    ShibUseHeaders On
    ShibRequireSession On
    Require valid-user
    AuthGroupFile /etc/httpd/groups
</Location>

RewriteCond "%{LA-F:REMOTE_USER}" =""
RewriteRule ^/session-ping$ /yoursessiondoesnotexist [PT,L]

<Location /yoursessiondoesnotexist>
    AuthType None
    Require all granted
</Location>

RewriteCond "%{LA-F:REMOTE_USER}" !=""
RewriteRule ^/session-ping$ /ok.html [PT,L]

Alias /ok.html /var/www/ok.html

SetEnvIf Request_URI "^/session-ping$" DONTLOG

CustomLog /dev/stdout ncgl env=!DONTLOG

I poll /session-ping every five seconds with XHR and throw up my "your session expired" modal/dimmer when it gets a non-200 status code.
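The browser side of this keep-alive, as an added example that is not part of the original answer: it assumes the /session-ping rules from the Apache config above (200 only while Shibboleth has populated REMOTE_USER) and the answer's five-second interval; the function and option names are this example's own.

```javascript
// Added example client (not from the original answer); names are assumptions.
const SESSION_PING_URL = "/session-ping";
const PING_INTERVAL_MS = 5000; // the answer polls every five seconds

// Map one ping outcome to a session state. The rewrite rules answer 200
// (ok.html) only when Shibboleth has set REMOTE_USER; any other status,
// or a failed request (status null), means the SP session is gone.
function sessionStateFromStatus(status) {
  return status === 200 ? "alive" : "expired";
}

// State machine driven by ping outcomes, kept free of timers and fetch so it
// can be tested directly. onExpired (the "session expired" modal) fires once.
function createSessionPinger({ onExpired }) {
  let expired = false;
  return {
    record(status) {
      if (!expired && sessionStateFromStatus(status) === "expired") {
        expired = true;
        onExpired();
      }
      return expired ? "expired" : "alive";
    },
    isExpired() { return expired; },
  };
}

// Browser wiring: poll with fetch, sending same-origin cookies and bypassing
// the cache, and stop polling once the session is reported expired. A
// rejected fetch (offline, machine was asleep) counts as a missed ping.
function startSessionPing(onExpired, intervalMs = PING_INTERVAL_MS) {
  const pinger = createSessionPinger({ onExpired });
  async function tick() {
    let status = null;
    try {
      const res = await fetch(SESSION_PING_URL, {
        credentials: "same-origin",
        cache: "no-store",
      });
      status = res.status;
    } catch (err) {
      // leave status null: treated as an expired session
    }
    if (pinger.record(status) === "alive") setTimeout(tick, intervalMs);
  }
  tick();
  return pinger;
}
```

Call startSessionPing(showExpiredModal) once after the app loads; the returned pinger's isExpired() tells the rest of the app whether to stop issuing REST calls.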

