List: shibboleth-users
Subject: RE: IdP 3 password flow login page goes stale
From: Michael Nielsen <michael.nielsen () cedargate ! com>
Date: 2017-08-24 22:14:37
Message-ID: SN2PR0801MB2303CFD8CA75A1F9569FCFEDEC9A0 () SN2PR0801MB2303 ! namprd08 ! prod ! outlook ! com
Thank you so much, Scott, for your helpful reply.
-----Original Message-----
From: users [mailto:users-bounces@shibboleth.net] On Behalf Of Cantor, Scott
Sent: Thursday, August 24, 2017 3:58 PM
To: Shib Users <users@shibboleth.net>
Subject: Re: IdP 3 password flow login page goes stale
On 8/24/17, 3:52 PM, "users on behalf of Michael Nielsen" <users-bounces@shibboleth.net on behalf of michael.nielsen@cedargate.com> wrote:
> If a user lingers on the login page for too long (> 10 minutes, < 15
> minutes) and then enters a user name and password, the authentication proceeds but
> doesn't end up at the correct location on the SP. After 15 minutes, the
> authentication fails.
Ending up at the right place is an SP function; it isn't anything the IdP influences.
If the SP is Shibboleth, one of the options for RelayState is in-memory and I believe
that does expire eventually. I don't know offhand how long it takes by default, but it
could be 10 minutes.

On the IdP side, the issue is flat out controlled by Java servlet session behavior;
that's all that governs whether a webflow conversation stays intact or not. That's up
to you to control.

Neither is really at all connected to the IdP itself or any of its settings, though
servlet session timeouts can be manipulated in web.xml if desired. Normally a global
default change is good enough and doesn't need to be set there.
> One theory was that the login attempt gets bound to an LDAP thread
> when the page is presented, then the LDAP thread is reaped due to
> inactivity, since my idp.pool.LDAP.idleTime is 900. That, in my sketchy view of
> the function of the IdP, could explain authentication failing after 15 minutes.
No connection at all, there is no stateful relationship to an LDAP server ever.
-- Scott
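For readers who want to see what the web.xml route Scott mentions looks like, the fragment below is an added example; it is not from the thread and not shipped by the Shibboleth project. It assumes the IdP 3 convention of placing overrides in the edit-webapp/WEB-INF/web.xml overlay and rebuilding idp.war with bin/build.sh; the 60-minute value is illustrative, and the 30-minute figure is the usual container default, not a Shibboleth setting.

```xml
<!-- Added example, not part of the original thread. Drop this inside the
     existing <web-app> element of edit-webapp/WEB-INF/web.xml (assumed IdP 3
     overlay location), then rebuild idp.war with bin/build.sh so the
     distribution's web.xml picks it up. -->
<session-config>
    <!-- Servlet-spec idle timeout for the HttpSession, in minutes. The login
         webflow conversation lives in this session, so a user who sits on the
         login page longer than this loses the conversation. Containers
         typically default to 30 (Tomcat conf/web.xml, Jetty webdefault.xml);
         a site-wide change there is usually preferable to setting it here.
         60 is an illustrative value; 0 or a negative number disables expiry
         entirely, which widens the window a stolen session cookie stays
         usable, so avoid it. -->
    <session-timeout>60</session-timeout>
    <!-- Servlet 3.0 cookie hardening for the JSESSIONID cookie that carries
         the conversation; independent of the timeout but worth setting in
         the same place. -->
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
```

Note the trade-off: raising the timeout only papers over users who linger on the login page, and every minute added is a minute longer that an idle, unauthenticated session stays resumable. If the symptom is the 10-minute boundary described above, check the container's effective default first, since a per-webapp value here overrides it.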
--
To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net