
List:       shibboleth-users
Subject:    RE: IdP 3 password flow login page goes stale
From:       Michael Nielsen <michael.nielsen () cedargate ! com>
Date:       2017-08-24 22:14:37
Message-ID: SN2PR0801MB2303CFD8CA75A1F9569FCFEDEC9A0 () SN2PR0801MB2303 ! namprd08 ! prod ! outlook ! com

Thank you so much, Scott, for your helpful reply.

-----Original Message-----
From: users [mailto:users-bounces@shibboleth.net] On Behalf Of Cantor, Scott
Sent: Thursday, August 24, 2017 3:58 PM
To: Shib Users <users@shibboleth.net>
Subject: Re: IdP 3 password flow login page goes stale

On 8/24/17, 3:52 PM, "users on behalf of Michael Nielsen" <users-bounces@shibboleth.net on behalf of michael.nielsen@cedargate.com> wrote:

> If a user lingers on the login page for too long (> 10 minutes, < 15 minutes) and
> then enters a user name and password, the authentication proceeds but doesn't end
> up at the correct location on the SP.  After 15 minutes, the authentication fails.

Ending up at the right place is an SP function, it isn't anything the IdP influences.
If the SP is Shibboleth, one of the options for RelayState is in-memory and I believe
that does expire eventually, I don't know offhand how long it takes by default but it
could be 10 minutes.

On the IdP side, the issue is flat out controlled by Java servlet session behavior,
that's all that governs whether a webflow conversation stays intact or not. That's up
to you to control.

Neither is really at all connected to the IdP itself or any of its settings, though
servlet session timeouts can be manipulated in web.xml if desired. Normally a global
default change is good enough and doesn't need to be set there.

> One theory was that the login attempt gets bound to an LDAP thread when the page is
> presented, then the LDAP thread is reaped due to inactivity, since my
> idp.pool.LDAP.idleTime is 900.  That, in my sketchy view of the function of the IdP,
> could explain authentication failing after 15 minutes.

No connection at all, there is no stateful relationship to an LDAP server ever.
 
-- Scott


--
To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net
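As an added illustration of the web.xml point Scott makes above (this is not code from the thread or from the Shibboleth project): the servlet container discards the HTTP session that carries the IdP webflow conversation after the idle period set in the deployment descriptor. The file location and the 20-minute value are assumptions for an IdP 3 install that overlays edit-webapp/ onto the war; the element semantics are from the Servlet specification.

```xml
<!-- Added example, not from the thread. Assumed file:
     $IDP_HOME/edit-webapp/WEB-INF/web.xml, merged into idp.war
     when the war is rebuilt (path and rebuild step are assumptions). -->
<session-config>
  <!-- Idle minutes before the container drops the session, and with it the
       webflow conversation behind the login page. Size it to cover the longest
       time a user is expected to sit on the form; only set it here when the
       container's global default is not enough. A value of 0 or less means the
       session never times out on idle, so prefer a bounded value. -->
  <session-timeout>20</session-timeout>
</session-config>
```

The LDAP pool's idleTime plays no part in this, as Scott notes: it governs idle connections in the IdP's LDAP pool, not the user's HTTP session.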

