I used "https://localhost:9443/t/carbon.super/api/users/v1/me/sessions" to kill all the sessions.
The service runs without an issue, but the sessions are still active. What is wrong here? I attached images of my response from the C# code and the response from Postman.
I am using WSO2 5.9.0
I deployed the photo-edit and photo-view samples as described here and Service providers created successfully. I also setup the three users following the notes.
I start the Tomcat server and I reach the photo-edit app. I log in with Lily's credentials (admin user) and the next step is to approve username sharing.
I choose approve once and continue, and here is my issue. Nothing happens until the session expires. I tried to check the Tomcat logs but I can't find any helpful information.
I had deployed Playground2 in the past and the authentication point works fine. I also tried to change the callback URL through the WSO2 dashboard (photo-edit service provider) but I get the same callback URL error.
Any thoughts?
I have an Authentication microservice in Pivotal cloud foundry which is built on Spring SAML2. It is integrated with PingFederate IDP. Whenever this service is invoked from a web application, a JSESSIONID is created. In order for this service to work properly, sticky session needs to be enabled. The http request for auth and the response has to be handled by the same service instance in PCF. However, it is not happening. Request is going out from one instance and response coming back to another instance. Since the response doesn't find the SAML message in current session, the authentication fails. Below is the flow -
Browser-->GoRouter for UI-->Angular UI Service and Nginx Reverse proxy-->GoRouter for API-->Auth Service-->PingFed
PCF allows sticky sessions based on JSESSIONID. However, when the web app tries to access the Auth service through the Nginx reverse proxy, there are 2 VCAP_ID's created for a single JSESSIONID. Due to this, the response from PingFed is not able to reach the same auth service instance that the request went out from. So, I would like to know why PCF is creating 2 __VCAP_ID's for a JSESSIONID when the request comes through the reverse proxy?
I tried different storage like Redis. But since Spring SAML2 works on httpstorage, I was not successful. It will be like hacking Spring SAML2, which I don't want to do.
I tried to check which app the VCAP_ID's belong to by restaging the applications. I found out that one VCAP_ID was for the reverse proxy instance and the other one was for the auth service. So, the VCAP_ID for the reverse proxy is causing the issue and I am not sure how to eliminate that.
Expected: PCF should create ONE VCAP_ID for a JSESSIONID per instance.
Actual: PCF creating TWO VCAP_ID's for a JSESSIONID per instance
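A way to confirm the symptom described above from captured response headers, as an added example that is not part of the original post: it groups affinity cookies by JSESSIONID and reports any session that was handed more than one. The header capture is constructed, and treating any cookie whose name starts with `__VCAP_ID` as the affinity cookie, and attaching it to the most recently set JSESSIONID, are assumptions.

```python
from collections import defaultdict
from http.cookies import CookieError, SimpleCookie

# Constructed capture: (label, Set-Cookie header values) per observed response.
CAPTURED = [
    ("auth request, as set on the API route",
     ["JSESSIONID=S1; Path=/; HttpOnly",
      "__VCAP_ID__=auth-instance-guid; Path=/; HttpOnly"]),
    ("same exchange, as seen after the reverse-proxy hop",
     ["__VCAP_ID__=proxy-instance-guid; Path=/; HttpOnly"]),
    ("unrelated session with a single affinity cookie",
     ["JSESSIONID=S2; Path=/; HttpOnly",
      "__VCAP_ID__=auth-instance-guid; Path=/; HttpOnly"]),
]

def parse_set_cookie(line):
    """Return (name, value) for one Set-Cookie header value, or None."""
    jar = SimpleCookie()
    try:
        jar.load(line)
    except CookieError:
        return None
    for name, morsel in jar.items():
        return name, morsel.value
    return None

def affinity_by_session(responses, session_cookie="JSESSIONID",
                        affinity_prefix="__VCAP_ID"):
    """Map each session id to the distinct affinity values issued with it."""
    seen = defaultdict(list)
    current = None  # assumption: affinity cookies belong to the last session set
    for _label, lines in responses:
        parsed = [p for p in map(parse_set_cookie, lines) if p]
        for name, value in parsed:
            if name == session_cookie:
                current = value
        for name, value in parsed:
            if name.startswith(affinity_prefix) and current:
                if value not in seen[current]:
                    seen[current].append(value)
    return dict(seen)

def split_affinity(responses):
    """Sessions that received more than one affinity value (the reported symptom)."""
    return {s: v for s, v in affinity_by_session(responses).items() if len(v) > 1}

if __name__ == "__main__":
    for sid, ids in split_affinity(CAPTURED).items():
        print(f"{sid}: {len(ids)} affinity cookies -> {ids}")
```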
We are going to be using WSO2 Identity server to authenticate users into a web portal. The web portal will contain many sso links to other systems. Currently, the only identity protocol we are using is CAS (From Ellucian).
Our issue is when someone logs into our web portal, using CAS from wso2, then that user browses around through the portal for 10+ minutes, then that user clicks a link to a service relying on the wso2 session, that session has timed out, and the user must log into wso2 again.
Is it possible to programmatically extend the user's session by sending something from the web portal periodically? Like a URL call saying "Hey, I'm still using the wso2 session, don't end it please!".
Any request that you make from that browser to WSO2 IS from your application (e.g. a portlet or servlet) that accesses the session will automatically extend it.
If you are using the SSO features of IS, it has a default session idle timeout of 15 minutes. You can increase this timeout as described in [1]. As this is an idle timeout, any request that accesses the session in the IS will delay the session expiry time, as described in this answer.
[1] https://docs.wso2.com/display/IS510/Configuring+Session+Timeout
I'm currently using WSO2 Identity server along with several service providers. I have also configured Single sign on between them.
According to the documentation, a system admin can configure a validity in seconds for any SSO sessions under /repository/conf/identity.xml, so that a user can enter their credentials, tick "remember me", and log in to any service provider while the session is still valid. However, changing this value doesn't seem to have any effect. Users can still log in to the other service provider even when the SSO session has supposedly expired.
Searching a bit more turned up this JIRA on WSO2 Oxygen Tank, which describes exactly the same problem and has a patch that calls setMaxAge on the "Remember me" cookie, but this hasn't fixed the issue.
Furthermore, according to this question sessions in memory must be persisted after 15 minutes, and the persistence doesn't work properly. There are a few patches. Yet still, when I try a value of, say, 30 seconds, I can still log-in on another service provider after the SSO session has supposedly expired, so I don't think it's a persistence issue since the session is still on the cache.
How exactly is the session expired on the identity server? Does it send LogoutRequests to every configured service provider on timeout, or is the expiration only valid for new sessions?
How exactly is the session expired on the identity server?
By default, Identity Server 5.0 has a session of 15 mins, and the time can only be reduced using the web.xml (which is in the <IS_HOME>/repository/conf/tomcat/carbon/WEB-INF/ folder).
If you installed Service Pack 1 for Identity Server 5.0, it has session persistence as well. So using that, Identity Server's session timeout can be increased as mentioned in the docs.
Does it send LogoutRequests to every configured service provider on timeout, or is the expiration only valid for new sessions?
The Identity Server session timeout is only valid for new sessions, and it does not send any LogoutRequests to service providers to invalidate existing service providers' sessions.
Found an issue: the Forms authentication cookie is not shared between the requests to the service.
The cookie '.ASPXAUTH' is generated and sent to the browser from the Login service successfully, but the cookie is not sent with subsequent requests to the same service.
Found that when calling the service from the Cloud app, the request uses HTTP 1.1 and the response is HTTP 1.0.
More observations with the user of Fiddler and other tools:
Working fine for the following circumstances:
Running Service and Client website from local development system
Hosting Service and Client on same IIS (local and remote)
Accessing based on URLs, cookies transmitted properly
Not working for the following circumstances:
Hosting service and Client in different IIS servers.
Hosting Service in IIS (or Azure) and Client from local development system
Some more details:
Both requests are made to the same service, i.e. same domain, same protocol, same port nr, etc.
Updates at 20-12-2012 15:14:
As I said earlier, the Login functionality works on the Ajax call without fail. Fiddler shows the Set-Cookie on the response, but the browser is not reading the cookie.
I tried to read document.cookies in the "complete:" event of $.Ajax(), where I am unable to read the cookie. This means the browser is not getting or holding the cookie (whereas Fiddler shows it on the response of the same call).
Regards,
Ramakrishna
Using the Forms Auth, have you performed some actions to take the ASP.NET Session out of process and out of server?
You cannot share the session between servers, so you have to either use the SQL Session State provider and put the session into SQL Azure, or use the Windows Azure Cache and the provided Session State Provider to store the session in a cache.
I'm sure you are good in using internet search engines, but here is a list of good articles to start with (taking the session out of process):
http://msdn.microsoft.com/en-us/wazplatformtrainingcourse_buildingappswithcacheservice_topic3.aspx
http://msdn.microsoft.com/en-us/library/windowsazure/gg185668.aspx
http://msdn.microsoft.com/en-us/library/windowsazure/gg278339.aspx