OpenID SSO in Websphere Liberty requires authentic

Published 2019-06-09 14:50

Question:

I've defined Websphere Liberty to use OpenID Connect Provider by using following feature: openidConnectClient-1.0.

Everything works fine except that Liberty requires the user to authenticate every time they open the browser, i.e. closing the browser removes all authentication details. What's wrong with my configuration, or maybe I've missed something?

server.xml:
<featureManager>
    <feature>jdbc-4.1</feature>
    <feature>jndi-1.0</feature>
    <feature>ldapRegistry-3.0</feature>
    <feature>appSecurity-2.0</feature>
    <feature>localConnector-1.0</feature>
    <feature>servlet-3.1</feature>
    <feature>openidConnectClient-1.0</feature>
    <feature>adminCenter-1.0</feature>
    <feature>webCacheMonitor-1.0</feature>
    <feature>jaxrs-1.1</feature>
</featureManager>

<keyStore id="defaultKeyStore" password="xxxxxxx"/>

<httpEndpoint host="*" httpPort="9080" httpsPort="9443" id="defaultHttpEndpoint"/>

<openidConnectClient authFilterRef="applicationFilter"
                     authorizationEndpointUrl="https://xxxxxxxxxxx/authorize" 
                     clientId="xxxxxxxx"
                     clientSecret="xxxxxxxxxx" 
                     createSession="false" 
                     disableLtpaCookie="false" 
                     grantType="authorization_code" 
                     httpsRequired="true" 
                     id="sso_liberty" 
                     issuerIdentifier="https://xxxxxxxx" 
                     responseType="code" 
                     scope="openid" 
                     signatureAlgorithm="RS256" 
                     tokenEndpointAuthMethod="post" 
                     tokenEndpointUrl="https://xxxxxxxxxxxx/token" 
                     trustAliasName="application_sso" 
                     trustStoreRef="defaultKeyStore" 
                     userIdentityToCreateSubject="sub">
</openidConnectClient>

<ltpa expiration="100h" 
        keysFileName="${server.output.dir}/resources/security/ltpa_new.keys" 
        keysPassword="xxxxx"/>
<authCache timeout="100h"/>

<applicationMonitor updateTrigger="mbean"/>


<ldapRegistry baseDN="O=xxxxxx.COM" 
                host="xxxxx.xxxxx.com" 
                id="LDAP" 
                ignoreCase="true" 
                ldapType="IBM Tivoli Directory Server" 
                port="xxxxx" 
                realm="xxxxxxxxx" 
                searchTimeout="8m">
    <idsFilters groupFilter="xxxxxx" 
                    groupIdMap="xxxx"  
                    groupMemberIdMap="xxxxx" 
                    userFilter="xxxxx" 
                    userIdMap="xxxxx">
    </idsFilters>
</ldapRegistry>

<authFilter id="applicationFilter">
    <webApp id="application.angular" matchType="contains" name="application.angular"/>
    <requestUrl matchType="notContain" urlPattern="/api/icalfeed"/>
</authFilter>

<webApplication id="application.angular" location="application.angular.war" name="application.angular">
    <classloader apiTypeVisibility="spec, ibm-api, third-party"  />
    <application-bnd>
        <security-role name="All Role">
            <special-subject type="ALL_AUTHENTICATED_USERS" />
        </security-role>
    </application-bnd>
</webApplication>

Answer 1:

The user's authentication status is maintained by your SSO server. If the Liberty security session expires or the browser is closed and reopened, Liberty will redirect the user to the SSO server, and the user will not be prompted to log in again if the browser still maintains a valid session with the SSO server. However, if your SSO server uses a browser session cookie to maintain the user's authentication status, the user will be asked to log in to your SSO server again. So the behavior is controlled by the SSO server.
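The answer hinges on whether the cookies carrying the authentication state are browser-session cookies (no Expires or Max-Age) or persistent ones. As an added example, not part of the original question or answer, this Python snippet classifies Set-Cookie headers the way a practitioner would when checking what Liberty and the SSO server actually return; the sample headers are constructed, LtpaToken2 is Liberty's default SSO cookie name, and the IdP cookie name `idp_session` is an assumption.

```python
"""Classify Set-Cookie headers as browser-session or persistent cookies.

Sample headers below are constructed, not captured from a real server.
LtpaToken2 is Liberty's default SSO cookie; "idp_session" is assumed.
"""
from email.utils import parsedate_to_datetime

# Constructed sample headers (not from any real deployment).
SAMPLE_SET_COOKIE_HEADERS = [
    # Liberty LTPA cookie: no Expires/Max-Age, so the browser drops it on
    # close even though the token itself (ltpa expiration="100h") is valid.
    "LtpaToken2=dGVzdHRva2Vu; Path=/; Secure; HttpOnly",
    # Hypothetical SSO-server session cookie, also browser-session scoped:
    # closing the browser forces a fresh login at the provider.
    "idp_session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    # Persistent cookie via Max-Age: survives a browser restart.
    "remember_me=xyz; Path=/; Max-Age=360000; Secure; HttpOnly",
    # Persistent cookie via Expires (Max-Age wins if both are present).
    "legacy=1; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT",
]


def classify_cookie(header):
    """Parse one Set-Cookie header value into a summary dict."""
    name_value, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = name_value.partition("=")
    info = {"name": name, "value": value, "max_age": None,
            "expires": None, "secure": False, "httponly": False}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            info["max_age"] = int(val)
        elif key == "expires":
            info["expires"] = parsedate_to_datetime(val.strip())
        elif key == "secure":
            info["secure"] = True
        elif key == "httponly":
            info["httponly"] = True
    # RFC 6265: a cookie with neither Max-Age nor Expires lasts only for
    # the browser session; Max-Age takes precedence over Expires.
    info["persistent"] = info["max_age"] is not None or info["expires"] is not None
    return info


def session_scoped_cookies(headers):
    """Names of cookies that will be discarded when the browser closes."""
    return [c["name"] for c in map(classify_cookie, headers) if not c["persistent"]]


if __name__ == "__main__":
    for c in map(classify_cookie, SAMPLE_SET_COOKIE_HEADERS):
        print(f'{c["name"]:12} persistent={c["persistent"]} secure={c["secure"]}')
    print("lost on browser close:", session_scoped_cookies(SAMPLE_SET_COOKIE_HEADERS))
```

Run it against the real Set-Cookie headers from your Liberty endpoint and from the SSO server's login response to see which side is dropping state when the browser closes.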