每次我重新打开浏览器时,Websphere Liberty 中的 OpenID SSO 都需要身份验证
OpenID SSO in Websphere Liberty requires authentication every time I reopen a browser
我已将 Websphere Liberty 定义为使用 OpenID Connect Provider by using following feature: openidConnectClient-1.0。
除 Liberty 要求用户在每次打开浏览器时进行身份验证外,一切正常,即关闭浏览器并删除所有身份验证详细信息。我的配置有什么问题,或者我错过了什么?
server.xml:
<featureManager>
<feature>jdbc-4.1</feature>
<feature>jndi-1.0</feature>
<feature>ldapRegistry-3.0</feature>
<feature>appSecurity-2.0</feature>
<feature>localConnector-1.0</feature>
<feature>servlet-3.1</feature>
<feature>openidConnectClient-1.0</feature>
<feature>adminCenter-1.0</feature>
<feature>webCacheMonitor-1.0</feature>
<feature>jaxrs-1.1</feature>
</featureManager>
<keyStore id="defaultKeyStore" password="xxxxxxx"/>
<httpEndpoint host="*" httpPort="9080" httpsPort="9443" id="defaultHttpEndpoint"/>
<openidConnectClient authFilterRef="applicationFilter"
authorizationEndpointUrl="https://xxxxxxxxxxx/authorize"
clientId="xxxxxxxx"
clientSecret="xxxxxxxxxx"
createSession="false"
disableLtpaCookie="false"
grantType="authorization_code"
httpsRequired="true"
id="sso_liberty"
issuerIdentifier="https://xxxxxxxx"
responseType="code"
scope="openid"
signatureAlgorithm="RS256"
tokenEndpointAuthMethod="post"
tokenEndpointUrl="https://xxxxxxxxxxxx/token"
trustAliasName="application_sso"
trustStoreRef="defaultKeyStore"
userIdentityToCreateSubject="sub">
</openidConnectClient>
<ltpa expiration="100h"
keysFileName="${server.output.dir}/resources/security/ltpa_new.keys"
keysPassword="xxxxx"/>
<authCache timeout="100h"/>
<applicationMonitor updateTrigger="mbean"/>
<ldapRegistry baseDN="O=xxxxxx.COM"
host="xxxxx.xxxxx.com"
id="LDAP"
ignoreCase="true"
ldapType="IBM Tivoli Directory Server"
port="xxxxx"
realm="xxxxxxxxx"
searchTimeout="8m">
<idsFilters groupFilter="xxxxxx"
groupIdMap="xxxx"
groupMemberIdMap="xxxxx"
userFilter="xxxxx"
userIdMap="xxxxx">
</idsFilters>
</ldapRegistry>
<authFilter id="applicationFilter">
<webApp id="application.angular" matchType="contains" name="application.angular"/>
<requestUrl matchType="notContain" urlPattern="/api/icalfeed"/>
</authFilter>
<webApplication id="application.angular" location="application.angular.war" name="application.angular">
<classloader apiTypeVisibility="spec, ibm-api, third-party" />
<application-bnd>
<security-role name="All Role">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
</application-bnd>
</webApplication>
用户的身份验证状态由您的 SSO 服务器维护。如果 Liberty 安全会话过期或浏览器关闭并重新打开,Liberty 会将用户重定向到 SSO 服务器,如果浏览器仍保持与 SSO 服务器的有效会话,则不会提示用户重新登录。但是,如果您的 SSO 服务器使用浏览器会话 cookie 来维护用户的身份验证状态,用户将被要求重新登录到您的 SSO 服务器。所以该行为由 SSO 服务器控制。
我已将 Websphere Liberty 定义为使用 OpenID Connect Provider by using following feature: openidConnectClient-1.0。
除 Liberty 要求用户在每次打开浏览器时进行身份验证外,一切正常,即关闭浏览器并删除所有身份验证详细信息。我的配置有什么问题,或者我错过了什么?
server.xml:
<featureManager>
<feature>jdbc-4.1</feature>
<feature>jndi-1.0</feature>
<feature>ldapRegistry-3.0</feature>
<feature>appSecurity-2.0</feature>
<feature>localConnector-1.0</feature>
<feature>servlet-3.1</feature>
<feature>openidConnectClient-1.0</feature>
<feature>adminCenter-1.0</feature>
<feature>webCacheMonitor-1.0</feature>
<feature>jaxrs-1.1</feature>
</featureManager>
<keyStore id="defaultKeyStore" password="xxxxxxx"/>
<httpEndpoint host="*" httpPort="9080" httpsPort="9443" id="defaultHttpEndpoint"/>
<openidConnectClient authFilterRef="applicationFilter"
authorizationEndpointUrl="https://xxxxxxxxxxx/authorize"
clientId="xxxxxxxx"
clientSecret="xxxxxxxxxx"
createSession="false"
disableLtpaCookie="false"
grantType="authorization_code"
httpsRequired="true"
id="sso_liberty"
issuerIdentifier="https://xxxxxxxx"
responseType="code"
scope="openid"
signatureAlgorithm="RS256"
tokenEndpointAuthMethod="post"
tokenEndpointUrl="https://xxxxxxxxxxxx/token"
trustAliasName="application_sso"
trustStoreRef="defaultKeyStore"
userIdentityToCreateSubject="sub">
</openidConnectClient>
<ltpa expiration="100h"
keysFileName="${server.output.dir}/resources/security/ltpa_new.keys"
keysPassword="xxxxx"/>
<authCache timeout="100h"/>
<applicationMonitor updateTrigger="mbean"/>
<ldapRegistry baseDN="O=xxxxxx.COM"
host="xxxxx.xxxxx.com"
id="LDAP"
ignoreCase="true"
ldapType="IBM Tivoli Directory Server"
port="xxxxx"
realm="xxxxxxxxx"
searchTimeout="8m">
<idsFilters groupFilter="xxxxxx"
groupIdMap="xxxx"
groupMemberIdMap="xxxxx"
userFilter="xxxxx"
userIdMap="xxxxx">
</idsFilters>
</ldapRegistry>
<authFilter id="applicationFilter">
<webApp id="application.angular" matchType="contains" name="application.angular"/>
<requestUrl matchType="notContain" urlPattern="/api/icalfeed"/>
</authFilter>
<webApplication id="application.angular" location="application.angular.war" name="application.angular">
<classloader apiTypeVisibility="spec, ibm-api, third-party" />
<application-bnd>
<security-role name="All Role">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
</application-bnd>
</webApplication>
用户的身份验证状态由您的 SSO 服务器维护。如果 Liberty 安全会话过期或浏览器关闭并重新打开,Liberty 会将用户重定向到 SSO 服务器,如果浏览器仍保持与 SSO 服务器的有效会话,则不会提示用户重新登录。但是,如果您的 SSO 服务器使用浏览器会话 cookie 来维护用户的身份验证状态,用户将被要求重新登录到您的 SSO 服务器。所以该行为由 SSO 服务器控制。