I have an application (1) running on Jetty, deployed in Kubernetes. On top of the application, we are using another deployment to enable SSO using apache2/shibboleth SAML2 with an IdP provider.
So the container running apache2/shibboleth has been exposed via an ingress, and httpd.conf is used to redirect the traffic to the backend deployment (jetty app). The application works fine on the first attempt and keeps working as long as we use it. If we leave the application idle with the browser open, it throws a CORS error.
This is the error:

Access to XMLHttpRequest at 'https://eIDP_provider:8443/nidp/saml2/sso?SAMLRequest=hZJPU4MwEMW%2FCpN…NcmKW6W1uSJ9aQmtiBnaU3puhSCt5GHnokA82DtQCwXVM8UfnwwKisVcJJSXQqm2eK3Q%3D%3D' (redirected from 'https://shib_ingress.domain.com/app_jetty/?wicket:interface=:1:searchPanel:p…searchForm:queryTypeSelect::IBehaviorListener:0:&random=0.9935442197361537') from origin 'https://shib_ingress.domain.com/' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource
Here are the ingress annotations used:
ingress.kubernetes.io/whitelist-source-range: 10.36.160.128/25
nginx.ingress.kubernetes.io/affinity: cookie
nginx.ingress.kubernetes.io/affinity-mode: persistent
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/cors-allow-origin: https://shib_ingress.domain.com
nginx.ingress.kubernetes.io/cors-max-age: "1728000"
nginx.ingress.kubernetes.io/keepalive: "6000"
nginx.ingress.kubernetes.io/proxy-pass-headers: '*'
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
app_jetty.conf:
ProxyPass /Shibboleth.sso/Status !
ProxyPassReverse /Shibboleth.sso/Status !
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
Header set employeeNumber %{employeeNumber}e
Header set email %{email}e
Header set displayName %{displayName}e
Header set roles %{roles}e
Header set MyHeader "%D %t"
RequestHeader set X-My-Host-Header "%{custom_host}e"
RequestHeader set X-Role-Host-Header "%{roles}e"
RequestHeader set email "%{email}e"
RequestHeader set displayName "%{displayName}e"
RequestHeader set roles "%{roles}e"
RequestHeader set employeeNumber "%{employeeNumber}e"
<VirtualHost _default_:8090>
UseCanonicalName On
ServerAdmin root@localhost
ServerName https://shib_ingress.domain.com
ServerAlias shib_ingress.domain.com
# Shibboleth-Attribute mapping to HTTP Headers for delivery to PF Server
Header set employeeNumber %{employeeNumber}e
Header set email %{email}e
Header set displayName %{displayName}e
Header set roles %{roles}e
RequestHeader set email "%{email}e"
RequestHeader set displayName "%{displayName}e"
RequestHeader set roles "%{roles}e"
RequestHeader set employeeNumber "%{employeeNumber}e"
RequestHeader set roles %{roles}e
#Attributes end here
ProxyPass /Shibboleth.sso/Status https://127.0.0.1/Shibboleth.sso/Status
ProxyPassReverse /Shibboleth.sso/Status https://127.0.0.1/Shibboleth.sso/Status
ProxyPass /app_jetty https://app.ns.svc.cluster.local:8080/app_jetty
ProxyPassReverse /app_jetty https://app.ns.svc.cluster.local:8080/app_jetty
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
</VirtualHost>
Shibboleth authorization conf:
LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
ShibCompatValidUser Off
<Location /Shibboleth.sso>
AuthType None
Require all granted
</Location>
<Location /secure>
AuthType shibboleth
ShibRequestSetting requireSession 1
require shib-session
</Location>
#Added for app_jetty EIAM Auth
<Location /app_jetty>
AuthType shibboleth
ShibRequestSetting requireSession 1
require shib-session
</Location>
I have tried multiple approaches to solve the issue by implementing the Access-Control-Allow-Origin header in the application code and in httpd.conf; on the first attempt it works fine, but after the idle timeout these headers don't work.
After 60 sec the app again sends the request to the IdP provider, which it should not, as it has already been authenticated. Also, on page refresh it works fine again with the same authenticated session.
I might be missing something to store the session at the Shibboleth or app level, or a timeout setting to increase somewhere. If anyone has any idea how we can modify the app to use the same session after the timeout, or how and where we can increase the timeout, or any other point I'm missing, please let me know.