CORS error while accessing the backend kubernetes application from shibboleth kubernetes pods in same cluster

7/31/2021

I have an application(1) running on Jetty which is deployed in Kubernetes. On top of the application, we are using another deployment to enable SSO configuration using apache2/shibboleth SAML2 using IDP provider.

So container having apache2/shibboleth has been exposed using ingress and httpd.conf has been used to redirect the traffic to the backend deployment(jetty app). The application is working fine in the first attempt and works till the time we use it. If we keep the application idle and browser open it is throwing CORS error

This is the error: Access to XMLHttpRequest at 'https://eIDP_provider:8443/nidp/saml2/sso?SAMLRequest=hZJPU4MwEMW%2FCpN…NcmKW6W1uSJ9aQmtiBnaU3puhSCt5GHnokA82DtQCwXVM8UfnwwKisVcJJSXQqm2eK3Q%3D%3D'(redirected from 'https://shib_ingress.domain.com/app_jetty/?wicket:interface=:1:searchPanel:p…searchForm:queryTypeSelect::IBehaviorListener:0:&random=0.9935442197361537') from origin 'https://shib_ingress.domain.com/' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource

Here are the annotations used:

    ingress.kubernetes.io/whitelist-source-range: 10.36.160.128/25
    nginx.ingress.kubernetes.io/affinity: cookie
    nginx.ingress.kubernetes.io/affinity-mode: persistent
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/cors-allow-origin: https://shib_ingress.domain.com
    nginx.ingress.kubernetes.io/cors-max-age: "1728000"
    nginx.ingress.kubernetes.io/keepalive: "6000"
    nginx.ingress.kubernetes.io/proxy-pass-headers: '*'
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"

app_jetty.conf

ProxyPass /Shibboleth.sso/Status !
ProxyPassReverse /Shibboleth.sso/Status !
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
Header set employeeNumber %{employeeNumber}e
Header set email %{email}e
Header set displayName %{displayName}e
Header set roles %{roles}e
Header set MyHeader "%D %t"
RequestHeader set X-My-Host-Header "%{custom_host}e"
RequestHeader set X-Role-Host-Header "%{roles}e"
RequestHeader set email "%{email}e"
RequestHeader set displayName "%{displayName}e"
RequestHeader set roles "%{roles}e"
RequestHeader set employeeNumber "%{employeeNumber}e"

<VirtualHost _default_:8090>
        UseCanonicalName On
        ServerAdmin root@localhost
        ServerName https://shib_ingress.domain.com
        ServerAlias shib_ingress.domain.com

        # Shibboleth-Attribute mapping to HTTP Headers for delivery to PF Server
        Header set employeeNumber %{employeeNumber}e
        Header set email %{email}e
        Header set displayName %{displayName}e
        Header set roles %{roles}e
        RequestHeader set email "%{email}e"
        RequestHeader set displayName "%{displayName}e"
        RequestHeader set roles "%{roles}e"
        RequestHeader set employeeNumber "%{employeeNumber}e"
        RequestHeader set roles %{roles}e
        #Attributes end here

        ProxyPass /Shibboleth.sso/Status https://127.0.0.1/Shibboleth.sso/Status
        ProxyPassReverse /Shibboleth.sso/Status https://127.0.0.1/Shibboleth.sso/Status
        ProxyPass /app_jetty https://app.ns.svc.cluster.local:8080/app_jetty
        ProxyPassReverse /app_jetty  https://app.ns.svc.cluster.local:8080/app_jetty
        SetEnv force-proxy-request-1.0 1
        SetEnv proxy-nokeepalive 1

</VirtualHost>

shib authorization conf

LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so

ShibCompatValidUser Off

<Location /Shibboleth.sso>
  AuthType None
  Require all granted
</Location>

<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require shib-session
</Location>

#Added for app_jetty EIAM Auth
<Location /app_jetty>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require shib-session
</Location>

I have tried multiple approaches to solve the issue by implementing Access-Control-Allow-Origin in the application code and in httpd.conf; on the first attempt it works fine, but after the idle timeout these headers don't work.

After 60 sec the app again sends the request to the IDP provider, which it should not, as it has already been authenticated. Also, on page refresh it again works fine with the same session and authentication.

I might be missing something to store the session at the Shibboleth or app level, or a timeout setting to increase somewhere. If anyone has any idea how we can modify the app to use the same session after the timeout, or how and where we can increase the timeout, or any other point I am missing here, please share.

-- gourav chauhan
angular
apache
kubernetes
shibboleth

0 Answers
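The failure mode in the question is a browser-side one: once the Shibboleth session is gone, the proxy answers the XHR with a 302 to the IdP, the browser follows it cross-origin, and the preflight can never carry an Access-Control-Allow-Origin header from the IdP. An added example (not code from the question or from any project named in it) of a client-side guard for the SPA: fetch with `redirect: 'manual'`, classify the response, and re-authenticate with a top-level navigation instead of letting the XHR hit the IdP. `classifySsoResponse`, `apiFetch` and the sample response objects are assumptions constructed for this example; the IdP origin is taken from the question's error message.

```javascript
// Added example (not from the question). Normalize the IdP origin so it compares with URL.origin.
const IDP_ORIGIN = new URL('https://eIDP_provider:8443/').origin;

// Pure classifier over a Response-like object, so it can be unit-tested without a browser.
// Returns 'ok' | 'reauthenticate' | 'reload' | 'error'.
function classifySsoResponse(res) {
  // fetch() with redirect: 'manual' stops at any 3xx and yields type 'opaqueredirect' (status 0).
  // A visible 3xx (e.g. when a proxy leaks it) means the same thing: the SP wants to send us to the IdP.
  if (res.type === 'opaqueredirect' || (res.status >= 300 && res.status < 400)) {
    return 'reauthenticate';
  }
  // Proxies that answer XHRs with 401/403 instead of redirecting are handled the same way.
  if (res.status === 401 || res.status === 403) return 'reauthenticate';
  // With redirect: 'follow', a response that bounced through the IdP carries redirected === true
  // and an IdP URL; its body is SAML HTML, not API JSON, so reload the page rather than parse it.
  if (res.redirected && new URL(res.url).origin === IDP_ORIGIN) return 'reload';
  if (res.ok) return 'ok';
  return 'error';
}

// Fetch wrapper for same-origin API calls behind the Shibboleth-protected proxy.
async function apiFetch(path, init = {}) {
  const res = await fetch(path, { ...init, credentials: 'same-origin', redirect: 'manual' });
  const action = classifySsoResponse(res);
  if (action === 'reauthenticate' || action === 'reload') {
    // Top-level navigation: the IdP redirect becomes a normal page load, which is not CORS-checked,
    // and the SP session is re-established for all subsequent XHRs.
    window.location.reload();
    throw new Error('SSO session expired; reloading to re-authenticate');
  }
  if (action === 'error') throw new Error(`API error ${res.status}`);
  return res;
}
```

This does not lengthen the session; it only turns the silent CORS failure into a deterministic re-authentication, so the server-side session timeout still has to be tuned separately.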