OpenID SSO in WebSphere Liberty requires authentication every time the browser is reopened

Time: 2017-06-25 14:45:50

Tags: websphere single-sign-on openid websphere-liberty

I have configured WebSphere Liberty to use an OpenID Connect provider with the following feature: openidConnectClient-1.0

Everything works, except that Liberty requires the user to authenticate every time the browser is opened, i.e. closing the browser deletes all authentication details. What is wrong with my configuration, or what have I missed?

server.xml

<featureManager>
    <feature>jdbc-4.1</feature>
    <feature>jndi-1.0</feature>
    <feature>ldapRegistry-3.0</feature>
    <feature>appSecurity-2.0</feature>
    <feature>localConnector-1.0</feature>
    <feature>servlet-3.1</feature>
    <feature>openidConnectClient-1.0</feature>
    <feature>adminCenter-1.0</feature>
    <feature>webCacheMonitor-1.0</feature>
    <feature>jaxrs-1.1</feature>
</featureManager>

<keyStore id="defaultKeyStore" password="xxxxxxx"/>

<httpEndpoint host="*" httpPort="9080" httpsPort="9443" id="defaultHttpEndpoint"/>

<openidConnectClient authFilterRef="applicationFilter"
                     authorizationEndpointUrl="https://xxxxxxxxxxx/authorize" 
                     clientId="xxxxxxxx"
                     clientSecret="xxxxxxxxxx" 
                     createSession="false" 
                     disableLtpaCookie="false" 
                     grantType="authorization_code" 
                     httpsRequired="true" 
                     id="sso_liberty" 
                     issuerIdentifier="https://xxxxxxxx" 
                     responseType="code" 
                     scope="openid" 
                     signatureAlgorithm="RS256" 
                     tokenEndpointAuthMethod="post" 
                     tokenEndpointUrl="https://xxxxxxxxxxxx/token" 
                     trustAliasName="application_sso" 
                     trustStoreRef="defaultKeyStore" 
                     userIdentityToCreateSubject="sub">
</openidConnectClient>

<ltpa expiration="100h" 
        keysFileName="${server.output.dir}/resources/security/ltpa_new.keys" 
        keysPassword="xxxxx"/>
<authCache timeout="100h"/>

<applicationMonitor updateTrigger="mbean"/>


<ldapRegistry baseDN="O=xxxxxx.COM" 
                host="xxxxx.xxxxx.com" 
                id="LDAP" 
                ignoreCase="true" 
                ldapType="IBM Tivoli Directory Server" 
                port="xxxxx" 
                realm="xxxxxxxxx" 
                searchTimeout="8m">
    <idsFilters groupFilter="xxxxxx" 
                    groupIdMap="xxxx"  
                    groupMemberIdMap="xxxxx" 
                    userFilter="xxxxx" 
                    userIdMap="xxxxx">
    </idsFilters>
</ldapRegistry>

<authFilter id="applicationFilter">
    <webApp id="application.angular" matchType="contains" name="application.angular"/>
    <requestUrl matchType="notContain" urlPattern="/api/icalfeed"/>
</authFilter>

<webApplication id="application.angular" location="application.angular.war" name="application.angular">
    <classloader apiTypeVisibility="spec, ibm-api, third-party"  />
    <application-bnd>
        <security-role name="All Role">
            <special-subject type="ALL_AUTHENTICATED_USERS" />
        </security-role>
    </application-bnd>
</webApplication>

1 answer:

Answer 0 (score: 2)

The user's authentication state is maintained by the SSO server. If the Liberty security session expires or the browser is closed and reopened, Liberty redirects the user to the SSO server; if the browser still holds a valid session with the SSO server, the user is not prompted to log in again. However, if your SSO server uses a browser session cookie to maintain the user's authentication state, the user will be asked to log in to your SSO server again. So the behaviour is controlled by the SSO server.
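The answer hinges on one detail: a cookie with no Expires or Max-Age attribute is a browser session cookie and is discarded when the browser closes, so neither Liberty's LTPA cookie nor the SSO server's own session cookie can survive a restart. The script below is an added example, not code from the question or from IBM's Liberty; it parses Set-Cookie headers the way a browser would and reports which cookies are session-scoped. The headers are constructed samples: LtpaToken2 is the name Liberty uses for its LTPA cookie, while SSO_SESSION, REMEMBER_ME and LEGACY are hypothetical names chosen for illustration.

```python
"""Classify Set-Cookie headers as session, persistent or expired cookies.

Added example for the question above; not from the question or from Liberty.
Capture the Set-Cookie headers of the SSO server's login response and of
Liberty's post-login redirect (browser dev tools suffice), feed them to
classify(), and any cookie reported as "session" is one the browser will
drop on close, which is exactly the behaviour the question describes.
"""

from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Fixed reference time so the example is reproducible offline.
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed Set-Cookie headers as a browser might receive them during the
# authorization_code flow. Cookie names other than LtpaToken2 are hypothetical.
SAMPLE_SET_COOKIE_HEADERS = [
    # SSO provider session cookie: no Expires/Max-Age, so gone on browser close
    "SSO_SESSION=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    # Liberty's LTPA cookie: also a session cookie (value is a placeholder)
    "LtpaToken2=dGVzdA==; Path=/; Secure; HttpOnly",
    # Persistent cookies for comparison (hypothetical)
    "REMEMBER_ME=xyz; Path=/; Max-Age=604800; Secure; HttpOnly",
    "LEGACY=1; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure",
]


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and a lower-cased attribute map.

    Attribute flags without a value (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookie_lifetime(cookie: dict, now: datetime) -> str:
    """Return "session", "persistent" or "expired" for a parsed cookie.

    Per RFC 6265, Max-Age takes precedence over Expires; a cookie carrying
    neither attribute lives only as long as the browser session.
    """
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        return "persistent" if int(attrs["max-age"]) > 0 else "expired"
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:  # "-0000" style dates parse as naive UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return "persistent" if expires > now else "expired"
    return "session"


def classify(headers, now: datetime = None) -> dict:
    """Map each cookie name to its lifetime class."""
    now = now or datetime.now(timezone.utc)
    return {c["name"]: cookie_lifetime(c, now) for c in map(parse_set_cookie, headers)}


def session_only_cookies(headers, now: datetime = None) -> list:
    """Names of the cookies a browser discards when it is closed, sorted."""
    return sorted(name for name, kind in classify(headers, now).items() if kind == "session")


if __name__ == "__main__":
    for name, kind in classify(SAMPLE_SET_COOKIE_HEADERS, FIXED_NOW).items():
        print(f"{name:12s} {kind}")
    print("lost on browser close:", session_only_cookies(SAMPLE_SET_COOKIE_HEADERS, FIXED_NOW))
```

Run against the sample headers, both SSO_SESSION and LtpaToken2 come out as session cookies, which matches the answer: with Liberty's cookie and the SSO server's cookie both gone after a restart, the redirect to the provider necessarily ends in a fresh login, and nothing in the Liberty openidConnectClient element can change what the SSO server chooses to set.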