[RTFACT-20156] Artifactory SSO does not store session URI
Created: 19/Sep/19 Updated: 13/Nov/19
|Project:||Artifactory Binary Repository|
|Component/s:||OAuth, SAML SSO|
Artifactory HA with SAML SSO
In our Artifactory clusters we have implemented SAML SSO for UI authentication. We have noticed that the default Tomcat web.xml settings for session timeouts are set to 30 minutes.
The issue comes with the fact that the URI a user is actively on is not stored. So when the web session for Tomcat expires, the user is forced through an SSO check against their SSO provider. The Artifactory SAML plugin is then doing a first-time-authentication type check against the SSO provider and then redirecting the user back to the home page.
A user then will have to navigate back to their URI again. The only workaround is less secure, which is to try to increase the session timeout to make the forced re-auth to SSO less often. This is not a good approach. It would be better for Artifactory to store that session URI so that the user is returned to the proper page they were on.
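
One way the requested behaviour can be implemented without opening a redirect hole, as an added example that is not part of the original ticket and is not Artifactory's code: the requested path travels through the SSO round trip in a signed, expiring token (in SAML this kind of value is normally carried in the `RelayState` parameter), and anything that fails validation falls back to the home page. `SECRET`, `MAX_AGE`, `HOME`, the function names and the sample paths are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import urlsplit

SECRET = b"constructed-demo-key"  # assumption: secret shared by all HA nodes
MAX_AGE = 600                     # assumption: seconds allowed for the SSO round trip
HOME = "/"                        # assumption: the default landing page

def is_safe_return_path(path):
    """Allow only same-site absolute paths so the value cannot become an open redirect."""
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return False
    if any(ord(ch) < 0x20 for ch in path):
        return False
    parts = urlsplit(path)
    return parts.scheme == "" and parts.netloc == ""

def _mac(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).digest()

def make_return_token(path, now=None):
    """Called when an expired session is sent to the IdP; binds the requested path."""
    if not is_safe_return_path(path):
        path = HOME
    issued = int(time.time() if now is None else now)
    payload = f"{issued}|{path}".encode()
    return base64.urlsafe_b64encode(_mac(payload) + payload).decode()

def resolve_return_token(token, now=None):
    """Called after the SAML response is accepted; returns where to send the user."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return HOME
    mac, payload = raw[:32], raw[32:]
    if not hmac.compare_digest(mac, _mac(payload)):
        return HOME  # forged or modified token
    issued, _, path = payload.decode().partition("|")
    if now - int(issued) > MAX_AGE or not is_safe_return_path(path):
        return HOME  # stale token or unsafe target
    return path
```

Because the token is self-contained, any node in an HA cluster that holds the same secret can resolve it, and the session timeout can stay short.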