[RTFACT-20156] Artifactory SSO does not store session URI Created: 19/Sep/19  Updated: 13/Nov/19

Status: Open
Project: Artifactory Binary Repository
Component/s: OAuth, SAML SSO
Affects Version/s: 6.12.1
Fix Version/s: None

Type: Improvement Priority: High
Reporter: Bradley Herrin Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: artifactory
Environment:

Artifactory HA with SAML SSO


Issue Links:
Duplicate
duplicates RTFACT-17014 When logging in with SAML we are not ... Open

Description

In our Artifactory clusters we have implemented SAML SSO for UI authentication. We have noticed that the default Tomcat web.xml settings for session timeouts are set to 30 minutes.

The issue comes with the fact that the URI a user is actively on is not stored. So when the web session for Tomcat expires, the user is forced through an SSO check against their SSO provider. The Artifactory SAML plugin is then doing a first-time-authentication type of check against the SSO provider and then redirecting the user back to the home page.

A user will then have to navigate back to their URI again. The only workaround is less secure, which is to try to increase the session timeout to make the forced re-auth to SSO less often. This is not a good approach. It would be better for Artifactory to store those session URIs so that the user is returned to the proper page they were on.

Generated at Tue Sep 22 18:54:28 UTC 2020 using Jira 8.5.3#805003-sha1:b4933e02eaff29a49114274fe59e1f99d9d963d7.