Open e30532 opened 6 months ago
Thanks, @e30532. We've been having a discussion on Slack about this and will have a look when we can.
Hi, @e30532. After discussing with @arunavemulapalli, we believe this is not a release bug and is functioning as expected. There is not an affinity requirement between steps 1-4 listed in your post; that requirement was tracked and removed under https://github.com/OpenLiberty/open-liberty/issues/11796. However we do still have an affinity requirement between the ACS endpoint and redirecting back to the service URL (steps 4 and 5 in your post). The SAML token received from the IdP can be large, so we save it in a local cache before creating the authenticated subject and therefore have an affinity dependency there just as you point out. We would track any work to change that behavior as a new feature request, and it would have to go through internal prioritization.
Note: I was requested to open this issue after the discussion with a WebSphere architect.
In the following scenario, if the ACS request (/ibm/saml20/defaultSP/acs) and the redirected service request are handled by the same liberty instance, SAML SSO works as expected. However, it's not guaranteed since session affinity sometimes breaks. Actually, if those requests are handled by different liberty servers respectively, the cache of SAML cookie doesn't exist for the redirect URL and it prevent further SAML SSO processing.
Diagnostic information:
Note: As described in the link below, in the case of tWAS, LTPA token is generated for the ACS request. Thus, LTPA based SSO can be initiated for the redirected service request. https://www.ibm.com/docs/en/was-nd/9.0.5?topic=sign-saml-single-scenarios-features-limitations
The diag trace is available in the internal thread below. https://ibm-cloud.slack.com/archives/C324NP6H5/p1713428806051459?thread_ts=1713172370.822399&cid=C324NP6H5
./Liberty_NG/keycloak/logs/trace.log
./Liberty_OK/keycloak/logs/trace.log