
WłodzimierzT.41540 (Customer) asked a question.
Hi,
I have a system that can be described like this:
- CentOS 7 machine that hosts an app
- CentOS 7 machine that acts as a reverse proxy to the machine from pt. 1. The only way to access the machine from pt. 1 is via this proxy.
I use mod_auth_mellon with OKTA SSO to restrict access to the app. I implemented a timeout solution, so when a user is inactive for 5 minutes, he's redirected to
https://my_server.com/<mellon endpoint>/logout?ReturnTo=https://my_server.com/some_location, which initiates OKTA SLO. So far so good.
But when the timeout happens and I log back in, I get a 100% reproducible Bad Request. Apache logs state that the user has lost his SAML cookie (I could get the full error message if you think it would be valuable).
I also get the Bad Request when I:
- access the app,
- change the config of the proxy,
- run systemctl restart httpd,
- access the app again (relogin) without closing the browser
So I figure that the error happens when the system tries to act on an invalid/outdated user session. I think that because restarting the browser fixes it. I also came up with a workaround: adding
<Location /some_location>
    # drop the browser's Cookie header so the stale session cookie is not presented here
    RequestHeader unset Cookie
</Location>
fixes the first issue, as the session cookie is dropped when the user visits the location he is redirected to after SLO. But the other one (restarting the proxy server) still persists, as I'm not visiting the some_location Location and so not dropping the cookie.
I have three questions:
- Is it possible to force the user to log in again (perhaps creating a whole new session) when he ends up with a Bad Request?
- Can you suggest any better timeout solution?
- What do you think of mod_auth_mellon? Did you have any issues with it in the past? Would you recommend some alternatives?
Ideally I would like the timeout to work like this:
- once 5 minutes of inactivity passes, the user is taken to the OKTA login page,
- once he successfully authenticates, he's taken back to the location where the logout happened
Is it possible to achieve with my current setup (httpd, mod_auth_mellon etc)?
Any help would be much appreciated! Please let me know if I should upload my config.
Regards,
Wojciech
PS there is another workaround: go to chrome://flags, search for SameSite and disable positions 1 & 3. No Bad Request on the timeout.
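Added example, not code from the original post or from mod_auth_mellon or Okta. A mechanism consistent with the PS workaround (disabling Chrome's SameSite flags) is the SAML HTTP-POST binding itself: the IdP's auto-submitting form sends the SAMLResponse to the SP's Mellon endpoint as a cross-site, top-level POST, and since Chrome 80 a cookie set without a SameSite attribute is treated as Lax and dropped from such a request once it is older than the two-minute "Lax+POST" grace period, so the SP sees no session cookie. The Python below models those browser rules (RFC 6265bis plus Chrome's Lax-by-default behaviour) and runs the Okta-to-SP POST through them for several cookie configurations; the site names `my_server.com` and `okta.com`, the cookie name `mellon-cookie` and the timings are assumptions made for the demo.

```python
"""Model of browser SameSite cookie rules applied to a SAML HTTP-POST binding.

Added example for illustration; not code from the original post or from
mod_auth_mellon/Okta. It encodes the SameSite rules of RFC 6265bis plus
Chrome 80+'s "Lax by default" behaviour: a cookie set without a SameSite
attribute is treated as Lax, except that it is still sent on cross-site
top-level POSTs for 2 minutes after being set ("Lax+POST"). Site names,
cookie name and timings below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, Optional

LAX_POST_WINDOW_SECONDS = 120       # Chrome's Lax+POST allowance (2 minutes)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    site: str                       # registrable domain that set it
    samesite: Optional[str]         # "Strict" | "Lax" | "None" | None (attribute absent)
    secure: bool
    age_seconds: int                # time since the Set-Cookie response


@dataclass(frozen=True)
class Request:
    target_site: str                # registrable domain of the request URL
    initiator_site: str             # site of the document that triggered the request
    method: str
    top_level: bool                 # top-level navigation (form submit, redirect) vs. fetch
    https: bool


def cookie_sent(cookie: Cookie, req: Request, lax_by_default: bool = True) -> bool:
    """Return True if a browser following these rules attaches `cookie` to `req`."""
    if cookie.site != req.target_site:
        return False                # not the cookie's host at all
    same_site = req.initiator_site == req.target_site

    if cookie.samesite is None:
        if not lax_by_default:
            return True             # legacy behaviour: no SameSite restriction
        # Lax by default, with Chrome's temporary Lax+POST exception
        if same_site or (req.top_level and req.method in SAFE_METHODS):
            return True
        return (req.top_level and req.method == "POST"
                and cookie.age_seconds < LAX_POST_WINDOW_SECONDS)

    mode = cookie.samesite.capitalize()
    if mode == "None":
        # SameSite=None is only honoured on cookies that are Secure over HTTPS
        return cookie.secure and req.https
    if mode == "Strict":
        return same_site
    if mode == "Lax":
        return same_site or (req.top_level and req.method in SAFE_METHODS)
    raise ValueError(f"unknown SameSite value {cookie.samesite!r}")


def saml_acs_post_carries_cookie(cookie: Cookie, sp_site: str, idp_site: str,
                                 lax_by_default: bool = True) -> bool:
    """HTTP-POST binding: the IdP's auto-submitting form POSTs the SAMLResponse
    to the SP's assertion consumer endpoint. From the browser's point of view
    that is a cross-site, top-level POST initiated by the IdP's page."""
    acs_post = Request(target_site=sp_site, initiator_site=idp_site,
                       method="POST", top_level=True, https=True)
    return cookie_sent(cookie, acs_post, lax_by_default)


def scenarios() -> Dict[str, bool]:
    """Constructed scenarios: does the SP session cookie reach the ACS POST?"""
    sp, idp = "my_server.com", "okta.com"   # constructed site names

    def c(samesite: Optional[str], secure: bool, age: int) -> Cookie:
        return Cookie("mellon-cookie", sp, samesite, secure, age)  # assumed cookie name

    return {
        # Cookie set seconds ago (e.g. at the redirect to the IdP): Lax+POST lets it through
        "no attribute, 30s old, Chrome 80+": saml_acs_post_carries_cookie(c(None, True, 30), sp, idp),
        # Same cookie older than the 2-minute window: silently dropped, SP sees no session
        "no attribute, 5min old, Chrome 80+": saml_acs_post_carries_cookie(c(None, True, 300), sp, idp),
        # Same cookie with Lax-by-default disabled (the chrome://flags workaround)
        "no attribute, 5min old, legacy": saml_acs_post_carries_cookie(c(None, True, 300), sp, idp, lax_by_default=False),
        # Explicit Lax gets no Lax+POST grace period at all
        "SameSite=Lax, 30s old": saml_acs_post_carries_cookie(c("Lax", True, 30), sp, idp),
        "SameSite=Strict": saml_acs_post_carries_cookie(c("Strict", True, 30), sp, idp),
        # The durable fix: SameSite=None; Secure
        "SameSite=None; Secure, 5min old": saml_acs_post_carries_cookie(c("None", True, 300), sp, idp),
        # SameSite=None without Secure is rejected by the browser
        "SameSite=None, not Secure": saml_acs_post_carries_cookie(c("None", False, 300), sp, idp),
    }


if __name__ == "__main__":
    for label, sent in scenarios().items():
        print(f"{'sent   ' if sent else 'dropped'}  {label}")
```

The model only covers the browser side; it says nothing about what the SP does once the cookie is missing. The practical check is to capture the POST from Okta to the Mellon endpoint in the browser's network tab and see whether the session cookie is on it. If it is not, the server-side fix is to issue the cookie with `SameSite=None; Secure` rather than stripping cookies per Location: mod_auth_mellon exposes `MellonCookieSameSite` and `MellonCookieSecure` directives for this in recent releases, so verify that the version packaged for CentOS 7 carries them before relying on them. Note that `SameSite=None` means every cross-site request may carry the session cookie, which is exactly what the SAML POST needs but also why the cookie must stay `Secure` and `HttpOnly`.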

Hello, Wojciech!
Thank you for posting the question! Please open a new case with us so that one of our Technical Support Engineers can assist you, as your inquiry needs further investigation and troubleshooting.
We are looking forward to hearing from you!