Hello,

Our client has an enterprise application that uses .NET Core ComponentSpace for SSO. Since a web farm with a load balancer is used there, DistributedSqlServerCache was implemented according to the development guide. However, we faced the following timeout issue:

1. The user logs in using SSO. During this, three sessions are created: the local application (SP) session, the IdP session, and the ComponentSpace SSO session that is stored in the database.
2. The SP session has a sliding expiration timeout, so it stays active as long as the user works in the application. Let's assume the IdP has a 2-hour session expiration. The ComponentSpace SSO session has a 30-minute timeout by default.
3. After an hour of active work, the user presses "Logout". The SP session is terminated, then the CanSLO method is called to check if we can do Single Logout. But since by that time the ComponentSpace SSO session has already expired, it returns false and SingleLogout doesn't happen. As a result, the IdP session is still active.

I found out that the ComponentSpace SSO session timeout can be configured by DistributedSsoSessionStoreOptions.SlidingSessionExpiration, and we can set a large value there (like 24 hours). But it seems like a workaround, and it leads to a bigger session storage table. I see that the SSO session is prolonged when working with it. But in our case, that happens only on login and logout actions.

Maybe I am missing something? How is it supposed to work?