Websphere中的OpenID SSO每次重新打开浏览器时都需要身份验证

Question

通过使用以下特性，我定义了Websphere feature来使用OpenID连接提供程序：openidConnectClient-1.0。

除了每次打开浏览器时，都需要用户对其进行身份验证，即关闭浏览器，删除所有身份验证细节。我的配置有什么问题，或者我漏掉了什么？

server.xml

​

<featureManager>
    <feature>jdbc-4.1</feature>
    <feature>jndi-1.0</feature>
    <feature>ldapRegistry-3.0</feature>
    <feature>appSecurity-2.0</feature>
    <feature>localConnector-1.0</feature>
    <feature>servlet-3.1</feature>
    <feature>openidConnectClient-1.0</feature>
    <feature>adminCenter-1.0</feature>
    <feature>webCacheMonitor-1.0</feature>
    <feature>jaxrs-1.1</feature>
</featureManager>

<keyStore id="defaultKeyStore" password="xxxxxxx"/>

<httpEndpoint host="*" httpPort="9080" httpsPort="9443" id="defaultHttpEndpoint"/>

<openidConnectClient authFilterRef="applicationFilter"
                     authorizationEndpointUrl="https://xxxxxxxxxxx/authorize" 
                     clientId="xxxxxxxx"
                     clientSecret="xxxxxxxxxx" 
                     createSession="false" 
                     disableLtpaCookie="false" 
                     grantType="authorization_code" 
                     httpsRequired="true" 
                     id="sso_liberty" 
                     issuerIdentifier="https://xxxxxxxx" 
                     responseType="code" 
                     scope="openid" 
                     signatureAlgorithm="RS256" 
                     tokenEndpointAuthMethod="post" 
                     tokenEndpointUrl="https://xxxxxxxxxxxx/token" 
                     trustAliasName="application_sso" 
                     trustStoreRef="defaultKeyStore" 
                     userIdentityToCreateSubject="sub">
</openidConnectClient>

<ltpa expiration="100h" 
        keysFileName="${server.output.dir}/resources/security/ltpa_new.keys" 
        keysPassword="xxxxx"/>
<authCache timeout="100h"/>

<applicationMonitor updateTrigger="mbean"/>


<ldapRegistry baseDN="O=xxxxxx.COM" 
                host="xxxxx.xxxxx.com" 
                id="LDAP" 
                ignoreCase="true" 
                ldapType="IBM Tivoli Directory Server" 
                port="xxxxx" 
                realm="xxxxxxxxx" 
                searchTimeout="8m">
    <idsFilters groupFilter="xxxxxx" 
                    groupIdMap="xxxx"  
                    groupMemberIdMap="xxxxx" 
                    userFilter="xxxxx" 
                    userIdMap="xxxxx">
    </idsFilters>
</ldapRegistry>

<authFilter id="applicationFilter">
    <webApp id="application.angular" matchType="contains" name="application.angular"/>
    <requestUrl matchType="notContain" urlPattern="/api/icalfeed"/>
</authFilter>

<webApplication id="application.angular" location="application.angular.war" name="application.angular">
    <classloader apiTypeVisibility="spec, ibm-api, third-party"  />
    <application-bnd>
        <security-role name="All Role">
            <special-subject type="ALL_AUTHENTICATED_USERS" />
        </security-role>
    </application-bnd>
</webApplication>

​

Answer 1

用户的身份验证状态由SSO服务器维护。如果自由安全会话过期或浏览器关闭并重新打开，则user将将用户重定向到SSO服务器，如果browser仍然使用SSO服务器维护有效会话，则不会提示用户重新登录。但是，如果SSO服务器使用浏览器会话cookie来维护用户的身份验证状态，则将要求用户重新登录到SSO服务器。因此，该行为由SSO服务器控制。