我有一个在 Jetty 上运行的应用程序 (1)，它部署在 Kubernetes 中。在应用程序之上，我们使用另一个部署来启用使用 IDP 提供程序的 apache2/shibboleth SAML2 的 SSO 配置。

因此，具有 apache2/shibboleth 的容器已使用 ingress 公开，并且已使用 httpd.conf 将流量重定向到后端部署（jetty 应用程序）。该应用程序在第一次尝试时运行良好，直到我们使用它为止。如果我们保持应用程序空闲并打开浏览器，它会抛出 CORS 错误

this is the error access to XMLHttpRequest at 'https://eIDP_provider:8443/nidp/saml2/sso?SAMLRequest=hZJPU4MwEMW%2FCpN…NcmKW6W1uSJ9aQmtiBnaU3puhSCt5GHnokA82DtQCwXVM8UfnwwKisVcJJSXqqm2eK3Q%3D%3D'(redirected from 'https://shib_ingress.domain.com/app_jetty/?wicket:interface=:1:searchPanel:p…searchForm:queryTypeSelect::IBehaviorListener:0:&random=0.9935442197361537') from origin 'https://shib_ingress.domain.com/' has been blocked by CORS policy: Response to preflight request doesn't 
pass access control check: No 'access-control-allow-origin' header is present on the requested resource

这里是使用的注释

ingress.kubernetes.io/whitelist-source-range: 10.36.160.128/25
    nginx.ingress.kubernetes.io/affinity: cookie
    nginx.ingress.kubernetes.io/affinity-mode: persistent
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/cors-allow-origin: https://shib_ingress.domain.com
    nginx.ingress.kubernetes.io/cors-max-age: "1728000"
    nginx.ingress.kubernetes.io/keepalive: "6000"
    nginx.ingress.kubernetes.io/proxy-pass-headers: '*'
    nginx.ingress.kubernetes.io/enable-cors: "true" 
    nginx.ingress.kubernetes.io/cors-allow-methods: "PUT,GET,POST,OPTIONS" 

app_jetty.conf

ProxyPass /Shibboleth.sso/Status !
ProxyPassReverse /Shibboleth.sso//Status !
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
Header set employeeNumber %{employeeNumber}e
Header set email %{email}e
Header set displayName %{displayName}e
Header set roles %{roles}e
Header set MyHeader "%D %t"
RequestHeader set X-My-Host-Header "%{custom_host}e"
RequestHeader set X-Role-Host-Header "%{roles}e"
RequestHeader set email "%{email}e"
RequestHeader set displayName "%{displayName}e"
RequestHeader set roles "%{roles}e"
RequestHeader set employeeNumber "%{employeeNumber}e"

<VirtualHost _default_:8090>
        UseCanonicalName On
        ServerAdmin root@localhost
        ServerName https://shib_ingress.domain.com
        ServerAlias shib_ingress.domain.com

        # Shibboleth-Attribute mapping to HTTP Headers for delivery to PF Server
        Header set employeeNumber %{employeeNumber}e
        Header set email %{email}e
        Header set displayName %{displayName}e
        Header set roles %{roles}e
        RequestHeader set email "%{email}e"
        RequestHeader set displayName "%{displayName}e"
        RequestHeader set roles "%{roles}e"
        RequestHeader set employeeNumber "%{employeeNumber}e"
        RequestHeader  set roles %{roles}e
        #Attributes end here

        ProxyPass /Shibboleth.sso/Status https://127.0.0.1/Shibboleth.sso/Status
        ProxyPassReverse /Shibboleth.sso/Status https://127.0.0.1/Shibboleth.sso/Status
        ProxyPass /app_jetty https://app.ns.svc.cluster.local:8080/app_jetty
        ProxyPassReverse /app_jetty  https://app.ns.svc.cluster.local:8080/app_jetty
        SetEnv force-proxy-request-1.0 1
        SetEnv proxy-nokeepalive 1

</VirtualHost>

shib 授权配置

Loadmodule mod_shib /usr/lib64/shibboleth/mod_shib_24.so

ShibCompatValidUser Off

<Location /Shibboleth.sso>
  AuthType None
  Require all granted
</Location>

<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require shib-session
</Location>

#Added for app_jetty EIAM Auth
<Location /app_jetty>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require shib-session
</Location>

我尝试了多种方法来解决该问题，方法是对应用程序代码和 httpd.conf 实施 access-control-allow-origin，在第一次尝试中它工作正常，但在空闲超时后这些标头不起作用。

60 秒后，该应用程序再次向 IDP 提供商发送请求，因为它已经过身份验证，因此不应向 IDP 提供商发送请求。同样在页面刷新时，它再次与身份验证相同的会话正常工作

我可能缺少一些东西来在应用程序中存储会话在 shibboleth 或应用程序级别或超时设置以增加某处，如果有人知道我们如何修改应用程序以在超时后使用相同的会话或我们如何增加超时时间和地点。 或任何其他缺失的点。