cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Learn all about PTC Community Badges. Engage with PTC and see how many you can earn! X

Odd time limit exceed with SSO, e-signature and Shibboleth

avillanueva
22-Sapphire II

Odd time limit exceed with SSO, e-signature and Shibboleth

In my testing I did not see this come up. When I went to complete an esigned workflow task, I was directed to the SSO popup to authenticate, put in my credentials and this came up. I cannot be certain if I sat too long on the page. Anyone seen this and know if this is an adjustment on the IDP side, a server time issue or user error. Odd part is that if I retried the signoff again, it completed normally. I saw this a few times, perhaps 50% but on retry it completed the task so I know the setup is correct. 

avillanueva_0-1729110105126.png

From what I can tell, Shibboleth is reporting error from what it got back from the IDP.

ACCEPTED SOLUTION

Accepted Solutions
avillanueva
22-Sapphire II
(To:jbailey)
4 REPLIES 4

When we first implemented SSO, we had some issues related to the "SP Session Timeout" setting described here: https://www.ptc.com/en/support/article/CS367592?source=search

 

Not sure if that's related to what you're seeing or not. We had Creo users leaving Creo open an inactive for over an hour, so the default setting caused issues.

avillanueva
22-Sapphire II
(To:joe_morton)

I think this is more likely the cause. 

https://www.ptc.com/en/support/article/CS325329?source=search

There is another timeout related to the reauthsecure for esignature. Its currently at one second. I will try to make it 0 on the test server to see if I get the same message as production. If that is the case, it should be as simple as upping to 2. I doubt it takes decimals. I must have been right on the knife's edge were most of the time it was within a second and sometimes it ticked past. Makes sense why this is so short. Its just used briefly for validating signature and then poof, goes away, cleared for next time.

For the reauthsecure, it should be long enough for the authentication to complete with the IdP and Windchill to get the user variable. Too low of a number and the session will be invalidated before the user variable can be fetched. Remember, the SSO reauth window session gets killed once the user variable is sent to Windchill anyway. That doesn't mean you should set it to 300000000, but more than 1 or 2 may be acceptable based on your infrastructure needs.

 

 

avillanueva
22-Sapphire II
(To:jbailey)

Announcements


Top Tags