I'm half betting the answer to this issue is going to be that it just doesn't work, but here's my scenario.

We have an old Flex application that we are still migrating away from, with the end of life for Flash coming next year. That Flex application makes calls to remote services on a ColdFusion/IIS server over the AMF channels.

Recently, we were required by our client to change our authentication to work with their auth provider, which uses a SAML-based auth handoff. Since the CF server is run off IIS, we put Shibboleth on IIS to protect URLs/directories and deal with the handoff back and forth to the auth provider. The auth information comes back in headers and gets sent back to CF, which has no problem translating that into usable sessions for any CF/HTML traffic.

Enter Flex and the shitstorm that seems to be AMF engineering. The sessions do a renewal at 5 minutes. So, when a user is in the Flex/Flash Single Page Application, they do their normal work and 5 minutes hits; AMF doesn't initiate or deal with the SAML and Shibboleth handshakes, it just believes there's a dead session, and CF returns that to the Flex application.

We kind of get around this by putting an iframe in the same HTML page that spawns the Flash application, which reloads an image file every 15 seconds with a unix timestamp at the end to prevent caching. This works because it still routes through IIS and causes the handshakes to occur normally, but even with a 68-byte image file and it only happening every 15 seconds per user, it still seems like a resource-heavy way to handle the problem, plus there's still a window of time where users can experience the session hang issue if their timing is right.

Has anyone ever dealt with something like this issue before and been able to offer an idea of how to force Flex/CF/AMF gateways to work properly with auth measures? Is it just a side effect of the sideloading CF and IIS handling the parts with Shibboleth?

Any suggestions or ideas would be great. Honestly, with as little as Flex is used anymore, I really doubt I'll find an actual solution aside from the workaround we already are using. And unfortunately, asking the provider to increase the validity time beyond 5 minutes isn't realistic either.

Using ColdFusion 2016

0 Answers
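The iframe-reloading-an-image workaround described in the question is, in effect, a session keepalive: any request that passes through IIS/Shibboleth renews the SP session before the 5-minute renewal, which the AMF channel never does on its own. The block below is an added example, not code from the poster or from any of the products named; it shows the same technique done from the hosting page with `fetch()` instead of an iframe, with two additions a practitioner would want: it pings well under the renewal interval but far less often than every 15 seconds, backing off further while the tab is hidden, and it recognises the case where the SP session has already expired (Shibboleth redirecting the request to the IdP, or a 401/403), at which point the only safe action is a full page re-authentication rather than silently continuing. The path `/shib/keepalive.txt`, the origin `https://app.example`, and all timing constants are assumptions for illustration.

```javascript
// Added example (not from the original post): a session keepalive in plain JavaScript
// for the HTML page that hosts the Flash/Flex application. It periodically fetches a
// small resource under the Shibboleth-protected path so the SP session is renewed
// before the 5-minute deadline, and detects when re-authentication is unavoidable.
// Assumed (hypothetical): /shib/keepalive.txt is a tiny static file behind Shibboleth;
// the real path, origin and interval are deployment choices.

// Cache-busting URL, the same idea as the post's unix-timestamp image URL.
function keepaliveUrl(base, nowMs) {
  const sep = base.includes('?') ? '&' : '?';
  return `${base}${sep}t=${Math.floor(nowMs / 1000)}`;
}

// Interpret a fetch() Response. An expired SP session is answered by Shibboleth
// with a redirect to the IdP (which fetch follows), so a final URL outside our
// origin, or a 401/403, means the browser session needs a full re-authentication.
function classifyResponse(resp, expectedOrigin) {
  if (resp.status === 401 || resp.status === 403) return 'reauth';
  if (resp.url && !resp.url.startsWith(expectedOrigin)) return 'reauth';
  if (resp.ok) return 'ok';
  return 'error';
}

// Decide whether a timer tick should actually hit the server: while the tab is
// hidden, only ping once we are within `marginMs` of the renewal deadline.
function shouldPing(visibilityState, lastOkMs, nowMs, renewalMs, marginMs) {
  if (visibilityState !== 'hidden') return true;
  return nowMs - lastOkMs >= renewalMs - marginMs;
}

// One keepalive round trip; returns 'ok', 'reauth' or 'error'.
async function pingOnce(opts) {
  const resp = await opts.fetchImpl(keepaliveUrl(opts.url, opts.now()), {
    method: 'GET',
    credentials: 'include', // send the Shibboleth session cookie
    cache: 'no-store',
    redirect: 'follow',
  });
  return classifyResponse(resp, opts.origin);
}

// Start the keepalive loop; returns a function that stops it.
function startKeepalive(opts) {
  const o = {
    url: '/shib/keepalive.txt',            // hypothetical protected resource
    origin: 'https://app.example',         // hypothetical application origin
    intervalMs: 60000,                     // ping cadence, well under renewal
    renewalMs: 300000,                     // the 5-minute renewal from the post
    marginMs: 30000,                       // how close to the deadline a hidden tab pings
    fetchImpl: globalThis.fetch,
    now: Date.now,
    onReauth: () => { if (typeof location !== 'undefined') location.reload(); },
    ...opts,
  };
  let lastOk = o.now();
  const timer = setInterval(async () => {
    const vis = typeof document !== 'undefined' ? document.visibilityState : 'visible';
    if (!shouldPing(vis, lastOk, o.now(), o.renewalMs, o.marginMs)) return;
    try {
      const result = await pingOnce(o);
      if (result === 'ok') {
        lastOk = o.now();
      } else if (result === 'reauth') {
        clearInterval(timer); // session is gone; hand control back to the SAML flow
        o.onReauth();
      }
    } catch (e) {
      // transient network failure: leave lastOk alone and retry on the next tick
    }
  }, o.intervalMs);
  return () => clearInterval(timer);
}
```

In the hosting page this would be started once with `const stop = startKeepalive({});` after the Flash object is embedded. Reloading the page on `reauth` is deliberate: the Flex application cannot complete the SAML redirect chain over AMF, so a full navigation through IIS/Shibboleth is the one path that reliably re-establishes the session.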