I am using wso2 apim 4.0.0. I would like to customize (set 1 minute) session timeout for management consoles(publisher, devportal, admin). The way I am following is the official [documentation] (https://apim.docs.wso2.com/en/4.0.0/install-and-setup/setup/security/securing-api-m-web-portals/#configuring-session-time-out) which states to add following lines to deployment.toml configuration file
[tomcat.management_console]
session_timeout = "30m"
[tomcat.global]
session_timeout = "30m"
I tried to modify those configs to 1m:
[tomcat.management_console]
session_timeout = "1m"
[tomcat.global]
session_timeout = "1m"
After restarting, only carbon seems to be affected from changes given above. It invalidates session automatically after a minute. But session timeout for Publisher, Devportal, Admin portals remain unchanged.
I expected the configuration would work on Publisher, Devportal, Admin as well so they invalidate the session after one minute.
I think this is no longer applicable for the publisher,admin and deportals as APIM use OIDC SSO session management methodology for these portals. Portals use IDP side sessions only and by default, it expires at 15mins[1]. From the APIM UI side, we don't use browser sessions and we only check the access token validity period(default 1 hour), if the token has expired we log the user out and might use the refresh token if persisted and then use that token to get a new access token. During that period if the IDP session has expired only the user is redirected to the login page, otherwise the user login happens and the user is redirected to the portal automatically.
Therefore instead of using the above config, you can
Change the session timeout parameter of the resident keymanager from the management console [1]
Update the access token and refresh token timeouts for the publisher, devportal and admin portal service providers.
[1] - https://is.docs.wso2.com/en/latest/guides/login/session-timeout/
Related
There is any webservice providing by WSO2 Identity server, to remove a session for specific user to specific ServiceProvider?
I am using SAMLSSO for many web application and they all are integrating with WSO2 server.
Now let's say scenario is,User is login with 2 application at the same time. I want to logout it from one application.
There is one service provided by logout and it's providing single logout and session will be remove for all application. There is webservice provided by IS or way to achieve logout for one specific application ?
What you are asking is to have the capability of removing a specific participant from the session created in the Identity Server side. I don't see a straight forward way (OOTB) of achieving this.
Closest you can achieve is as below.
Make your application perform a forceAuth. ForceAuth will request for user credentials despite having the cookies in the browser. (This will prevent the user from experiencing the SSO comfort. Still you can authenticate against the IS)
Prevent the application from sending an SLO request to WSO2. Rather, terminate the self(application) session upon logout.
When your application really wants to perform an SLO (logout all the applications, not just yours), your application can send an SLO request to the Identity Server.
Performing a force authentication :
SAML - Send forceAuth=true as a query paramter in your login request. Or else change the SAML AuthenricationRequest payload body to indicate a force authentication as in the spec(Line 2042).
OIDC - Send prompt=login as an additional query parameter in the /authorization request.
You can do this by calling the REST API and SOAP API provided by WSO2 IS. This will remove the session at WSO2 IS but I'm not sure if it will also trigger the SLO to other service providers or not.
Reference:
https://is.docs.wso2.com/en/latest/develop/calling-admin-services/
https://is.docs.wso2.com/en/latest/develop/session-mgt-rest-api/
Trigger a SOAP request getUserProfile from the UserProfileMgtService.wsdl. The default user profile will be 'default' or you can put the customized profile name you used. This will return the details. Grab the user id from this.
Trigger a GET to the API: /{user-id}/sessions with the user-id from step 1 to get the list of all active sessions this user currently have. Go through the list of sessions and find the session ID of the Service Provider you need to clear.
Trigger a DELETE request to API: /{user-id}/sessions/{session-id} with the user id from step 1 & session id from step 2
We are currently using WSO2IS 5.3.0 for authentication, and using Pac4J as a session cache in our application. Each API touches the session cache to keep alive the Pac4J session (so it expires after N minutes of inactivity).
Can the WSO2 session cache be touched in the same way? If so, what's the best method to do so (without too much chatter between WSO2 and our application)?
Whenever Pac4J session is expired you have send authentication request to WSO2 Identity server as per the protocol you are using SAML, OAuth2 ...etc. At the time you send authentication request if IDP session already expired you will be redirected to authentication (login page). If IDP session is not expired you will get authenticated assertion without re-authentication. You can refer [1] about how to control IDP session.
[1] https://docs.wso2.com/display/IS570/Configuring+Session+Timeout
We are using WSO2 Identity Server 5.3.0. I configured trust between WSO2 IDP (symbolic name "IDP1") and the Service provider (symbolic name "SP1"). Then I configured second trust between WSO2 acting as a service provider ("SP2") and federated IDP (symbolic name "IDP2", some public/gov service). SP1 protects some resources, access to them is granted only when users are authenticated to IDP2. Everything is based on SAML protocol.
Login works fine - login requests are redirected from WSO2(=IDP1) to IDP2.
IDP1 initiated logout works fine too.
But IDP2 initiated logout fails with message (in a browser): "Attention: Something went wrong during the authentication process. Please try signing in again." It generates the record to the WSO2 log: "{...DefaultRequestCoordinator} Context does not exist. Probably due to invalidated cache".
During the IDP2 initiated logout correct LogoutRequest is sent to WSO2 (https://amsrv.mydomain.org:9443/commonauth).
Does WSO2 support such scenario (IDP2 initiated logout)?
SLO is working based session ID. You cannot invalidate a session that is not recognized by the IDP.
Your log seens to indicate that the context [pointed by the session id provided in the SLO request] does not exist so cannot be terminated.
Please deactivate Ciphering on the flow, put a Wireshark and look at it. WSO2IS is providing a screen in user dahsboard to see which session are open and with which ids.
I suspect that IdP2 is sending the session ID of the session between Client and IdP2... not the session ID of session between Client and IdP1.
Jeff
We are going to be using WSO2 Identity server to authenticate users into a web portal. The web portal will contain many sso links to other systems. Currently, the only identity protocol we are using is CAS (From Ellucian).
Our issue is when someone logs into our web portal, using CAS from wso2, then that user browses around through the portal for 10+ minutes, then that user clicks a link to a service relying on the wso2 session, that session has timed out, and the user must log into wso2 again.
Is it possible to programatically extend the user's session by sending something from the web portal periodically? Like a URL call saying "Hey, I'm still using the wso2 session, don't end it please!".
Any request that you will make from that browser to WSO2 IS from your application e.g. portlet, servlet, that will access session will automatically extend it.
If you are using the SSO features of IS, it has a default session idle timeout of 15 minutes. You can increase this timeout as described in [1]. As this is a idle timeout any request that access the session in the IS will delay the session expiry time as described in this answer
[1] https://docs.wso2.com/display/IS510/Configuring+Session+Timeout
I'm currently using WSO2 Identity server along with several service providers. I have also configured Single sign on between them.
According to the documentation a system admin can configure a validity in seconds for any SSO sessions under /repository/conf/identity.xml, so that an user can enter their credentials, tick "remember me", and log-in to any service provider while the session is still valid. However, changing this value doesn't seem to have any effect. Users can still log-in to the other service provider even when the SSO Session has supposedly expired.
Searching a bit more threw this JIRA on WSO2 Oxygen Tank, describing exactly the same problem and has a patch that calls setMaxAge on the "Remember me" cookie, but this hasn't fixed the issue.
Furthermore, according to this question sessions in memory must be persisted after 15 minutes, and the persistence doesn't work properly. There are a few patches. Yet still, when I try a value of, say, 30 seconds, I can still log-in on another service provider after the SSO session has supposedly expired, so I don't think it's a persistence issue since the session is still on the cache.
How exactly is the session expired on the identity server? Does it send LogoutRequests to every configured service provider on timeout, or is the expiration only valid for new sessions?
How exactly is the session expired on the identity server?
By default Identity Server 5.0 have session for 15mins and it only can reduce the time using the web.xml (which is at <IS_HOME>/repository/conf/tomcat/carbon/WEB-INF/ folder)
If you installed Service Pack 1 for the Identity Server 5.0, it have the session persistence as well. So using that
Identity Server's session timeout can be increased as mentioned in the docs.
Does it send LogoutRequests to every configured service provider on timeout, or is the expiration only valid for new sessions?
Identity Server session timeout only valid for new sessions, and it does not send any LogoutRequests to service providers to invalidate existing Service Providers' sessions.