I have a question about the SSO flow.
Let's say we have 2 MVC applications as clients and an authentication provider
Client 1 has a cookie lifetime of 40 minutes.
Client 2 has a cookie lifetime of 10 minutes (maybe it's more strict for security reasons)
The expiration for the cookies is sliding, e.g. if a user logs in at 12:00 the cookie will expire in 12:40, however if the user makes a call to a page at 12:05 the expiration will subsequently be at 12:45
Now, what we want to do is implement SSO using Identity Server 4
User tries to login to Client A
User is redirected to Identity Server
User logs in on IS - User is redirected back to Client A with tokens
then
User tries to login on Client B
User is redirected on Identity Server
Identity Server cookie exists
User is redirected back to Client B with tokens
What is the correct approach regarding the Identity Server cookie expiration?
For example, upon logging in to the second client, the Identity Server cookie is already set to be 40 minutes long from the previous login. This is a problem due to the need of the second client for a cookie expiration time of 10 minutes.
Related
We are currently using WSO2IS 5.3.0 for authentication, and using Pac4J as a session cache in our application. Each API touches the session cache to keep alive the Pac4J session (so it expires after N minutes of inactivity).
Can the WSO2 session cache be touched in the same way? If so, what's the best method to do so (without too much chatter between WSO2 and our application)?
Whenever Pac4J session is expired you have send authentication request to WSO2 Identity server as per the protocol you are using SAML, OAuth2 ...etc. At the time you send authentication request if IDP session already expired you will be redirected to authentication (login page). If IDP session is not expired you will get authenticated assertion without re-authentication. You can refer [1] about how to control IDP session.
[1] https://docs.wso2.com/display/IS570/Configuring+Session+Timeout
We are going to be using WSO2 Identity server to authenticate users into a web portal. The web portal will contain many sso links to other systems. Currently, the only identity protocol we are using is CAS (From Ellucian).
Our issue is when someone logs into our web portal, using CAS from wso2, then that user browses around through the portal for 10+ minutes, then that user clicks a link to a service relying on the wso2 session, that session has timed out, and the user must log into wso2 again.
Is it possible to programatically extend the user's session by sending something from the web portal periodically? Like a URL call saying "Hey, I'm still using the wso2 session, don't end it please!".
Any request that you will make from that browser to WSO2 IS from your application e.g. portlet, servlet, that will access session will automatically extend it.
If you are using the SSO features of IS, it has a default session idle timeout of 15 minutes. You can increase this timeout as described in [1]. As this is a idle timeout any request that access the session in the IS will delay the session expiry time as described in this answer
[1] https://docs.wso2.com/display/IS510/Configuring+Session+Timeout
What would be the best way to implement single sign on for a group of web applications developed using different back end stacks without using any third part services and without taking them down. How can be the migration be done ?
For single sign on to work, you must have same database table which contains username/password for all the web applications
Create and deploy a web service which has login method with two parameters username and password. This method authenticates user and returns user id and their respective role and login valid upto time.
if user is authenticated FIRST TIME, update valid upto time for that user into
database for which user will remain authenticated. e.g. 10 days from
now
If authentication fails, login method should return false
In each web applications, in webservice callable method, if user login is succeed, create a cookie which should be expired on validupto
time return by web service. Adjust cookie time as per server's timezone
let's guess, user is validated from web application1 and cookie is created which is not going to expired for the next 10 days as per
validupto time
Same user opens web application 2 who is not logged into web appliation2. Here you have to check whether login cookie is found or not, if not call webservice,
webservice will check that user's validupto is more than current time
from db so it will return user id and his respective role, validupto time directly without checking user's credentials
So here again, cookie will be created based on validupto time returns by webservice which will
expire on the same time as web application 1 cookie. So the same user will remain logged into both web application 1 & 2 for the same time.
Once cookie is expired, user will be logged out from both web applications.
This way, you can use as many web applications as you want for Single Sign On.
NOTE: Make sure that you have same fuction in all web application which calls webservices and creates cookie based on web service response.
I'm currently using WSO2 Identity server along with several service providers. I have also configured Single sign on between them.
According to the documentation a system admin can configure a validity in seconds for any SSO sessions under /repository/conf/identity.xml, so that an user can enter their credentials, tick "remember me", and log-in to any service provider while the session is still valid. However, changing this value doesn't seem to have any effect. Users can still log-in to the other service provider even when the SSO Session has supposedly expired.
Searching a bit more threw this JIRA on WSO2 Oxygen Tank, describing exactly the same problem and has a patch that calls setMaxAge on the "Remember me" cookie, but this hasn't fixed the issue.
Furthermore, according to this question sessions in memory must be persisted after 15 minutes, and the persistence doesn't work properly. There are a few patches. Yet still, when I try a value of, say, 30 seconds, I can still log-in on another service provider after the SSO session has supposedly expired, so I don't think it's a persistence issue since the session is still on the cache.
How exactly is the session expired on the identity server? Does it send LogoutRequests to every configured service provider on timeout, or is the expiration only valid for new sessions?
How exactly is the session expired on the identity server?
By default Identity Server 5.0 have session for 15mins and it only can reduce the time using the web.xml (which is at <IS_HOME>/repository/conf/tomcat/carbon/WEB-INF/ folder)
If you installed Service Pack 1 for the Identity Server 5.0, it have the session persistence as well. So using that
Identity Server's session timeout can be increased as mentioned in the docs.
Does it send LogoutRequests to every configured service provider on timeout, or is the expiration only valid for new sessions?
Identity Server session timeout only valid for new sessions, and it does not send any LogoutRequests to service providers to invalidate existing Service Providers' sessions.
I want to get your opinion on a security concern regarding Facebook SSO (Or any SSO provider, for that matter).
When a user preforms FB SSO on the mobile and by that performs a sign-in to our app, we pass the token received from FB mobile app to our server, and the server preforms a request to FB to authenticate that the token is valid, and this is not a stolen request.
This is done only for the first time. Theoretically, on every call to our server from now on, we still need to call FB server and keep authenticating the token, as Facebook is our identity server. This obviously not ideal, since every request to our server can not be synchronized with FB server request constantly, performance-wise and for many other reasons.
However, from a security point of view, although all requests are SSL'd, our server does not know that this user token is still valid, and the only way for it to make sure, it to call FB server. (A good example for this is user doing SSO and then removed the app on FB settings.)
What are your thoughts on this issue?