SAML Replay Detection - refresh

We have a Java based web application which uses SAML 2.0 for SSO. As part of the SSO we have also implemented Single Logout. Can anyone please share info on how to fix the below issue
User logs into IDP(app1)
User clicks on the link to the SP(app2)
User logs out of IDP. A logout request is received by SP and the session is invalidated
User refreshes the browser that has SP(app2) open and the the original IDP request is resubmitted. The SP processes this request as if it came from the IDP. With this the user is still able to navigate/use app2 even though he has logged out of the IDP.
I think the best solution is to go back to IDP and check if the session(based on SAML SessionIndex is valid) but not sure on how we can do it. Note the browser refresh only works within the window specified NotBefore and NotOnOrAfter. If the user tries to refresh out of this window we have logic that rejects the request/response.

The SP should also check for SAML assertion replay.
Every SAML assertion includes a unique ID.
Your SP should keep track of these until they expire (ie until NotOnOrAfter). When you receive a SAML assertion, if the ID has already been seen by your SP, the SAML assertion should be rejected.

Related

How to test a SAML Hijack or Replay

We need to manually test a SAML Hijack or Replay.
We have been trying Postman but it only responds with a message that we need to accept javascript. We only want to see a Response from the ACS/SP that the user is logged in. We have full access to the original SAML response via SAML tracer, and we administer the IDP and user database. Does anyone know how to test this?
It would be best if we can do this directly on a browser so we can actually login.

How can I remove session for specific user for specific ServiceProvider in WSO2 IS?

There is any webservice providing by WSO2 Identity server, to remove a session for specific user to specific ServiceProvider?
I am using SAMLSSO for many web application and they all are integrating with WSO2 server.
Now let's say scenario is,User is login with 2 application at the same time. I want to logout it from one application.
There is one service provided by logout and it's providing single logout and session will be remove for all application. There is webservice provided by IS or way to achieve logout for one specific application ?
What you are asking is to have the capability of removing a specific participant from the session created in the Identity Server side. I don't see a straight forward way (OOTB) of achieving this.
Closest you can achieve is as below.
Make your application perform a forceAuth. ForceAuth will request for user credentials despite having the cookies in the browser. (This will prevent the user from experiencing the SSO comfort. Still you can authenticate against the IS)
Prevent the application from sending an SLO request to WSO2. Rather, terminate the self(application) session upon logout.
When your application really wants to perform an SLO (logout all the applications, not just yours), your application can send an SLO request to the Identity Server.
Performing a force authentication :
SAML - Send forceAuth=true as a query paramter in your login request. Or else change the SAML AuthenricationRequest payload body to indicate a force authentication as in the spec(Line 2042).
OIDC - Send prompt=login as an additional query parameter in the /authorization request.
You can do this by calling the REST API and SOAP API provided by WSO2 IS. This will remove the session at WSO2 IS but I'm not sure if it will also trigger the SLO to other service providers or not.
Reference:
https://is.docs.wso2.com/en/latest/develop/calling-admin-services/
https://is.docs.wso2.com/en/latest/develop/session-mgt-rest-api/
Trigger a SOAP request getUserProfile from the UserProfileMgtService.wsdl. The default user profile will be 'default' or you can put the customized profile name you used. This will return the details. Grab the user id from this.
Trigger a GET to the API: /{user-id}/sessions with the user-id from step 1 to get the list of all active sessions this user currently have. Go through the list of sessions and find the session ID of the Service Provider you need to clear.
Trigger a DELETE request to API: /{user-id}/sessions/{session-id} with the user id from step 1 & session id from step 2

WSO2IS-5.7.0 OIDC SSO logout without id_token_hint

I am working with OIDC and WSo2IS-5.7.0. I Want to implement rp initiated global logout (I want to terminate the session from RP and as well as OP or WSO2 in my case.) When user clicks on logout button, I am redirecting the user to this URL :
https://myserver:9443/oidc/logout?id_token_hint=<idtoken>&post_logout_redirect_uri=https://myotherserver.com/myapp/index
It is working fine and user is redirected to login page of wso2. My client consider it not secure and want to do the same without being send id_token to front end. Is it possible with wso2is-5.7.0?
If yes, how?
If no, isn't it insecure that we send id token to FE? anyone can use it to make API call?
It is not possible. In WSO2 implementation we use the id_token_hint to extract the client_id from the id_token (sent as the id_token_hint). This is necessary to retrieve the service provider information for which the id_token was issued to.
Otherwise we don't have a way to validate whether the value sent in post_logout_redirect_uri is a registered callback for the service provider.
So if we omit the id_token_hint, we cannot validate the post_logout_redirect_uri sent which will open up another security hole allowing redirection to untrusted uris.

How to force Identity provider to do authentication on every request from SP

I have an application and when i logged to the the application, it creates session cookie and SP (Apache 2.4) creates a SAML request and send it along with session cookie to the shibboleth idp V2. on first hit of any protected resource, i am getting response from IDP and SP is doing access control decisions on that,however if i click on any other or same protected resource in the same session,then there is no hit to IDP.My requirement is that on each click on any resource in the application, IDP should be hit every time & send SAML response back to SP. I am guessing that SAML response came very first time is being cached by SP that stops me hitting the IDP again.
I researched in few sites and found that there is forceAuthn=true attribute to be defined in or section in the Shibboleth2.xml or define "ShibRequestSetting forceAuthn true" content in the block in virual host that forces sp to send each request to idp, but it didn't worked out.
Please help to know how can we stop response being cached in SP and allow IDP to take new request from SP.

Is there the conditional single logout in WSO2 Identity Server?

Currently we are using WSO2 IS 5.1. In a single logout process, is it possible that can only the session that has requested, has been logout but other shared session still has remained?
I want to ask better, how we can display in my web application an option list from other SP issuers that their SP sessions has made during SSO login, and then we make to choose which the session that want to log out and can send logout request for selected SP and also want that only selected session has been log outed. exists any suggestion or example?
thanks a lot
First you need to know the flow of single logout in WSO2 Identity Server.
In one Service Provider(SP) send the logout request to Identity Provider(IDP). Then IDP determine the session participant. If session participant exist then send the logout request IDP to SP. After SP issue a logout response to the IDP. After that IDP send the logout response to original logout request. Now all session participant terminated.
You can found more details here.
It seems by default IS can't achieve your requirement.