How to force Identity provider to do authentication on every request from SP - cookies

I have an application, and when I log in to the application it creates a session cookie, and the SP (Apache 2.4) creates a SAML request and sends it along with the session cookie to the Shibboleth IDP v2. On the first hit of any protected resource I am getting a response from the IDP and the SP is doing access control decisions on that; however, if I click on any other or the same protected resource in the same session, then there is no hit to the IDP. My requirement is that on each click on any resource in the application, the IDP should be hit every time and send a SAML response back to the SP. I am guessing that the SAML response that came the very first time is being cached by the SP, which stops me hitting the IDP again.
I researched on a few sites and found that there is a forceAuthn=true attribute to be defined in or section in the Shibboleth2.xml, or to define "ShibRequestSetting forceAuthn true" in the block in the virtual host, which forces the SP to send each request to the IDP, but it didn't work out.
Please help me understand how we can stop the response being cached in the SP and allow the IDP to take a new request from the SP.

Related

WSO2IS refresh session via API

We are currently using WSO2IS 5.3.0 for authentication, and using Pac4J as a session cache in our application. Each API touches the session cache to keep alive the Pac4J session (so it expires after N minutes of inactivity).
Can the WSO2 session cache be touched in the same way? If so, what's the best method to do so (without too much chatter between WSO2 and our application)?
Whenever the Pac4J session has expired you have to send an authentication request to WSO2 Identity Server as per the protocol you are using (SAML, OAuth2, etc.). At the time you send the authentication request, if the IDP session has already expired you will be redirected to authentication (the login page). If the IDP session has not expired you will get an authenticated assertion without re-authentication. You can refer to [1] about how to control the IDP session.
[1] https://docs.wso2.com/display/IS570/Configuring+Session+Timeout

SAML Replay Detection

We have a Java based web application which uses SAML 2.0 for SSO. As part of the SSO we have also implemented Single Logout. Can anyone please share info on how to fix the issue below?
User logs into IDP(app1)
User clicks on the link to the SP(app2)
User logs out of IDP. A logout request is received by SP and the session is invalidated
User refreshes the browser that has SP(app2) open and the original IDP request is resubmitted. The SP processes this request as if it came from the IDP. With this, the user is still able to navigate/use app2 even though he has logged out of the IDP.
I think the best solution is to go back to the IDP and check if the session (based on the SAML SessionIndex) is valid, but I'm not sure how we can do it. Note the browser refresh only works within the window specified by NotBefore and NotOnOrAfter. If the user tries to refresh outside this window we have logic that rejects the request/response.
The SP should also check for SAML assertion replay.
Every SAML assertion includes a unique ID.
Your SP should keep track of these until they expire (i.e. until NotOnOrAfter). When you receive a SAML assertion, if the ID has already been seen by your SP, the SAML assertion should be rejected.
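The check described in this answer, written out as an added Python example (it is not code from the asker's application): it parses a SAML 2.0 assertion, enforces the NotBefore/NotOnOrAfter window, and rejects any assertion whose ID has already been recorded, forgetting IDs only once their assertion could no longer be accepted anyway. The element names and namespace are the standard SAML 2.0 ones; the in-memory cache, the sample assertion, its ID, issuer and timestamps are constructed for illustration, and signature verification is assumed to have happened before this step.

```python
"""Assertion-ID replay check for a SAML 2.0 SP (added example, not the asker's code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"  # standard SAML 2.0 assertion namespace


def parse_saml_time(ts: str) -> datetime:
    """SAML xs:dateTime values are UTC, e.g. 2024-01-01T12:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ReplayCache:
    """Remembers each accepted assertion ID until its NotOnOrAfter instant has passed.

    In-memory dict for illustration; a multi-node SP would need a shared store.
    """

    def __init__(self) -> None:
        self._seen: dict[str, datetime] = {}

    def _purge(self, now: datetime) -> None:
        # An ID whose assertion can no longer be valid can be forgotten safely.
        for assertion_id in [i for i, exp in self._seen.items() if exp <= now]:
            del self._seen[assertion_id]

    def check_and_record(self, assertion_id: str, keep_until: datetime, now: datetime) -> bool:
        """Return True (and remember the ID) if unseen, False if it is a replay."""
        self._purge(now)
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = keep_until
        return True


def validate_assertion(xml_text: str, cache: ReplayCache, now: datetime,
                       clock_skew: timedelta = timedelta(seconds=60)) -> tuple[bool, str]:
    """Validity-window and replay checks; signature verification is assumed done already."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not an Assertion"
    assertion_id = root.get("ID")
    conditions = root.find(f"{{{SAML_NS}}}Conditions")
    if not assertion_id or conditions is None:
        return False, "missing ID or Conditions"
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        return False, "missing validity window"
    nb, noa = parse_saml_time(not_before), parse_saml_time(not_on_or_after)
    if now + clock_skew < nb:
        return False, "not yet valid"
    if now - clock_skew >= noa:
        return False, "expired"
    # Keep the ID for as long as the skew-adjusted window could still accept it.
    if not cache.check_and_record(assertion_id, noa + clock_skew, now):
        return False, "replayed assertion ID"
    return True, "ok"


# Constructed sample assertion (ID, issuer and times are made up for the demo).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-id-001"
    Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def demo() -> list[str]:
    """First delivery accepted, browser refresh (same ID) rejected, late refresh expired."""
    cache = ReplayCache()
    first_seen = parse_saml_time("2024-01-01T12:01:00Z")
    return [
        validate_assertion(SAMPLE_ASSERTION, cache, first_seen)[1],
        validate_assertion(SAMPLE_ASSERTION, cache, first_seen + timedelta(seconds=30))[1],
        validate_assertion(SAMPLE_ASSERTION, cache, first_seen + timedelta(minutes=10))[1],
    ]


if __name__ == "__main__":
    print(demo())
```

The second call in `demo()` is the browser-refresh case from the question: the same assertion, still inside its validity window, arrives again and is refused because its ID is already in the cache. The cache entry outlives NotOnOrAfter by the clock-skew allowance so that an ID cannot slip through in the interval where the window check would still accept it.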

wso2 - Does wso2 identity server support IDP initiated logout from federated IDP?

We are using WSO2 Identity Server 5.3.0. I configured trust between WSO2 IDP (symbolic name "IDP1") and the Service provider (symbolic name "SP1"). Then I configured second trust between WSO2 acting as a service provider ("SP2") and federated IDP (symbolic name "IDP2", some public/gov service). SP1 protects some resources, access to them is granted only when users are authenticated to IDP2. Everything is based on SAML protocol.
Login works fine - login requests are redirected from WSO2(=IDP1) to IDP2.
IDP1 initiated logout works fine too.
But IDP2-initiated logout fails with the message (in a browser): "Attention: Something went wrong during the authentication process. Please try signing in again." It generates this record in the WSO2 log: "{...DefaultRequestCoordinator} Context does not exist. Probably due to invalidated cache".
During the IDP2-initiated logout a correct LogoutRequest is sent to WSO2 (https://amsrv.mydomain.org:9443/commonauth).
Does WSO2 support such a scenario (IDP2-initiated logout)?
SLO works based on the session ID. You cannot invalidate a session that is not recognized by the IDP.
Your log seems to indicate that the context [pointed to by the session id provided in the SLO request] does not exist, so it cannot be terminated.
Please deactivate ciphering on the flow, put a Wireshark on it and look at it. WSO2IS provides a screen in the user dashboard to see which sessions are open and with which ids.
I suspect that IdP2 is sending the session ID of the session between the Client and IdP2... not the session ID of the session between the Client and IdP1.
Jeff

Is there the conditional single logout in WSO2 Identity Server?

Currently we are using WSO2 IS 5.1. In a single logout process, is it possible that only the session that requested the logout is logged out, while the other shared sessions remain?
To put it better: how can we display in my web application an option list of the other SP issuers whose SP sessions were created during the SSO login, then choose which session we want to log out, send a logout request for the selected SP only, and have only the selected session logged out? Is there any suggestion or example?
Thanks a lot.
First you need to know the flow of single logout in WSO2 Identity Server.
One Service Provider (SP) sends the logout request to the Identity Provider (IDP). Then the IDP determines the session participants. If session participants exist, the IDP sends a logout request to each SP. Each SP then issues a logout response to the IDP. After that the IDP sends the logout response to the original logout requester. Now all session participants are terminated.
You can find more details here.
It seems by default IS can't achieve your requirement.

How to invalidate Identity provider's (WSO2 IS 5.0.0) session with service provider's session

Environment - WSO2 IS 5.0.0, sample app
I could invalidate the sample application session, but I need to destroy the user session in the IDP along with the sample application session.
Is this an out-of-the-box feature in WSO2?
If not, how can I do it using IS 5.0.0, or is this supported in IS 5.1.0?
Please find answers to your questions. As I remember, you have to install Service Pack 2 to send an IDP-initiated logout request.
WSO2 IS (5.0, 5.1) does not provide this facility out of the box with SP-initiated SSO.
You can use IDP-initiated SSO. The flow is explained below.
i). You have to send an IDP-initiated logout request to the identity provider.
The request should look like this - https://localhost:9443/samlsso?slo=true
ii). When IS receives a logout request, IS sends a logout request to the other service providers that are configured with IS.
iii). Then the other service providers invalidate their sessions, and each service provider sends a logout response to the IDP (IS).
iv). After receiving the logout responses from the service providers, IS destroys its user session for the particular user and sends a logout response to the service provider which sent the logout request.
v). The service provider invalidates its own session.
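The fan-out described in steps i) to v) here, and the same SP-initiated flow described in the WSO2 IS 5.1 answer above, modelled as an added Python example rather than WSO2 Identity Server code: an IDP object keeps the participants of each SSO session, sends a LogoutRequest to every other participant, collects their LogoutResponses, destroys its own session and then answers the requester. A second request for a session index the IDP no longer knows is refused, which is the "context does not exist" situation Jeff points at in the federated-logout thread. The class names, message dicts, session index, user name and status strings are constructed for illustration; the "Requester" status mirrors the SAML top-level status code of that name.

```python
"""Model of SAML single logout (SLO) fan-out, as described in the WSO2 answers above.

Added example: the classes and message dicts are constructed for illustration and
are not WSO2 Identity Server code.
"""
from dataclasses import dataclass, field


@dataclass
class ServiceProvider:
    name: str
    local_sessions: set = field(default_factory=set)  # session indexes this SP holds

    def handle_logout_request(self, session_index: str) -> dict:
        """Steps iii) and v): invalidate the local session, answer with a LogoutResponse."""
        known = session_index in self.local_sessions
        self.local_sessions.discard(session_index)
        return {"type": "LogoutResponse", "issuer": self.name,
                "status": "Success" if known else "PartialLogout"}


class IdentityProvider:
    def __init__(self) -> None:
        # session index -> user and the SPs that joined that SSO session
        self.sessions: dict[str, dict] = {}
        self.trace: list[str] = []  # messages exchanged, for inspection

    def login(self, session_index: str, user: str, sp: ServiceProvider) -> None:
        """SSO login registers the SP as a participant of the user's IDP session."""
        session = self.sessions.setdefault(session_index, {"user": user, "participants": []})
        if sp not in session["participants"]:
            session["participants"].append(sp)
        sp.local_sessions.add(session_index)

    def handle_logout_request(self, request: dict) -> dict:
        """Steps ii) to iv): notify every other participant, then answer the requester."""
        session_index = request["session_index"]
        requester = request.get("issuer")  # None for an IDP-initiated logout (?slo=true)
        session = self.sessions.get(session_index)
        if session is None:
            # Unknown or already-terminated session: nothing to terminate,
            # the situation behind a "context does not exist" error.
            self.trace.append(f"IDP: no session context for {session_index}")
            return {"type": "LogoutResponse", "status": "Requester", "reason": "unknown session"}
        statuses = []
        for sp in session["participants"]:
            if sp.name == requester:
                continue  # the requester gets the final response instead
            self.trace.append(f"IDP -> {sp.name}: LogoutRequest({session_index})")
            response = sp.handle_logout_request(session_index)
            self.trace.append(f"{sp.name} -> IDP: LogoutResponse({response['status']})")
            statuses.append(response["status"])
        del self.sessions[session_index]  # IDP destroys its own user session
        status = "Success" if all(s == "Success" for s in statuses) else "PartialLogout"
        return {"type": "LogoutResponse", "status": status, "notified": len(statuses)}


def run_demo() -> dict:
    """SP1 initiates SLO for a session shared by SP1, SP2 and SP3, then retries it."""
    idp = IdentityProvider()
    sps = [ServiceProvider("SP1"), ServiceProvider("SP2"), ServiceProvider("SP3")]
    for sp in sps:
        idp.login("sess-constructed-42", "alice", sp)  # constructed session index and user
    request = {"type": "LogoutRequest", "issuer": "SP1", "session_index": "sess-constructed-42"}
    first = idp.handle_logout_request(request)
    sps[0].handle_logout_request("sess-constructed-42")  # step v): requester drops its session
    retry = idp.handle_logout_request(request)  # session context is gone now
    return {"first": first, "retry": retry, "trace": idp.trace,
            "remaining": {sp.name: sorted(sp.local_sessions) for sp in sps}}


if __name__ == "__main__":
    for line in run_demo()["trace"]:
        print(line)
```

Leaving `issuer` out of the request models the IDP-initiated case from step i): with no requester to skip, every participant receives a LogoutRequest. The model also makes the point of the 5.1 answer visible: the IDP terminates all participants of the session index it is given, so logging out a single SP while keeping the others would need something other than this flow.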