Can you please elaborate on how sessions are managed in WSO2 IS? How are incoming tokens handled, how are sessions expired, how is session protection done, etc.?
If you can, please point me to a link where I can read that information.
Related
We are currently using WSO2IS 5.3.0 for authentication, and using Pac4J as a session cache in our application. Each API touches the session cache to keep alive the Pac4J session (so it expires after N minutes of inactivity).
Can the WSO2 session cache be touched in the same way? If so, what's the best method to do so (without too much chatter between WSO2 and our application)?
Whenever the Pac4J session has expired you have to send an authentication request to WSO2 Identity Server as per the protocol you are using (SAML, OAuth2, etc.). At the time you send the authentication request, if the IDP session has already expired you will be redirected to authentication (login page). If the IDP session has not expired you will get an authenticated assertion without re-authentication. You can refer to [1] about how to control the IDP session.
[1] https://docs.wso2.com/display/IS570/Configuring+Session+Timeout
We are using WSO2 Identity Server 5.3.0. I configured trust between WSO2 IDP (symbolic name "IDP1") and the Service provider (symbolic name "SP1"). Then I configured a second trust between WSO2 acting as a service provider ("SP2") and a federated IDP (symbolic name "IDP2", some public/gov service). SP1 protects some resources; access to them is granted only when users are authenticated to IDP2. Everything is based on the SAML protocol.
Login works fine - login requests are redirected from WSO2(=IDP1) to IDP2.
IDP1 initiated logout works fine too.
But IDP2 initiated logout fails with message (in a browser): "Attention: Something went wrong during the authentication process. Please try signing in again." It generates the record to the WSO2 log: "{...DefaultRequestCoordinator} Context does not exist. Probably due to invalidated cache".
During the IDP2 initiated logout correct LogoutRequest is sent to WSO2 (https://amsrv.mydomain.org:9443/commonauth).
Does WSO2 support such scenario (IDP2 initiated logout)?
SLO works based on session ID. You cannot invalidate a session that is not recognized by the IDP.
Your log seems to indicate that the context [pointed to by the session id provided in the SLO request] does not exist, so it cannot be terminated.
Please deactivate ciphering on the flow, put Wireshark on it and look at it. WSO2IS provides a screen in the user dashboard to see which sessions are open and with which IDs.
I suspect that IdP2 is sending the session ID of the session between Client and IdP2... not the session ID of session between Client and IdP1.
Jeff
I would like to know whether WSO2 Identity Server supports session concurrency management. I want to configure a pre-defined maximum number of open concurrent sessions for each service provider. When this number is exceeded, then either the oldest of the former sessions is logged out or no new login session is set up.
Are there any possible ways or ideas for a session authentication strategy that manages session concurrency in WSO2 Identity Server?
Can this problem be solved by enabling authentication session persistence?
I appreciate your cooperation.
There is no specific way we can track the session to support concurrent session management in such a way.
AFAIK session persistence only persists the session but no information related to its service provider, therefore we cannot limit the number of concurrent sessions to be handled by a specific service provider.
You can get some idea on this by following this guide [1].
[1] https://docs.wso2.com/display/IS510/Enabling+Authentication+Session+Persistence
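The two answers above make the same underlying point: an IdP can only act on sessions it has itself recorded. Jeff's answer explains why a LogoutRequest carrying a session index the IdP never issued cannot terminate anything, and the concurrency answer explains that a per-service-provider cap is impossible unless each session records which service provider it was established for. The toy registry below is an added example (not WSO2 IS code; `SessionRegistry`, `IdpSession`, the `idp1-session-N` index format and the `federated_index` mapping are all constructed here) that models both: SLO is resolved by the IdP's own SessionIndex, an unknown index is refused, and a per-SP limit is enforced with either an evict-oldest or a reject-new policy.

```python
"""Toy IdP session registry. Added example, not WSO2 IS code.

Models two things discussed in the thread:
  * SAML SLO is keyed by the IdP's own SessionIndex. A LogoutRequest whose
    SessionIndex was never issued by this IdP cannot terminate a session
    (the "Context does not exist" situation).
  * A per-service-provider concurrency cap can only be enforced if the IdP
    records, for every session, which service provider it was created for.
"""
from __future__ import annotations

import itertools
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class IdpSession:
    session_index: str                 # index this IdP issued (SAML SessionIndex)
    subject: str
    service_providers: Set[str] = field(default_factory=set)
    federated_index: Optional[str] = None  # upstream IdP's index, if federated (assumption)


class SessionRegistry:
    """In-memory registry; insertion order of the OrderedDict is session age."""

    def __init__(self, max_sessions_per_sp: int = 2, reject_when_full: bool = False):
        self.max_per_sp = max_sessions_per_sp
        self.reject_when_full = reject_when_full   # False: evict oldest; True: refuse login
        self._sessions: "OrderedDict[str, IdpSession]" = OrderedDict()
        self._by_federated: Dict[str, str] = {}     # upstream index -> local index
        self._counter = itertools.count(1)

    def active_for_sp(self, sp: str) -> List[str]:
        return [idx for idx, s in self._sessions.items() if sp in s.service_providers]

    def login(self, subject: str, sp: str, federated_index: Optional[str] = None) -> Optional[str]:
        """Create a session for `subject` at service provider `sp`.

        Returns the new local session index, or None when the per-SP cap is
        reached and the policy is to reject new logins."""
        active = self.active_for_sp(sp)
        if len(active) >= self.max_per_sp:
            if self.reject_when_full:
                return None
            self.logout(active[0])          # oldest first, because of insertion order
        idx = f"idp1-session-{next(self._counter)}"   # constructed index format
        self._sessions[idx] = IdpSession(idx, subject, {sp}, federated_index)
        if federated_index is not None:
            self._by_federated[federated_index] = idx
        return idx

    def logout(self, session_index: str) -> bool:
        """Handle a LogoutRequest carrying `session_index`.

        True if a session was terminated; False if the index is unknown to
        this IdP, which is what an upstream IdP's own index looks like here."""
        session = self._sessions.pop(session_index, None)
        if session is None:
            return False
        if session.federated_index is not None:
            self._by_federated.pop(session.federated_index, None)
        return True

    def logout_by_federated_index(self, federated_index: str) -> bool:
        """Resolve an upstream IdP's index to the local session, if it was
        recorded at login time; otherwise the request cannot be honoured."""
        local = self._by_federated.get(federated_index)
        return local is not None and self.logout(local)

    def count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    reg = SessionRegistry(max_sessions_per_sp=2)
    a = reg.login("alice", "SP1")
    b = reg.login("bob", "SP1", federated_index="idp2-session-77")
    print("IdP2's index directly:", reg.logout("idp2-session-77"))        # False
    print("via recorded mapping:", reg.logout_by_federated_index("idp2-session-77"))  # True
```

The `federated_index` mapping is the part that goes beyond the thread: it shows what the IdP would have to store at login time for an upstream-initiated logout to be resolvable at all. Without that record, the only index the IdP can match is the one it issued itself.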
I have third-party thrift services which need to check if a user is authenticated using WSO2 IS. I am using IS's thriftAuthenticator to authenticate a user and it returns me an authToken.
What I need is the JSessionId for the user, and then for each corresponding call pass that JSessionId around and use an aspect to check that the Id has not expired.
My question is how can I find if the JSessionId is still valid for a user and also what is the timeout for that session.
If there is an authentication failure exception, client-side code can be implemented to retry by retrieving a new thrift session id. So you do not need to worry about the session timeout on the server side.
I'm currently using WSO2 Identity server along with several service providers. I have also configured Single sign on between them.
According to the documentation a system admin can configure a validity in seconds for any SSO session under /repository/conf/identity.xml, so that a user can enter their credentials, tick "remember me", and log in to any service provider while the session is still valid. However, changing this value doesn't seem to have any effect. Users can still log in to the other service provider even when the SSO session has supposedly expired.
Searching a bit more turned up this JIRA on WSO2 Oxygen Tank, which describes exactly the same problem and has a patch that calls setMaxAge on the "Remember me" cookie, but this hasn't fixed the issue.
Furthermore, according to this question sessions in memory must be persisted after 15 minutes, and the persistence doesn't work properly. There are a few patches. Yet still, when I try a value of, say, 30 seconds, I can still log-in on another service provider after the SSO session has supposedly expired, so I don't think it's a persistence issue since the session is still on the cache.
How exactly is the session expired on the identity server? Does it send LogoutRequests to every configured service provider on timeout, or is the expiration only valid for new sessions?
How exactly is the session expired on the identity server?
By default Identity Server 5.0 has a 15 min session, and the time can only be reduced using the web.xml (which is in the <IS_HOME>/repository/conf/tomcat/carbon/WEB-INF/ folder).
If you installed Service Pack 1 for Identity Server 5.0, it has session persistence as well. Using that, Identity Server's session timeout can be increased as mentioned in the docs.
Does it send LogoutRequests to every configured service provider on timeout, or is the expiration only valid for new sessions?
The Identity Server session timeout is only valid for new sessions, and it does not send any LogoutRequests to service providers to invalidate existing service providers' sessions.
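The Pac4J keep-alive question earlier in the thread and this last answer describe two different clocks: a sliding idle timeout that every request extends, and an absolute validity after which a session is dead regardless of activity. The answer also states that expiry is passive, taking effect only when a new request arrives at the IdP and sending nothing to relying parties. The cache below is an added example (not WSO2 IS or Pac4J code; `IdleTimeoutCache`, its methods and the sample timestamps are constructed here) that makes both behaviours concrete: `touch` extends the idle window, `max_lifetime_s` caps the session regardless of touches, and an expired entry is only discovered and discarded when it is next looked up.

```python
"""Toy SSO session cache with idle timeout and optional absolute lifetime.
Added example, not WSO2 IS or Pac4J code.

Two behaviours from the thread:
  * a keep-alive "touch" extends a sliding idle timeout (the Pac4J pattern);
  * expiry is lazy: nobody is notified, and an expired entry is discovered
    only when the next request for it arrives at the IdP.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    subject: str
    created_at: float   # seconds; supplied by the caller so the example is deterministic
    last_seen: float


class IdleTimeoutCache:
    def __init__(self, idle_timeout_s: float, max_lifetime_s: Optional[float] = None):
        self.idle_timeout_s = idle_timeout_s      # sliding window (idle timeout)
        self.max_lifetime_s = max_lifetime_s      # absolute validity; None = unbounded
        self._store: Dict[str, Session] = {}
        self.logout_requests_sent = 0             # never incremented: expiry is passive

    def create(self, session_id: str, subject: str, now: float) -> None:
        self._store[session_id] = Session(subject, created_at=now, last_seen=now)

    def _expired(self, s: Session, now: float) -> bool:
        if now - s.last_seen > self.idle_timeout_s:
            return True
        return self.max_lifetime_s is not None and now - s.created_at > self.max_lifetime_s

    def touch(self, session_id: str, now: float) -> bool:
        """Keep-alive. Returns False (and drops the entry) if already expired."""
        s = self._store.get(session_id)
        if s is None:
            return False
        if self._expired(s, now):
            del self._store[session_id]           # noticed only now, on this request
            return False
        s.last_seen = now                          # slide the idle window
        return True

    def lookup(self, session_id: str, now: float) -> Optional[str]:
        """Return the subject for a still-valid session; also counts as activity."""
        if not self.touch(session_id, now):
            return None
        return self._store[session_id].subject

    def size(self) -> int:
        return len(self._store)


if __name__ == "__main__":
    c = IdleTimeoutCache(idle_timeout_s=30, max_lifetime_s=60)
    c.create("s1", "alice", now=0.0)
    for t in (20.0, 40.0, 55.0, 65.0):
        print(f"t={t:>4}: touch ->", c.touch("s1", now=t))   # last one is False: lifetime hit
    print("logout requests sent:", c.logout_requests_sent)   # 0
```

Note what the cache does not do: no relying party is told anything when a session crosses either limit, which is why, as the answer above says, a shorter IdP timeout changes nothing for sessions the service providers already hold.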