I have third party thrift services which need to check if user is authenticated using wso2 IS. I am using IS's thriftAuthenticator to authenticate a user and it returns me an authToken.
What I need is the JsessionId for the user and then for each corresponding call pass that JSessionId around and use an aspect to check if that Id has not expired.
My question is how can I find if the JSessionId is still valid for a user and also what is the timeout for that session.
If there are authentication failure exception, client side code can be implemented to retry again by retrieving new thrift sessionid. So, you do not need to worry about session timeout in the server side.
Related
There is any webservice providing by WSO2 Identity server, to remove a session for specific user to specific ServiceProvider?
I am using SAMLSSO for many web application and they all are integrating with WSO2 server.
Now let's say scenario is,User is login with 2 application at the same time. I want to logout it from one application.
There is one service provided by logout and it's providing single logout and session will be remove for all application. There is webservice provided by IS or way to achieve logout for one specific application ?
What you are asking is to have the capability of removing a specific participant from the session created in the Identity Server side. I don't see a straight forward way (OOTB) of achieving this.
Closest you can achieve is as below.
Make your application perform a forceAuth. ForceAuth will request for user credentials despite having the cookies in the browser. (This will prevent the user from experiencing the SSO comfort. Still you can authenticate against the IS)
Prevent the application from sending an SLO request to WSO2. Rather, terminate the self(application) session upon logout.
When your application really wants to perform an SLO (logout all the applications, not just yours), your application can send an SLO request to the Identity Server.
Performing a force authentication :
SAML - Send forceAuth=true as a query paramter in your login request. Or else change the SAML AuthenricationRequest payload body to indicate a force authentication as in the spec(Line 2042).
OIDC - Send prompt=login as an additional query parameter in the /authorization request.
You can do this by calling the REST API and SOAP API provided by WSO2 IS. This will remove the session at WSO2 IS but I'm not sure if it will also trigger the SLO to other service providers or not.
Reference:
https://is.docs.wso2.com/en/latest/develop/calling-admin-services/
https://is.docs.wso2.com/en/latest/develop/session-mgt-rest-api/
Trigger a SOAP request getUserProfile from the UserProfileMgtService.wsdl. The default user profile will be 'default' or you can put the customized profile name you used. This will return the details. Grab the user id from this.
Trigger a GET to the API: /{user-id}/sessions with the user-id from step 1 to get the list of all active sessions this user currently have. Go through the list of sessions and find the session ID of the Service Provider you need to clear.
Trigger a DELETE request to API: /{user-id}/sessions/{session-id} with the user id from step 1 & session id from step 2
We are currently using WSO2IS 5.3.0 for authentication, and using Pac4J as a session cache in our application. Each API touches the session cache to keep alive the Pac4J session (so it expires after N minutes of inactivity).
Can the WSO2 session cache be touched in the same way? If so, what's the best method to do so (without too much chatter between WSO2 and our application)?
Whenever Pac4J session is expired you have send authentication request to WSO2 Identity server as per the protocol you are using SAML, OAuth2 ...etc. At the time you send authentication request if IDP session already expired you will be redirected to authentication (login page). If IDP session is not expired you will get authenticated assertion without re-authentication. You can refer [1] about how to control IDP session.
[1] https://docs.wso2.com/display/IS570/Configuring+Session+Timeout
I am working with OIDC and WSo2IS-5.7.0. I Want to implement rp initiated global logout (I want to terminate the session from RP and as well as OP or WSO2 in my case.) When user clicks on logout button, I am redirecting the user to this URL :
https://myserver:9443/oidc/logout?id_token_hint=<idtoken>&post_logout_redirect_uri=https://myotherserver.com/myapp/index
It is working fine and user is redirected to login page of wso2. My client consider it not secure and want to do the same without being send id_token to front end. Is it possible with wso2is-5.7.0?
If yes, how?
If no, isn't it insecure that we send id token to FE? anyone can use it to make API call?
It is not possible. In WSO2 implementation we use the id_token_hint to extract the client_id from the id_token (sent as the id_token_hint). This is necessary to retrieve the service provider information for which the id_token was issued to.
Otherwise we don't have a way to validate whether the value sent in post_logout_redirect_uri is a registered callback for the service provider.
So if we omit the id_token_hint, we cannot validate the post_logout_redirect_uri sent which will open up another security hole allowing redirection to untrusted uris.
I'm currently using WSO2 Identity server along with several service providers. I have also configured Single sign on between them.
According to the documentation a system admin can configure a validity in seconds for any SSO sessions under /repository/conf/identity.xml, so that an user can enter their credentials, tick "remember me", and log-in to any service provider while the session is still valid. However, changing this value doesn't seem to have any effect. Users can still log-in to the other service provider even when the SSO Session has supposedly expired.
Searching a bit more threw this JIRA on WSO2 Oxygen Tank, describing exactly the same problem and has a patch that calls setMaxAge on the "Remember me" cookie, but this hasn't fixed the issue.
Furthermore, according to this question sessions in memory must be persisted after 15 minutes, and the persistence doesn't work properly. There are a few patches. Yet still, when I try a value of, say, 30 seconds, I can still log-in on another service provider after the SSO session has supposedly expired, so I don't think it's a persistence issue since the session is still on the cache.
How exactly is the session expired on the identity server? Does it send LogoutRequests to every configured service provider on timeout, or is the expiration only valid for new sessions?
How exactly is the session expired on the identity server?
By default Identity Server 5.0 have session for 15mins and it only can reduce the time using the web.xml (which is at <IS_HOME>/repository/conf/tomcat/carbon/WEB-INF/ folder)
If you installed Service Pack 1 for the Identity Server 5.0, it have the session persistence as well. So using that
Identity Server's session timeout can be increased as mentioned in the docs.
Does it send LogoutRequests to every configured service provider on timeout, or is the expiration only valid for new sessions?
Identity Server session timeout only valid for new sessions, and it does not send any LogoutRequests to service providers to invalidate existing Service Providers' sessions.
Currently we are using wso2 IS 4.1.0 version, entitlements service for policy decisions. As entitlement service is a secured service we authenticate and get the cookie then pass the cookie along with the entitlements service requests. we are using jsessionid cookie and ran into a situation where if the wso2 is goes down we have to restart our app as it has a stale cookie we refresh the cookie on a time interval every 15 min. Is there a way in wso2 is to persist the cookie if it get restarted. we tried commenting the inside wso2is-4.1.0\repository\conf\tomcat\carbon\META-INF.
Can you suggest on how we can configure for persistence of jsessionid cookies in wso2is
Thanks
Kishore
User session (jsessionid) is not persisted in server side. So you can re-authenticated after 15min and get a new jsessionid. (If you received an authenticate failure, you can re authenticated). you need to implement PEP in such way.
If you are using basic authentication to authenticate with entitlement service. You can send both cookie (jsessionid) and basic auth header... if cookie is valid it would be authenticate with cookie, if not use basic auth headers and returns the new cookie to client. you can find some java code for this here.. but this is not for entitlement service but you can use....
[1] https://github.com/soasecurity/soasecurity/blob/master/user-mgt/client/remote-user-400/src/main/java/org/soa/security/sample/user/mgt/SampleUserRoleMgtClient.java