Send to login screen on session time out


Vikas Ahlawat

May 14, 2021, 5:41:29 PM
to Pac4j users mailing list
Hi,
The SAML session times out after 3 hours; how do I redirect to the login screen? Right now, to do that, I have to manually delete the browser history, otherwise I get this error:
"Authentication issue instant is too old or in the future".

I know that to fix this error we can set the time in the AuthenticationLifetime method, but I want to redirect to the login screen after the session timeout. Any idea how to do that? I really appreciate any help.

Thank you,
Vikas

Jérôme LELEU

May 17, 2021, 3:02:16 AM
to Vikas Ahlawat, Pac4j users mailing list
Hi,

As soon as the web session expires, any call to a protected URL will trigger the login process and the redirection to the IdP.
The error you get: "Authentication issue instant is too old or in the future" is a misconfiguration, it means that the authentication returned by the IdP is too old.
You must properly configure the maximumAuthenticationLifetime property of the SAML2Configuration component to match the IdP configuration.
Thanks.
Best regards,
Jérôme



To view this discussion on the web visit https://groups.google.com/d/msgid/pac4j-users/709d91ab-bc7b-4318-8a4d-4c6b8154839an%40googlegroups.com.

Vikas Ahlawat

May 17, 2021, 5:46:11 AM
to Pac4j users mailing list
Hi Jérôme,

Thank you for the response, but I set the configuration as per the docs. The ADFS SAML token expiry time is 1 hour by default. I am using pac4j-saml version 4.0.0-RC1.
Can you please check the configuration and help me out with what I am missing?

SAML configuration:

import java.io.IOException;
import java.util.List;

import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.core.NameID;
import org.pac4j.core.logout.handler.LogoutHandler;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.config.SAML2Configuration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;

@Configuration
public class SamlConfiguration {

    @Bean
    SAML2Configuration saml2Configuration() throws IOException {
        // SP keystore, keystore password, private key password, IdP (ADFS) metadata
        SAML2Configuration config = new SAML2Configuration(
                new ClassPathResource("keystore.jks"),
                "factorlab",
                "factorlab",
                new ClassPathResource("federationmetadata.xml")
        );
        config.setForceAuth(false);
        config.setPassive(false);
        config.setAuthnRequestBindingType(SAMLConstants.SAML2_POST_BINDING_URI);
        // Neither the AuthnRequest nor the assertions are required to be signed here;
        // for anything beyond a local test, require signed assertions from the IdP.
        config.setAuthnRequestSigned(false);
        config.setWantsAssertionsSigned(false);
        config.setResponseBindingType(SAMLConstants.SAML2_POST_BINDING_URI);
        config.setUseNameQualifier(false);
        // Maximum age, in seconds, of the AuthnInstant in the IdP's assertion. Older
        // assertions fail with "Authentication issue instant is too old or in the future".
        config.setMaximumAuthenticationLifetime(3600);
        config.setNameIdPolicyFormat(NameID.EMAIL);
        config.setServiceProviderEntityId("testdemo");
        // This setting takes digest algorithm URIs (here SHA-256), not signature
        // algorithm URIs such as xmldsig-more#rsa-sha256.
        config.setSignatureReferenceDigestMethods(List.of("http://www.w3.org/2001/04/xmlenc#sha256"));
        config.setSignMetadata(false);
        config.setPostLogoutURL("http://localhost:8080/saml/logout");
        // LogoutHandler's methods all have default bodies, so this is a no-op handler
        config.setLogoutHandler(new LogoutHandler() {});
        return config;
    }

    @Bean
    SAML2Client saml2Client() throws IOException {
        SAML2Client saml2Client = new SAML2Client(saml2Configuration());
        // The callback URL is also the SP's AssertionConsumerService in its metadata
        saml2Client.setCallbackUrl("http://localhost:8080/saml");
        saml2Client.init();
        return saml2Client;
    }

}

Controller:

import java.io.IOException;
import java.util.Optional;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.pac4j.core.context.JEEContext;
import org.pac4j.core.exception.http.RedirectionAction;
import org.pac4j.core.http.adapter.JEEHttpActionAdapter;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.credentials.SAML2Credentials;
import org.pac4j.saml.profile.SAML2Profile;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/saml")
public class TestController {
    // Session attribute holding the authenticated profile. The controller is a
    // singleton, so a plain field would be shared by (and overwritten for) every
    // user who logs in; the HTTP session keeps the profile per user.
    private static final String PROFILE_ATTR = "saml2Profile";

    private final SAML2Client saml2Client;

    public TestController(SAML2Client saml2Client) {
        this.saml2Client = saml2Client;
    }

    @GetMapping("/metadata")
    public String metadata() throws IOException {
        // SP metadata to register at the IdP
        return saml2Client.getServiceProviderMetadataResolver().getMetadata();
    }

    @RequestMapping("/login")
    public void login(HttpServletRequest request, HttpServletResponse response) {
        // Build the AuthnRequest and redirect the browser to the IdP
        JEEContext context = new JEEContext(request, response);
        Optional<RedirectionAction> redirect = saml2Client.redirect(context);
        redirect.ifPresent(action -> JEEHttpActionAdapter.INSTANCE.adapt(action, context));
    }

    @RequestMapping
    public String sso(HttpServletRequest request, HttpServletResponse response) {
        // Callback URL: validate the SAML response and build the user profile
        JEEContext context = new JEEContext(request, response);
        try {
            Optional<SAML2Credentials> credentials = saml2Client.getCredentials(context);
            SAML2Credentials saml2Credentials = credentials.orElseThrow();
            SAML2Profile userProfile = (SAML2Profile) saml2Credentials.getUserProfile();
            request.getSession().setAttribute(PROFILE_ATTR, userProfile);
            return "success: " + userProfile.getId() + "\n NotAfter: " + userProfile.getNotOnOrAfter();
        } catch (RedirectionAction action) {
            // pac4j signals HTTP redirects (e.g. back to the IdP) as exceptions
            JEEHttpActionAdapter.INSTANCE.adapt(action, context);
            return null;
        }
    }

    @RequestMapping("/logout")
    public void logout(HttpServletRequest request, HttpServletResponse response) {
        JEEContext context = new JEEContext(request, response);
        // The LogoutRequest needs the logged-in user's own NameID and SessionIndex,
        // so take the profile stored for this session at SSO time
        SAML2Profile saml2Profile = (SAML2Profile) request.getSession().getAttribute(PROFILE_ATTR);
        if (saml2Profile == null) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        Optional<RedirectionAction> redirect = saml2Client.getLogoutAction(context, saml2Profile, null);
        request.getSession().removeAttribute(PROFILE_ATTR);
        redirect.ifPresent(action -> JEEHttpActionAdapter.INSTANCE.adapt(action, context));
    }

    @RequestMapping("/logout-success")
    public String logoutSuccess() {
        return "logout success";
    }

}


Thanks and regards,
Vikas Ahlawat

Jérôme LELEU

May 18, 2021, 1:47:00 AM
to Vikas Ahlawat, Pac4j users mailing list
Hi,

Which pac4j lib do you use? You shouldn't need to perform the redirection to the SAML IdP by yourself.
The SAML configuration looks correct.
Thanks.
Best regards,
Jérôme


Vikas Ahlawat

May 19, 2021, 1:14:55 AM
to Pac4j users mailing list
Hi,
I am using the pac4j-saml library, version 4.0.0-RC1.

<dependency>
    <groupId>org.pac4j</groupId>
    <artifactId>pac4j-saml</artifactId>
    <version>4.0.0-RC1</version>
    <scope>runtime</scope>
</dependency>

> You shouldn't need to perform the redirection to the SAML IdP by yourself.

OK, thanks for the advice. I should configure this in the Azure SAML configuration, right?

Thank you,
Vikas

Jérôme LELEU

May 19, 2021, 5:20:48 AM
to Vikas Ahlawat, Pac4j users mailing list
Hi,

You should use a pac4j implementation: http://www.pac4j.org/implementations.html

Thus, you would secure endpoints and the redirection would be triggered automatically.

Thanks.
Best regards,
Jérôme

Vikas Ahlawat

Jun 3, 2021, 10:03:54 AM
to Pac4j users mailing list
Hi  Jérôme ,

Can you please guide me on how I should implement pac4j so that after the session times out it will redirect to the login page again? I am new to pac4j and don't have much of an idea about it.

Thank you,
Vikas

Jérôme LELEU

Jun 4, 2021, 1:49:55 AM
to Vikas Ahlawat, Pac4j users mailing list
Hi,

Any secure endpoint will automatically trigger a login process when the session expires.
Thanks.
Best regards,
Jérôme
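The two answers above (use a pac4j implementation; a secured endpoint triggers login by itself when the session expires) in working code, as an added example that is not part of the original thread or of the pac4j project. It assumes spring-webmvc-pac4j 4.x next to pac4j-saml 4.x, reuses the SAML2Configuration bean posted in the thread, and the package name, the /app/** path pattern, the client name "SAML2Client" and the /callback URL are illustrative assumptions:

```java
// Added example (not from the original thread or the pac4j project): securing
// endpoints with spring-webmvc-pac4j so the redirect to the IdP is automatic.
// Assumptions: spring-webmvc-pac4j 4.x, pac4j-saml 4.x, a SAML2Configuration
// bean as posted in the thread, illustrative package/paths/client name.
package com.example.saml;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.profile.ProfileManager;
import org.pac4j.core.profile.UserProfile;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.config.SAML2Configuration;
import org.pac4j.springframework.web.SecurityInterceptor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
// Picks up the stock CallbackController (/callback) and LogoutController (/logout)
// shipped with spring-webmvc-pac4j, replacing hand-written SSO endpoints.
@ComponentScan(basePackages = "org.pac4j.springframework.web")
public class Pac4jSecurityConfig implements WebMvcConfigurer {

    private final Config config;

    public Pac4jSecurityConfig(SAML2Configuration saml2Configuration) {
        // Same SAML2Configuration as in the thread; the callback URL is the
        // stock CallbackController's path.
        SAML2Client saml2Client = new SAML2Client(saml2Configuration);
        saml2Client.setName("SAML2Client");
        this.config = new Config(new Clients("http://localhost:8080/callback", saml2Client));
    }

    @Bean
    public Config pac4jConfig() {
        // CallbackController and LogoutController autowire this Config bean
        return config;
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // Every request under /app/** goes through pac4j's security logic: with a
        // profile in the web session the request proceeds; without one (first
        // visit, or the session has expired) pac4j redirects to the IdP and, after
        // the callback, back to the URL that was originally requested.
        registry.addInterceptor(new SecurityInterceptor(config, "SAML2Client"))
                .addPathPatterns("/app/**");
    }
}

@RestController
class AppController {

    @GetMapping("/app/whoami")
    public String whoami(HttpServletRequest request, HttpServletResponse response) {
        // The interceptor guarantees an authenticated profile here; read it from
        // the session via ProfileManager rather than from a shared controller field.
        JEEContext context = new JEEContext(request, response);
        UserProfile profile = new ProfileManager<>(context).get(true)
                .orElseThrow(() -> new IllegalStateException("no authenticated profile"));
        return "authenticated as " + profile.getId();
    }
}
```

One caveat on the error from the first post: when the web session expires but the IdP's own SSO session is still alive, the IdP answers the new AuthnRequest without prompting, and the AuthnInstant in that assertion is the time of the original login, not of the new request. So maximumAuthenticationLifetime has to be at least as long as the IdP's SSO session, or the SP has to request a fresh authentication with setForceAuth(true); otherwise the automatic redirect above ends in the same "Authentication issue instant is too old or in the future" failure.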

