Clear the session once the user redirects from ADFS


Arjun Me

Jul 13, 2016, 7:51:52 AM7/13/16
to SimpleSAMLphp
Hi,

I am integrating ADFS login with SimpleSAMLphp and Magento. I am able to log in from ADFS and I am able to retrieve the values. Now I want to clear the ADFS and SimpleSAMLphp session once the user is redirected from ADFS. I want to do this without closing the browser.



Peter Schober

Jul 13, 2016, 8:17:46 AM7/13/16
to SimpleSAMLphp
* Arjun Me <arjunm...@gmail.com> [2016-07-13 13:51]:
It's not clear what "I want to clear the ADFS and Simplesaml Session
Once the user redirected from ADFS" means. Start by describing what
it is that you want to actually achieve and why.

If you are asking about SAML Single Logout: SimpleSAMLphp supports
that, not sure about MS-ADFS when used as SAML 2.0 IDP.

If SSP is used to provide SSO into Magento and you destroy the SSP
session then either Magento itself will be unaccessible or -- if you
kept Magento's sessions fully independent from SSP's session -- you'd
destroy any possibility of Single Logout at the MS-ADFS IDP (and
potentially other SAML SPs used).
So removing the session might make things more insecure, not more
secure, if that's what you're after.

-peter

Arjun Manoharan

Jul 13, 2016, 8:31:33 AM7/13/16
to SimpleSAMLphp, peter....@univie.ac.at
Hi Peter,

The first time, the user logged into ADFS with credentials and I authenticated the user. Now the issue is, when the same user tries to log in with different credentials, I am unable to see the ADFS login screen; it redirects to the return URL with the previous ADFS user's session. If I close the browser and hit the URL again, I am able to see the ADFS login screen. Is there any way to show the ADFS login screen from SimpleSAMLphp without closing the browser?


With Regards
M.Arjun

Peter Schober

Jul 13, 2016, 9:15:44 AM7/13/16
to SimpleSAMLphp
* Arjun Manoharan <arjun.m...@zigy.com> [2016-07-13 14:31]:
> First time user logged into ADFS with credentials and I authenticated the
> user. Now the issue is, When the same user is trying to login with
> different credentials, I am unable to see the ADFS login screen, It was
> redirecting to the return url with the previous ADFS users session. If I
> close the browser and again hit the url, I can able to see the ADFS login
> screen.

OK, so you're asking about user switching or account switching when
using Web Single Sign-On (WebSSO or just SSO) within the same browser.

That won't work just like that, since SSO works by establishing a
session with the IDP (referenced in an HTTP Cookie in your web
browser) and as long as that session is active at the IDP (and present
in the browser) you experience "SSO", i.e., you're not asked to
re-authenticate every time an SP sends you to the IDP, which also
means you have no chance to select a different identity to log in
with.
A web browser with HTTP Cookies referencing sessions for many services
on different servers is simply not meant to be shared between several
people (or between several identities of the same person; for the IDP
that's the same thing, it doesn't know that different accounts are
"owned" by the same person).

There are several ways to deal with that.

One is something each subject controls, and that's starting another
browser (or another instance of the same browser, in "private browsing
mode") when you want to switch identities. The good part is that this
works reliably and works everywhere where you either have two
different browsers installed, or where the one browser installed
supports "private browsing mode".
This also allows you to continue working with the previously
established identity and use another browser (instance) for the other
identity, keeping them both separate.

A very different method would be to (try to) implement SLO (SAML 2.0
Single Logout) everywhere and call logout when you're done with using
the first identity. That should (when done right) destroy any active
sessions at the SP you logged out at/from, at the IDP you got SSO
from, and ideally at any other SP you also used as part of that SSO
session. (That may not always work reliably for many reasons. It may
also not be what you wanted: Maybe you wanted to continue using that
one SP and did not want to logout from that, too.)
Then you'd log in using another identity, just like in the "different
browser (instance)" example above, but using only a single browser.

The downsides for the SLO approach are higher technical complexity and
lowered reliability in making this work (as it involves every single
SP and protected application, plus the IDP) and no use of several
identities in parallel is possible. The (only) potential advantage is
that it's maybe easier to explain to technophobes, as it only requires
use of a single browser (instance), and you can't confuse yourself
about what identity is logged in in what browser (instance). But such
people hopefully do not have to routinely use several identities to
achieve their goals.

There are certainly more ways (e.g. disabling SSP at the IDP
completely) but those all have their downsides and need to be
carefully considered by someone who understands the risks involved.
-peter
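
The SLO-based account switch described above, as an added example that is not part of the thread and not SimpleSAMLphp's own code: a small "switch account" endpoint on the SimpleSAMLphp 1.x API. It assumes the installation path shown in the thread's backtrace and an SP auth source named 'default-sp' (both assumptions).

```php
<?php
// Added example (not from the thread): "switch account" endpoint implementing
// the SLO approach: log out (SP + IdP session), then ask the IdP to log in again.
// Assumptions: SimpleSAMLphp lives at /var/simplesamlphp/simplesamlphp (path taken
// from the backtrace in the thread) and the SP auth source is named 'default-sp'.
require_once '/var/simplesamlphp/simplesamlphp/lib/_autoload.php';

$as = new SimpleSAML_Auth_Simple('default-sp');

// Absolute URL of this script (without query string), used as the return target.
$scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
$self   = $scheme . '://' . $_SERVER['HTTP_HOST'] . strtok($_SERVER['REQUEST_URI'], '?');

$stage = isset($_GET['stage']) ? $_GET['stage'] : 'start';

if ($stage === 'start' && $as->isAuthenticated()) {
    // Step 1: destroy the SP session and send a SAML LogoutRequest to the IdP.
    // SSP redirects the browser to the IdP and, after the IdP's LogoutResponse,
    // back to ReturnTo. If the IdP answers with a non-Success status, SSP raises
    // an sspmod_saml_Error (the "Responder" error seen in the thread comes from
    // the IdP side, not from the SP).
    $as->logout(array('ReturnTo' => $self . '?stage=relogin'));
    // logout() redirects and never returns.
}

// Step 2 (or the first step when no session existed): request a fresh login.
// With the IdP session gone, ADFS shows its credential prompt again, so another
// account can be used without closing the browser. If the IdP did not honour the
// LogoutRequest, its session survives and SSO silently returns the old identity,
// which is the reliability limitation noted above.
$as->requireAuth(array('ReturnTo' => $self . '?stage=done'));

// Reached only once authenticated: show which IdP and which attributes we got.
header('Content-Type: text/plain');
echo "Logged in via IdP: " . $as->getAuthData('saml:sp:IdP') . "\n";
foreach ($as->getAttributes() as $name => $values) {
    echo $name . ': ' . implode(', ', $values) . "\n";
}
```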

Arjun Manoharan

Jul 14, 2016, 3:04:29 AM7/14/16
to SimpleSAMLphp, peter....@univie.ac.at

Hi,

Thanks for the help. Based on your suggestion, I am now using logout once the user was authenticated. But I am getting this error.


SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 /var/simplesamlphp/simplesamlphp/www/module.php:180 (N/A)
Caused by: sspmod_saml_Error: Responder
Backtrace:
3 /var/simplesamlphp/simplesamlphp/modules/saml/lib/Message.php:392 (sspmod_saml_Message::getResponseError)
2 /var/simplesamlphp/simplesamlphp/modules/saml/lib/Message.php:499 (sspmod_saml_Message::processResponse)
1 /var/simplesamlphp/simplesamlphp/modules/saml/www/sp/saml2-acs.php:120 (require)
0 /var/simplesamlphp/simplesamlphp/www/module.php:137 (N/A)


With Regards
M.Arjun

Peter Schober

Jul 14, 2016, 5:29:49 AM7/14/16
to SimpleSAMLphp
* Arjun Manoharan <arjun.m...@zigy.com> [2016-07-14 09:04]:
> Thanks for the help. Based on your suggestion, I am now using logout once
> the user was authenticated. But I am getting this error.
>
> SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
>
> Backtrace:
> 0 /var/simplesamlphp/simplesamlphp/www/module.php:180 (N/A)
> Caused by: sspmod_saml_Error: Responder

No idea. That just tells me that it's an error message from the
Responder, i.e., from the SAML IDP.
-peter