What are the differences between AuthToken, Session ID, Track ID, AuthState ID


Chin

Jun 17, 2011, 3:01:28 AM
to simpleSAMLphp
Hi All,

I am amazed by the awesomeness of simpleSAMLphp. I have just started
to learn simpleSAMLphp, and have successfully set up a test environment
to find out how to use it. However, I am confused about the
number of "IDs" used in this system and need help. I am hoping
someone can briefly explain to me what those IDs are all about.

In general I am not sure why we need so many IDs; below is how I
understand them. I hope someone can correct me and/or explain
further.

1) AuthToken: What I have understood so far is that this ID is
created once you have successfully logged in and authenticated. This ID is
also saved in a cookie (on both IDP & SP) so that we can use it to
determine whether the user is already authenticated when they access the IDP or
SP.

2) Session ID: If you are using PHPSESS then the IDP & SP will have
different session IDs; this is just for local use?

3) Track ID: I understand the whole process can involve different
servers (at least one for the SP, one for the IDP), and each process can have
different "actions", e.g. login, logout, authenticating. How I
understand it, the Track ID is the ID that groups related actions/processes
together.

4) Auth State ID: If we use simpleSAMLphp for both SP & IDP, each of
them has its own "state"; for example at the IDP, processing the
SAMLRequest is one state and authenticating is another state. Each
state is saved in the session, and each state has its own ID?

Did I miss anything? Or have I understood it wrongly?

A million thanks!

Best regards
Chin

Olav Morken

Jun 17, 2011, 4:21:14 AM
to simple...@googlegroups.com
On Fri, Jun 17, 2011 at 00:01:28 -0700, Chin wrote:
> Hi All,
>
> I am amazed by the awesomeness of simpleSAMLphp. I have just started
> to learn simpleSAMLphp, and have successfully set up a test environment
> to find out how to use it. However, I am confused about the
> number of "IDs" used in this system and need help. I am hoping
> someone can briefly explain to me what those IDs are all about.
>
> In general I am not sure why we need so many IDs; below is how I
> understand them. I hope someone can correct me and/or explain
> further.
>
> 1) AuthToken: What I have understood so far is that this ID is
> created once you have successfully logged in and authenticated. This ID is
> also saved in a cookie (on both IDP & SP) so that we can use it to
> determine whether the user is already authenticated when they access the IDP or
> SP.

Actually, it is a simple session-fixation protection. Since we create
the session object before the user is authenticated, we can be
vulnerable to session fixation attacks in the presence of a buggy web
application somewhere in the domain. The AuthToken protects against
that by setting a new cookie after login, and checking the session
against that.

> 2) Session ID: If you are using PHPSESS then the IDP & SP will have
> different session IDs; this is just for local use?

I'm not sure that I understand what you mean by "local use". The
session ID is usually local to the current domain, so the IDP and SP
will typically have two session IDs. As the name implies,
this is the ID that we use when loading and saving a user's session.

> 3) Track ID: I understand the whole process can involve different
> servers (at least one for the SP, one for the IDP), and each process can have
> different "actions", e.g. login, logout, authenticating. How I
> understand it, the Track ID is the ID that groups related actions/processes
> together.

It is actually more of a non-sensitive session ID. It allows us to
group log messages by the session they belong to, which makes it
easier to debug errors by filtering out information from other
sessions. It is also displayed on various error pages and included in
error reports that are sent.

> 4) Auth State ID: If we use simpleSAMLphp for both SP & IDP, each of
> them has its own "state"; for example at the IDP, processing the
> SAMLRequest is one state and authenticating is another state. Each
> state is saved in the session, and each state has its own ID?

Yes, one state ID "identifies" one login or logout request, so that we
can keep track of information from the time we receive the request
until we send the response.

This also allows one user to have multiple login/logout requests
occurring more or less simultaneously.

Regards,
Olav Morken
UNINETT / Feide

anthon...@mobiliya.com

Feb 1, 2018, 12:50:09 PM
to SimpleSAMLphp
So how do the IDP and SP keep track of a user that's logged in? The SimpleSAMLAuthToken is the only cookie that looks like it's involved in the process.

How is the session index related to the AuthnRequest coming from the SP? Thanks in advance

Anthony

Jaime Perez Crespo

Feb 22, 2018, 7:07:25 AM
to simple...@googlegroups.com
Hi Anthony,

On 1 Feb 2018, at 18:50 PM, anthon...@mobiliya.com wrote:
> So how do the IDP and SP keep track of a user that's logged in?

You are mixing up concepts here. IdP and SP *don’t* share a session. They both keep track of authenticated users independently, by their own session mechanisms. If we are talking about SimpleSAMLphp, the mechanism is always the same: a session referenced by a cookie. Pretty much as any other application on the web.

> The SimpleSAMLAuthToken is the only cookie that looks like it's involved in the process.

No. The auth token is just a session-fixation protection mechanism. It’s a cookie set to a value that’s also referenced internally by the session, so that an attacker cannot prefix a session for you, make you login, and then continue to use the prefixed session to impersonate you.

> How is the session index related to the AuthnRequest coming from the SP? Thanks in advance

They are not. Why would they?


Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
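The AuthToken mechanism that Olav and Jaime describe above (a session object that exists before login, plus a second cookie issued only after login that the session is checked against), modelled as an added Python example. This is not simpleSAMLphp's own code; SessionStore, Session and fixation_scenario are hypothetical names, and the scenario reproduces the "buggy application on the same domain" case where an attacker's pre-authentication session ID ends up in the victim's browser.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    session_id: str                   # value of the ordinary session-ID cookie
    user: Optional[str] = None        # filled in at login
    auth_token: Optional[str] = None  # filled in at login; backs the AuthToken cookie


class SessionStore:
    """Hypothetical server-side store keyed by the session-ID cookie."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def get_or_create(self, session_cookie: Optional[str]) -> Session:
        # The session exists before authentication, which is what makes fixation possible.
        if session_cookie in self.sessions:
            return self.sessions[session_cookie]
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(sid)
        return self.sessions[sid]

    def login(self, session: Session, user: str) -> str:
        # After a successful login a fresh token is stored in the session and returned so
        # the server can set it as a second cookie; only that browser ever receives it.
        session.user = user
        session.auth_token = secrets.token_hex(16)
        return session.auth_token

    def authenticated_user(self, session: Session, auth_token_cookie: Optional[str]) -> Optional[str]:
        # A session counts as authenticated only when the AuthToken cookie matches.
        if session.user is None or session.auth_token is None or auth_token_cookie is None:
            return None
        if not secrets.compare_digest(session.auth_token, auth_token_cookie):
            return None
        return session.user


def fixation_scenario():
    """Attacker plants a pre-auth session ID; victim logs in on it. Returns (victim, attacker, naive)."""
    store = SessionStore()
    sid = store.get_or_create(None).session_id   # attacker obtains an anonymous session ID
    victim = store.get_or_create(sid)            # planted cookie: victim's browser reuses sid
    token = store.login(victim, "alice")         # victim logs in; AuthToken cookie goes to victim only
    victim_sees = store.authenticated_user(store.get_or_create(sid), token)
    attacker_sees = store.authenticated_user(store.get_or_create(sid), None)
    naive_sees = store.get_or_create(sid).user   # what a check on the session ID alone would yield
    return victim_sees, attacker_sees, naive_sees
```

The third value shows what the shared session ID alone would grant; the second shows the attacker being refused despite holding that same ID.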

anthon...@mobiliya.com

Feb 22, 2018, 12:01:32 PM
to SimpleSAMLphp
Thanks for clearing it up Jaime!

Anthony