ADFS not re-authenticating after logout
413 views
Skip to first unread message
Tom Foster
Apr 5, 2016, 6:09:55 PM4/5/16
to SimpleSAMLphp
Hello,
I have been following this guide
I now have Simplesaml working as an SP with ADFS handling the login.
Upon logging out of the simplesaml session, I can immediately revalidate the user without having to re-authenticate via ADFS manually.
Is it possible for Simplesaml to request that the ADFS session be invalidated? and cause a user to re-enter credentials to use the service again?
Bjørn Ove Grøtan
Apr 5, 2016, 6:23:41 PM4/5/16
to simple...@googlegroups.com
Tom Foster:
https://simplesamlphp.org/docs/stable/saml:sp
Specifically look for the ForceAuthN parameter.
This will make your setup a single login (SLO) system rather than a single sign on (SSO).
It might be a bad idea if possible at all to invalidate the ADFS-session - as the user
can have valid auth-session for other service providers. But if it is important for
you to reauthenticate the user for each session, use ForceAuthN-parameter instead.
--
Regards
Bjørn Ove Grøtan
Specifically look for the ForceAuthN parameter.
This will make your setup a single login (SLO) system rather than a single sign on (SSO).
It might be a bad idea if possible at all to invalidate the ADFS-session - as the user
can have valid auth-session for other service providers. But if it is important for
you to reauthenticate the user for each session, use ForceAuthN-parameter instead.
--
Regards
Bjørn Ove Grøtan
Peter Schober
Apr 5, 2016, 6:36:31 PM4/5/16
to SimpleSAMLphp
* Tom Foster <sedo...@gmail.com> [2016-04-06 00:10]:
A UPN is your actual username in MS-Windows, e.g. found via Wikipedia:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa380525(v=vs.85).aspx
Whereas a transient NameID is defined to be an " identifier with
transient semantics and SHOULD be treated as an opaque and temporary
value by the relying party." (SAML Core, 8.3.8).
So that's not a good match, you're spilling personal data while
claiming it to be transient, short-lived, opaque data.
> Upon logging out of the simplesaml session, I can immediately
> revalidate the user without having to re-authenticate via ADFS
> manually.
So SLO (Single Logout) failed (if it even was sent). Without logs or
any other technical details there's not much to go on about.
-peter
> I have been following this guide
>
> http://www.lewisroberts.com/2015/09/06/integrating-simplesamlphp-with-adfs-2012r2/
Note that that guide documents to send the UPN as a "transient NameID".
>
> http://www.lewisroberts.com/2015/09/06/integrating-simplesamlphp-with-adfs-2012r2/
A UPN is your actual username in MS-Windows, e.g. found via Wikipedia:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa380525(v=vs.85).aspx
Whereas a transient NameID is defined to be an " identifier with
transient semantics and SHOULD be treated as an opaque and temporary
value by the relying party." (SAML Core, 8.3.8).
So that's not a good match, you're spilling personal data while
claiming it to be transient, short-lived, opaque data.
> Upon logging out of the simplesaml session, I can immediately
> revalidate the user without having to re-authenticate via ADFS
> manually.
any other technical details there's not much to go on about.
-peter
Tom Foster
Apr 6, 2016, 5:36:42 AM4/6/16
to SimpleSAMLphp, peter....@univie.ac.at, bgr...@grotan.com
On Tuesday, 5 April 2016 23:36:31 UTC+1, Peter Schober wrote:
Note that that guide documents to send the UPN as a "transient NameID".
A UPN is your actual username in MS-Windows, e.g. found via Wikipedia:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa380525(v=vs.85).aspx
Whereas a transient NameID is defined to be an " identifier with
transient semantics and SHOULD be treated as an opaque and temporary
value by the relying party." (SAML Core, 8.3.8).
So that's not a good match, you're spilling personal data while
claiming it to be transient, short-lived, opaque data.
I don't mind about this, it's an internal application, and we use the uid inside the app for various display things.
If you have a better suggestion for how to do the transient name thing, feel free to educate me, I'm learning a lot as I go here.
> Upon logging out of the simplesaml session, I can immediately
> revalidate the user without having to re-authenticate via ADFS
> manually.
So SLO (Single Logout) failed (if it even was sent). Without logs or
any other technical details there's not much to go on about.
-peter
I plan to install a saml sniffer and collect some logs.
@bgrotan:
I tried to do the 'ForceAuthn' => TRUE,like you suggested. However this seemed to have no effect.
Here is my authsource config:
'<CORP>-Fed' => array( 'saml:SP', 'ForceAuthn' => TRUE, 'entityID' => null, 'idp' => 'http://<CORP STS>.com/adfs/services/trust', 'description' => array( 'en' => 'Federation Service', ),
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', // ADFS 2012R2 requires signing of the logout - the others are optional (may be overhead you don't want.) 'sign.logout' => TRUE, 'redirect.sign' => TRUE, 'assertion.encryption' => TRUE, // We now need a certificate and key. The following command (executed on Linux usually) // creates a self-signed cert and key, using SHA256, valid for 2 years. // openssl req -x509 -nodes -sha256 -days 730 -newkey rsa:2048 -keyout my.key -out my.pem 'privatekey' => 'my.key', 'certificate' => 'my.pem',
// Enforce the use of SHA-256 by default. 'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'),I tried https://<CORP STS>.com/adfs/ls/?wa=wsignout1.0 but I have learnt that this is for WS-Fed logins, not saml logins.
If specific logs or config details would help, please ask for them, as I don't know what would be particularly of use in tracking this down.
Peter Schober
Apr 6, 2016, 5:45:18 AM4/6/16
to SimpleSAMLphp
* Tom Foster <sedo...@gmail.com> [2016-04-06 11:36]:
whether an SLO request is being sent to the IDP or not.
But you can have both using Mozilla Firefox and the SAMLtracer
extension.
> 'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
Not sure what this is for. You specifically request "unspecified" from
the IDP, and then configure the IDP to send "transient", and with the
subject's UPN as value? Those are 3 different things. Anyone taking
over things from you and having to understand those might be tempted
to speak of you in no good terms. :)
> 'privatekey' => 'my.key',
> 'certificate' => 'my.pem',
Are those readable by the user SimpleSAMLphp runs as?
Is the public key included in the SP's metadata (when you access SSP's
web admin UI) and is the key present in the ADFS Relying Party Trust
thingy for that SP?
-peter
> > So SLO (Single Logout) failed (if it even was sent). Without logs or
> > any other technical details there's not much to go on about.
>
> > any other technical details there's not much to go on about.
>
> I plan to install a saml sniffer and collect some logs.
Simply watching the HTTP requests in your browser would confirm
whether an SLO request is being sent to the IDP or not.
But you can have both using Mozilla Firefox and the SAMLtracer
extension.
> 'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
the IDP, and then configure the IDP to send "transient", and with the
subject's UPN as value? Those are 3 different things. Anyone taking
over things from you and having to understand those might be tempted
to speak of you in no good terms. :)
> 'privatekey' => 'my.key',
> 'certificate' => 'my.pem',
Is the public key included in the SP's metadata (when you access SSP's
web admin UI) and is the key present in the ADFS Relying Party Trust
thingy for that SP?
-peter
Tom Foster
Apr 6, 2016, 6:10:53 AM4/6/16
to SimpleSAMLphp
Here is the http trace when I call logout from the application. It certainly seems to be hitting the ADFS endpoint.
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace: 0 /var/simplesamlphp/www/module.php:170 (N/A) Caused by: sspmod_saml_Error: Requester/InvalidNameIDPolicy Backtrace: 3 /var/simplesamlphp/modules/saml/lib/Message.php:392 (sspmod_saml_Message::getResponseError) 2 /var/simplesamlphp/modules/saml/lib/Message.php:499 (sspmod_saml_Message::processResponse) 1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:120 (require) 0 /var/simplesamlphp/www/module.php:127 (N/A)
Yes, the keys appear in the ADFS side of things
--
You received this message because you are subscribed to a topic in the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/simplesamlphp/IrGAypwSJ7o/unsubscribe.
To unsubscribe from this group and all its topics, send an email to simplesamlph...@googlegroups.com.
To post to this group, send email to simple...@googlegroups.com.
Visit this group at https://groups.google.com/group/simplesamlphp.
For more options, visit https://groups.google.com/d/optout.
Peter Schober
Apr 13, 2016, 11:06:03 AM4/13/16
to SimpleSAMLphp
* Tom Foster <sedo...@gmail.com> [2016-04-06 12:10]:
that for you, otherwise you'd have to decode it yourself.
-peter
> Here is the http trace when I call logout from the application. It
> certainly seems to be hitting the ADFS endpoint.
OK, then look at the logout request. SAMLtracer should be able to do
> certainly seems to be hitting the ADFS endpoint.
that for you, otherwise you'd have to decode it yourself.
-peter
Reply all
Reply to author
Forward
0 new messages