SAML Global Logout - saml

I have set up two SPs (service providers) with an ADFS server.
Currently I can log out fine in each SP. However, I would like to implement that once the IdP receives a logout request, it invalidates the login session on all the SPs.
Could it be achieved?
NOTE: I am implementing with SAML 2.0 and ADFS (3.0)

Related

SAML SSO Unsure how a user gets to the protected SP page for IDP initiated SAML

I currently maintain an in-house SAML IDP written utilising LightSaml. This has served the company well for the last 2 years working with SP initiated SSO. I have recently been tasked with implementing IDP initiated SSO and I'm not able to work out how the user is automatically redirected to the desired protected page once they're authenticated.
In SP initiated SSO, the user starts at the page they want, therefore the SP knows where they want to end up after being authenticated. So in this case, the SP handles the final redirection.
In IDP initiated SSO, the SP doesn't actually know what protected page the user wants, so could someone explain what happens after the IDP sends the auth response to the SP?
Thanks in advance.
In IdP-initiated SSO, along with the SAML response, the IdP can send relay state. This relay state is the URL the SP should redirect to once SSO completes. If no relay state is sent, the SP will most likely redirect to some default page.
A typical scenario is that the IdP has a portal page with one or more links representing different pages at the SP. If the user clicks link #1, the IdP initiates SSO to the SP and sets the relay state to the page #1 URL. If the user clicks link #2, the IdP initiates SSO to the SP and sets the relay state to the page #2 URL.
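An added example (not code from the answer above) of both halves of that RelayState flow: the IdP portal attaching the target page as RelayState, and the SP deciding where to redirect once SSO completes. RelayState is an untrusted form field next to the SAMLResponse, so the SP side only accepts targets it serves itself and otherwise falls back to the default page the answer mentions. The host name, default landing page and portal link table are assumptions for this example.

```python
"""RelayState: set by the IdP portal, validated by the SP before redirecting."""
from urllib.parse import urlsplit, urlunsplit

SP_HOST = "sp.example.com"       # assumed SP host
DEFAULT_LANDING = "/home"        # assumed default page when RelayState is unusable
MAX_RELAY_STATE = 80             # SAML 2.0 Bindings caps RelayState at 80 bytes

# IdP side: portal link -> SP page the user asked for (constructed table).
PORTAL_LINKS = {"link1": "/reports", "link2": "/billing"}


def portal_relay_state(link_id):
    """RelayState the IdP attaches to the SAML response when a portal link is clicked."""
    target = PORTAL_LINKS[link_id]
    if len(target.encode()) > MAX_RELAY_STATE:
        raise ValueError("RelayState exceeds the 80-byte limit")
    return target


def resolve_post_sso_target(relay_state):
    """SP side: a redirect target the SP owns, or DEFAULT_LANDING if RelayState is absent or unsafe."""
    if not relay_state or len(relay_state.encode()) > MAX_RELAY_STATE:
        return DEFAULT_LANDING
    # Control characters and backslashes are refused outright: browsers treat
    # '\' like '/', so '/\other.host' would leave the site.
    if "\\" in relay_state or any(ord(c) < 0x21 for c in relay_state):
        return DEFAULT_LANDING
    try:
        parts = urlsplit(relay_state)
        port = parts.port           # raises ValueError on a malformed port
    except ValueError:
        return DEFAULT_LANDING
    if not parts.scheme and not parts.netloc:
        # Site-relative path; '//host/...' carries a netloc and never reaches here.
        return relay_state if relay_state.startswith("/") else DEFAULT_LANDING
    if (parts.scheme == "https" and parts.hostname == SP_HOST
            and parts.username is None and port in (None, 443)):
        # Absolute URL to ourselves: re-emit as path+query so userinfo and
        # fragment tricks are dropped and the redirect stays on-site.
        return urlunsplit(("", "", parts.path or "/", parts.query, ""))
    return DEFAULT_LANDING
```

The allowlist is deliberately strict: anything that is not a site-relative path or an https URL to the SP's own host falls back to the default page rather than being "fixed up", which keeps the ACS endpoint from becoming an open redirect.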

How to programmatically extract SAML token for IDP and SP?

I have SSO configured between the IDP (ADFS) and the SP, and the IDP generates a SAML token and posts it to the SP page for authentication. But I would like to create a new application called test-app, and this app should programmatically generate/extract the SAML token for the IDP and SP by using a pop-up login window.
Is it possible?
After I get the SAML token, I intend to use it on a REST web service of the SP.
The SAML flow requires the SAML token to be generated by the IDP.
The IDP has the private key to sign the SAML token.
You can generate one in your app, but you won't be able to sign it correctly, and there is no flow to send it to the IDP.

ADFS as a SAML Service Provider interacting with other Relying Parties

I have a web application that is capable of being a SAML 2.0 IdP as well as a SP, and have successfully implemented SSO between my platform and ADFS, but only when ADFS is the IdP.
This is my first foray into integrating with my platform, using ADFS as a SP and I'm having problems understanding the SSO flow.
In my situation, I have three players: WebApp (IdP), ADFS (SP), RelyingParty (S). The trusts are set up in ADFS, and the user experience is supposed to be a successful login to the RelyingParty having logged in to the WebApp.
Setting up a new Claims Provider Trust in ADFS with my web app appears to work perfectly. I can go to my app's IdP-initiated URL, which sends an unsolicited SAML message to ADFS's ACS URL. When I do this, I get redirected to /idpinitiatedsignon with the message "You are signed in" and a drop-down of the relying parties I've already set up.
If I click on the login button for the RP, ADFS generates a new AuthNRequest to my web app before eventually getting to the Relying Party.
So, seeing this behaviour, I have two questions:
I would have thought that the initial sign-in to ADFS via my IdP-initiated login would have got me through to my RP without the need for going back to the IdP for another sign-in. Have I misunderstood, or have I just misconfigured ADFS?
By what mechanism does ADFS determine that my IdP is to be used? If I go to the ADFS /adfs/ls/idpinitiatedsignon.aspx page in a browser, I've not involved my IdP at all, and selecting my RP does use my IdP to authorize the user, but I've no idea how this is determined since there's no link between the Claims Provider Trust and the Relying Party in the ADFS configuration.
What happens if you use loginToRp:
https://your-adfs-server/adfs/ls/IdpInitiated.aspx?loginToRp=your:relying:party:id
You have chosen to use IDP Initiated to ADFS. So ADFS handles the authentication.
If you want to involve your IDP, you need to use SP-Initiated flow from the RelyingParty (S).
Then ADFS will show you the Home Realm Discovery screen and you can pick your IDP.

SAML SSO - How SSO works with SAML

I know how SAML works and I know how SSO works. My understanding of SSO is that the IDP creates a cookie in the IDP domain (which other domains cannot access) and uses it to authenticate the user.
The SAML protocol itself doesn't say anything about SSO. I get confused when they mix SAML with SSO, e.g. IDP-initiated SSO etc.
As per my understanding, SSO is implemented independently of SAML (using a cookie). Please correct me if I'm missing something.

SAML 2.0, Single Logout issue

I have a question regarding SAML 2.0 and SLO.
During SLO, as an IdP we're initiating the logout and sending a logout request to the SP, and the SP is sending back a logout response. We're getting a partial logout on the IdP side and the user is getting logged out on the IdP side; however, if I go back to the SP site, I am still logged in.
Is this an issue on the IdP side or the SP side? By that I mean, should the SP terminate the session and send a logout response to the IdP, or is it the IdP's job to terminate the sessions on both sides?
Thanks
The SP session is the responsibility of the SP. They should kill their session before returning the LogoutResponse to the IdP.
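An added example, not code from this thread, that models both sides of that answer in memory: an SP that terminates its own session before it returns a LogoutResponse, and an IdP that records every SP it has issued a session to so that one logout can be fanned out to all of them (which is also what the global-logout question at the top of this page asks for). The entity IDs, session stores and SP/IdP classes are constructed for the example; signing and the HTTP Redirect/POST bindings are left out so the session-handling order stays visible.

```python
"""Single Logout round trip, modelled in memory (constructed example)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"


def _tag(prefix, name):
    return "{%s}%s" % (NS[prefix], name)


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(issuer, name_id, session_index):
    """Return (request_id, xml). SessionIndex scopes the logout to one session."""
    req_id = "_" + uuid.uuid4().hex
    req = ET.Element(_tag("samlp", "LogoutRequest"),
                     {"ID": req_id, "Version": "2.0", "IssueInstant": _now()})
    ET.SubElement(req, _tag("saml", "Issuer")).text = issuer
    ET.SubElement(req, _tag("saml", "NameID")).text = name_id
    ET.SubElement(req, _tag("samlp", "SessionIndex")).text = session_index
    return req_id, ET.tostring(req, encoding="unicode")


def build_logout_response(issuer, in_response_to, status):
    resp = ET.Element(_tag("samlp", "LogoutResponse"),
                      {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                       "IssueInstant": _now(), "InResponseTo": in_response_to})
    ET.SubElement(resp, _tag("saml", "Issuer")).text = issuer
    status_el = ET.SubElement(resp, _tag("samlp", "Status"))
    ET.SubElement(status_el, _tag("samlp", "StatusCode"), {"Value": status})
    return ET.tostring(resp, encoding="unicode")


def logout_status(response_xml, expected_in_response_to=None):
    """Top-level StatusCode of a LogoutResponse; Requester if InResponseTo does not match."""
    resp = ET.fromstring(response_xml)
    if expected_in_response_to and resp.get("InResponseTo") != expected_in_response_to:
        return STATUS_REQUESTER
    return resp.find("samlp:Status/samlp:StatusCode", NS).get("Value")


class ServiceProvider:
    def __init__(self, entity_id, idp_entity_id):
        self.entity_id = entity_id
        self.idp_entity_id = idp_entity_id
        self.sessions = {}  # (name_id, session_index) -> session data

    def login(self, name_id, session_index):
        self.sessions[(name_id, session_index)] = {"user": name_id}

    def handle_logout_request(self, request_xml):
        req = ET.fromstring(request_xml)
        if req.findtext("saml:Issuer", namespaces=NS) != self.idp_entity_id:
            # Only the trusted IdP may end sessions here; refuse anything else.
            return build_logout_response(self.entity_id, req.get("ID"), STATUS_REQUESTER)
        key = (req.findtext("saml:NameID", namespaces=NS),
               req.findtext("samlp:SessionIndex", namespaces=NS))
        self.sessions.pop(key, None)  # kill the local session first ...
        return build_logout_response(self.entity_id, req.get("ID"), STATUS_SUCCESS)  # ... then answer


class IdentityProvider:
    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.sps = {}           # entity_id -> ServiceProvider
        self.participants = {}  # (name_id, session_index) -> set of SP entity IDs

    def register_sp(self, sp):
        self.sps[sp.entity_id] = sp

    def sso(self, name_id, session_index, sp_entity_id):
        """Issue a session to one SP and remember it as a logout participant."""
        self.sps[sp_entity_id].login(name_id, session_index)
        self.participants.setdefault((name_id, session_index), set()).add(sp_entity_id)

    def global_logout(self, name_id, session_index, initiating_sp=None):
        """Send a LogoutRequest to every other participant; Success only if all confirm."""
        targets = self.participants.pop((name_id, session_index), set()) - {initiating_sp}
        all_ok = True
        for sp_id in sorted(targets):
            req_id, req_xml = build_logout_request(self.entity_id, name_id, session_index)
            resp_xml = self.sps[sp_id].handle_logout_request(req_xml)
            if logout_status(resp_xml, req_id) != STATUS_SUCCESS:
                all_ok = False
        return STATUS_SUCCESS if all_ok else STATUS_PARTIAL


def demo():
    """One user signed in to two SPs; a logout started at SP A reaches SP B via the IdP."""
    idp = IdentityProvider("https://idp.example/saml")
    sp_a = ServiceProvider("https://sp-a.example/saml", idp.entity_id)
    sp_b = ServiceProvider("https://sp-b.example/saml", idp.entity_id)
    for sp in (sp_a, sp_b):
        idp.register_sp(sp)
        idp.sso("alice", "session-1", sp.entity_id)
    sp_a.sessions.pop(("alice", "session-1"), None)  # SP A ends its own session first
    status = idp.global_logout("alice", "session-1", initiating_sp=sp_a.entity_id)
    return {"status": status, "sp_a_sessions": len(sp_a.sessions), "sp_b_sessions": len(sp_b.sessions)}
```

The partial-logout symptom in the question shows up here whenever an SP answers with anything other than Success, or with an InResponseTo that does not match the request the IdP sent: the IdP reports PartialLogout, and the SP that did not call sessions.pop before responding still has a live session.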