simpleSaml Passive authentication not working or wrong configuration? - single-sign-on

I have 2 SPs that use the same idP.
The idP uses simplesamlphp, and I have the 2 SPs configured in saml20-sp-remote.php
The 2 SPs use laravel, and I am able to login using each of the SPs individually, and am able to use the same login in the 2 SPs, as expected.
I do believe that I am missing something here to achieve passive authentication.
What I am trying to do is: I click on the login link on SP1, I get redirected to the login page on my idP and after that to the callback URL in SP1. I can confirm that I am authenticated in SP1, and I would like to go to SP2, click the login link and get redirected back with a login, which doesn't happen. If I set passive mode to true I simply get redirected back with no user logged in, and if I set passive mode to false I get the login form, so I need to insert the same credentials for logging into SP2.
What am I missing?
Just to allow a more detailed troubleshooting or others finding this in the future, I am using the Aacotroneo\Saml2 package for Laravel.
I have overridden the default login method in the SAMLController to this (this was actually the second version, the first parameter was set to get back to the default login URL and I forwarded it to the ACS route hoping to reuse the existing logic):
public function login(Saml2Auth $saml2Auth)
{
    // Arguments: returnTo, parameters, forceAuthn, isPassive, stay, setNameIdPolicy
    $saml2Auth->login('/sso/acs', [], false, true, false, true);
}
Regardless of the redirection URL, I am not able to login with isPassive set to true (4th parameter).
I have looked into the idP logs and also tracked down the error in the callback in Laravel to this message:
The status code of the Response was not Success, was Responder >
Passive authentication not supported.
However, I have read that this error can be triggered either by a nonexisting login in idP for that SP as well as for other reasons.
With that in mind, I am a little bit lost.
It seems like the idP is not recognizing the SPs as being related, and does not tell SP2 that there is a user logged in from SP1.
Any hints on missing configurations or additional troubleshooting I can do?
Thank you
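The quoted error ("was Responder > Passive authentication not supported.") is the SAML 2.0 way of saying "IsPassive was set and the IdP found no session it could reuse for this user", which is distinct from an authentication failure or a misconfigured SP. The following is an added example, not code from the original post, from SimpleSAMLphp or from the Aacotroneo\Saml2 package: it parses the `<samlp:Status>` of a Response and maps the top-level and second-level status codes onto what the SP should do next. The two sample responses are constructed by hand; the status URNs are the ones defined in SAML 2.0 Core, and the assumption that the IdP reports this case with a `NoPassive` second-level code is stated in the comments.

```python
"""Classify the <samlp:Status> of a SAML 2.0 Response (added example)."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"samlp": SAMLP}

# Status code URNs from SAML 2.0 Core, section 3.2.2.2.
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"
AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"


def parse_status(response_xml: str) -> dict:
    """Return top-level code, optional nested (second-level) code and StatusMessage.

    xml.etree is enough for this offline demo; for responses received from the
    network use defusedxml or an equally hardened parser.
    """
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("Response carries no <samlp:Status> element")
    top = status.find("samlp:StatusCode", NS)
    if top is None or "Value" not in top.attrib:
        raise ValueError("<samlp:Status> has no top-level StatusCode")
    nested = top.find("samlp:StatusCode", NS)
    message = status.find("samlp:StatusMessage", NS)
    return {
        "code": top.attrib["Value"],
        "subcode": nested.attrib.get("Value") if nested is not None else None,
        "message": message.text.strip() if message is not None and message.text else None,
    }


def explain_status(status: dict) -> str:
    """Map a parsed status onto the SP's next step."""
    if status["code"] == SUCCESS:
        return "success"
    if status["subcode"] == NO_PASSIVE:
        # IsPassive="true" and the IdP holds no session for this browser.
        # This is the expected answer, not a fault: retry without IsPassive
        # so the user gets the login form.
        return "no-idp-session"
    if status["subcode"] == AUTHN_FAILED:
        return "authentication-failed"
    if status["code"] == REQUESTER:
        return "request-rejected"
    return "idp-error"


# Constructed sample: the shape of a Responder/NoPassive answer. The second-level
# NoPassive code is an assumption about how the IdP reports the quoted error.
NO_PASSIVE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-response-1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
    Destination="https://sp2.example.test/sso/acs">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Passive authentication not supported.</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

# Constructed sample: a successful response (assertion omitted, only the status matters here).
SUCCESS_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-response-2" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
    Destination="https://sp2.example.test/sso/acs">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:Response>"""


if __name__ == "__main__":
    for sample in (NO_PASSIVE_RESPONSE, SUCCESS_RESPONSE):
        parsed = parse_status(sample)
        print(parsed["code"], parsed["subcode"], "->", explain_status(parsed))
```

Seeing `no-idp-session` on SP2 right after a successful login on SP1 means the IdP did not recognise the browser's IdP session on the second request, which points at the IdP-side session (cookie domain/path, session store) rather than at the SP's `isPassive` argument.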

If you also get the login screen again on your IdP even when passive is turned off, the problem is not in the use of isPassive, but apparently your IdP does not support single sign-on or it does not work. Maybe there's a session management issue (something with cookies, session storage backend or periodic cleanup) that prevents the SimpleSAML IdP from finding the session of returning users?

Related

Okta is returning an invalid redirect uri when connected to IdentityServer 3 and performing sign out

I'm trying to integrate Okta as a third party Identity Provider for a system I am working on that is using the IdentityServer 3 framework to support my customers that use Okta. I have everything working great except log out. When a user logs out of my system, it initiates the end session call back to Okta to log the user out. My problem is that the Identity Server is sending a session id along with the post logout redirect uri for context, but Okta refuses to accept the redirect uri because it is not known. I've tried multiple variations in the setup in Okta for this url but because the id value is dynamic, I'm not able to specify an exact url. Is there a way to have it support any urls that are going to a specific hostname or even up to the page path? I've tried adding my host into the API security area for trusted origins but it did not work either. I've also tried overriding the postback url for my system to be a static page, but then the IdentityServer Signout message cookie is never cleaned up correctly. This same code works without any problems when running for Azure as the IDP. Has anyone run into this before and have any thoughts? Any help is appreciated.
An example of the post to Okta at signout with the postback url is something like this,
https://dev-xx.oktapreview.com/oauth2/default/v1/logout?post_logout_redirect_uri=https%3a%2f%2fmyurl.com%2fidp%2flogout%2f%3fid%3d83617adbc6769e5d4d0fbca4dced3991&max_age=5&id_token_hint=eyJraWQiOiJ1aXJYc1RYTkTVVGenBXU1JfMWt6WndNSXBQQUVqT0dndWhjbloxR3pNIiwiYWxnIjoiUlMyNTYifQ.….gvG_8dnlAMr9XI-atCjIKVF04L4oMzerXmeT0BAG76RLle-q2pgb8PDvV4cTicLH16QLzboSgocC6t6WoegbUeJLLuzZHd2rQkm8Y4iRheoV05uKhd2mpLA9LyexlJ9oVJ8Xi_D4BqN_bygphAv79B4L8-Ezz3YgGDmSkK3WutB55_r_7XM0OCCCetvNu4S8KXbKHUxgg5cpQ6y7o-d5eIH6I8bpoOoA0gy7Liwsm7IyQUe5_jdorObgBHIEfDx4mjNRENJUQ7InASwbL7eND7COZYyXRwzn7vHU0_XkBaUW9wsY-VJUaihOwEcgVS1MPbGLoSUY9k0TmcUVN3-Q&state=83617adbc6769e5d4d0fbca4dced3991&x-client-SKU=ID_NET&x-client-ver=1.0.40306.1554
The id=83617... is what is tripping up Okta from trusting the redirect url. I've tried adding all of these combinations of urls into the logout redirect uri setup and none let it accept it,
https://myurl.com/idp/logout/
https://myurl.com/idp/logout/?id=
https://myurl.com/idp/logout?id=
https://myurl.com
https://myurl.com/
https://myurl.com/idp
https://myurl.com/idp/
https://myurl.com/idp/logout
None seem to work.
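Every variant listed above differs from the URI actually sent (which carries `?id=...`), and a provider that compares redirect URIs by exact string match will reject all of them. That strictness is deliberate: it stops a logout or login response from being steered to a URI the application owner never registered. The usual way to reconcile it with per-request context is to keep the registered redirect URI fixed and carry the dynamic value in `state`, which the provider echoes back unchanged (the logout URL above already sends a `state` equal to the id). The example below is added here and is not code from the poster, from Okta or from IdentityServer; the exact-match comparison is an assumption about Okta's behaviour that is consistent with the poster's report, and the hostnames are the placeholders from the post.

```python
"""Static post-logout redirect URI with per-request context in `state` (added example)."""
from urllib.parse import parse_qs, urlencode, urlsplit

# Entered verbatim in the provider's sign-out redirect URI list
# (hostname is the placeholder from the question).
REGISTERED_LOGOUT_REDIRECTS = frozenset({"https://myurl.com/idp/logout/"})


def redirect_uri_is_registered(presented: str, registered=REGISTERED_LOGOUT_REDIRECTS) -> bool:
    """Exact string comparison: no prefix, wildcard or query-parameter matching.

    Assumed behaviour of the provider; it is what OAuth 2.0 security guidance
    recommends and it explains why every `?id=...` variant was refused.
    """
    return presented in registered


def build_logout_url(logout_endpoint: str, post_logout_redirect_uri: str,
                     id_token_hint: str, context_id: str) -> str:
    """Compose the RP-initiated logout URL.

    The redirect URI stays constant so it can be registered once; the dynamic
    context (the poster's `id`) travels in `state` instead of in the URI.
    """
    if not redirect_uri_is_registered(post_logout_redirect_uri):
        raise ValueError("post_logout_redirect_uri is not registered verbatim")
    query = urlencode({
        "id_token_hint": id_token_hint,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": context_id,
    })
    return f"{logout_endpoint}?{query}"


def consume_logout_callback(callback_url: str, pending_states: set) -> str:
    """Recover the context id from the `state` echoed on the post-logout redirect.

    Only a state this application issued and has not yet consumed is accepted,
    so an unsolicited or replayed callback is ignored instead of being acted on.
    """
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [None])[0]
    if state is None or state not in pending_states:
        raise ValueError("unknown or replayed state on logout callback")
    pending_states.remove(state)
    return state


if __name__ == "__main__":
    # Constructed walk-through with placeholder values.
    issued = set()
    context = "83617adbc6769e5d4d0fbca4dced3991"
    issued.add(context)
    url = build_logout_url("https://dev-xx.oktapreview.com/oauth2/default/v1/logout",
                           "https://myurl.com/idp/logout/", "ID_TOKEN_PLACEHOLDER", context)
    print(url)
    # The provider redirects the browser back to the static URI with state appended.
    print(consume_logout_callback(f"https://myurl.com/idp/logout/?state={context}", issued))
```

On the application side the signout-message lookup then reads the id from `state` rather than from the path, which keeps the registered URI unchanged while still giving the callback the context it needs.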

Can you set ADFS to automatically redirect to the login page when a user receives an error?

Currently I'm trying to get Salesforce to hook up with an ADFS cluster. I have it working, but I notice when users go to their bookmarked Salesforce pages without first logging in to ADFS (that are saved past the login point of their journey through the site) they receive a general ADFS error
An error occurred. Contact your administrator for more information.
I think this error is expected since they aren't authenticated with ADFS yet.
However, when they receive this error, is there a way to have them automatically be redirected to the login page on ADFS to log into Salesforce? I want to enhance their experience so they don't see errors so much.
ADFS is on Server 2012 R2.
I fixed this by ensuring the Salesforce custom domain was published to all users and that bookmark settings were properly set.
https://help.salesforce.com/apex/HTViewHelpDoc?id=domain_name_testing_and_rollout.htm&language=en_US
https://help.salesforce.com/apex/HTViewHelpDoc?id=domain_name_login_id_prov.htm&language=en_US

Jasig CAS Single Sign Out - Logout

I'm currently making tests with the CAS server 3.5.2 and I'm facing problems with the logout.
My knowledge in these topics is limited and I don't manage to go further on that point.
I installed a CAS server and I've got 2 instances of the same java application that point to that CAS server (apologies if I don't use the adequate terms).
So, when I access the protected resources of my client application, I'm redirected to the CAS login page, I check in my DB if credentials are ok and then I access the resource. Then, if I access the same protected resource from the second instance of the client application I'm not redirected to the login page. That's perfect.
The problem is situated in the logout. To do so, I first execute a session.invalidate() and access the CAS logout page. It's ok because, from the application from which I logged out, I must login again to access the protected resources. On the other side, the second application remains connected and I can access the protected resources without logging in again.
Well, I know that the session.invalidate() is local to the first application but I thought that the CAS server would have "broadcasted" the disconnection to the other application, but no.
Is there somebody who can give me experience feedback for the single sign out topic?
First make sure that SSO is enabled in the CAS properties file, if not make sure the SSO Listener is enabled in the clients.
If they are enabled then my guess would be the issue is in either the LogoutManagerImpl.java or SamlCompliantLogoutMessageCreator.java files.
The SSO in CAS is performed through the back-channel by transmitting a SAML XML message.
I had an issue with the SSO function last year only to find out that the XML message being broadcasted had an error that prevented it from being parsed.
Finally I solved...
In web.xml, the order of filters is important. Filters for Single-sign out must be placed at the beginning.
See that section https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1#CASClientforJava3.1-OrderofRequiredFilters
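The two answers describe the same mechanism from two sides: on ticket validation the client remembers which service ticket opened which local session, and on logout the CAS server POSTs a SAML `LogoutRequest` over the back channel whose `SessionIndex` is that ticket, so the client can invalidate the matching session. The filter order matters because the listener has to see the `ticket` parameter before the validation filter consumes it, and the server's unauthenticated logout POST must be handled before an authentication filter would redirect it to the login page. The following is an added example, not code from the poster, from the Jasig CAS server or from the CAS Java client: a Python registry that mirrors what the Java client's single-sign-out listener does (an assumption about its internals). The logout message is constructed by hand in the format the CAS protocol uses.

```python
"""CAS single-sign-out back-channel receiver (added example)."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"samlp": SAMLP}


class SingleSignOutRegistry:
    """Maps the service ticket that opened a local session to that session.

    One registry per application instance; each instance only knows the
    tickets the CAS server issued to it, so each receives its own
    LogoutRequest and invalidates its own session.
    """

    def __init__(self):
        self._ticket_to_session = {}
        self.invalidated = []  # record of sessions torn down, for inspection

    def record(self, service_ticket: str, session_id: str) -> None:
        """Called when a ticket has just been validated for this session."""
        self._ticket_to_session[service_ticket] = session_id

    def handle_logout_request(self, logout_request_xml: str):
        """Process the `logoutRequest` POST parameter sent by the CAS server.

        Returns the id of the local session that was invalidated, or None when
        the ticket is unknown (session already expired, or message already
        processed, so a replayed message is harmless).
        """
        root = ET.fromstring(logout_request_xml)
        if root.tag != f"{{{SAMLP}}}LogoutRequest":
            raise ValueError("not a samlp:LogoutRequest")
        index = root.find("samlp:SessionIndex", NS)
        if index is None or not index.text:
            return None
        session_id = self._ticket_to_session.pop(index.text.strip(), None)
        if session_id is not None:
            # In a servlet container this is where HttpSession.invalidate() runs.
            self.invalidated.append(session_id)
        return session_id


def logout_message(service_ticket: str) -> str:
    """Constructed SLO message in the shape the CAS server sends (NameID is unused by CAS)."""
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed-logout-1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">'
        "<saml:NameID>@NOT_USED@</saml:NameID>"
        f"<samlp:SessionIndex>{service_ticket}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )


def broadcast_logout(registries_by_ticket: dict) -> list:
    """Simulate the CAS server notifying every service it issued a ticket to.

    registries_by_ticket maps each service ticket (constructed values) to the
    registry of the application instance that validated it.
    """
    results = []
    for ticket, registry in registries_by_ticket.items():
        results.append(registry.handle_logout_request(logout_message(ticket)))
    return results


if __name__ == "__main__":
    app1, app2 = SingleSignOutRegistry(), SingleSignOutRegistry()
    app1.record("ST-1-constructed", "JSESSIONID-app1")   # constructed ticket/session ids
    app2.record("ST-2-constructed", "JSESSIONID-app2")
    print(broadcast_logout({"ST-1-constructed": app1, "ST-2-constructed": app2}))
```

If one instance never receives or never handles the message (listener missing, filter order wrong, or the back-channel URL unreachable from the CAS server), its session survives exactly as the question describes.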

ServiceNow Single-Log-Out (ADFS) redirects back to ServiceNow and logs you in again

We have ServiceNow among other applications configured in ADFS for SSO, ServiceNow is the only app using SP Initiated signon however.
Sometimes when you log out, it behaves as it should and goes to https://adfs.example.com.au/adfs/ls/?wa=wsignout1.0 and tells you that you are signed out but sometimes instead of going to the signed out page you just get redirected back to ServiceNow, (you can see another SAML request happening and it lets you in) and your session is still logged in. Obviously this represents a security issue! The User logs out then leaves the machine without looking and the session is still open!
Anyone come across this before? It seems SP Initiated Sign On is buggy and I need to fix these log out issues for security reasons.
The wa=wsignout1.0 is intended for use with WS-Fed applications. ServiceNow as a SAML2 app should be sending a properly constructed samlp:LogoutRequest to the /adfs/ls endpoint to do a signout properly.
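The distinction in the answer is between two protocols on the same `/adfs/ls` endpoint: `wa=wsignout1.0` is a WS-Federation sign-out, while a SAML 2.0 SP ends its session with a `samlp:LogoutRequest` naming the subject and the `SessionIndex` from the assertion it received, usually delivered with the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded into `SAMLRequest`). The example below is added here and is not code from the poster, from ServiceNow or from ADFS; it builds such a request and performs the redirect-binding encoding and decoding. All identifiers are constructed placeholders (the ADFS hostname is the one from the question), and the query-string signature that ADFS normally requires on logout requests is left out so the encoding round-trip stays self-contained.

```python
"""SP-initiated SAML 2.0 LogoutRequest with the HTTP-Redirect binding (added example)."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
NS = {"samlp": SAMLP, "saml": SAML}


def build_logout_request(issuer: str, name_id: str, session_index: str,
                         destination: str, request_id: str, issue_instant: str) -> str:
    """Serialize a samlp:LogoutRequest; values are set as element text so they are XML-escaped."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": issue_instant, "Destination": destination,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}).text = name_id
    # SessionIndex must be the value from the assertion the IdP issued at login,
    # otherwise the IdP cannot tell which session to end.
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def encode_redirect_binding(xml_text: str) -> str:
    """Raw DEFLATE (no zlib header) then base64, as the Redirect binding specifies."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_binding(value: str) -> str:
    """Inverse of encode_redirect_binding; useful when inspecting a captured SAMLRequest."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def parse_logout_request(xml_text: str) -> dict:
    """Pull the fields an IdP keys on out of a LogoutRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": root.findtext("saml:NameID", namespaces=NS),
        "session_index": root.findtext("samlp:SessionIndex", namespaces=NS),
        "destination": root.attrib.get("Destination"),
    }


def build_redirect_url(slo_endpoint: str, xml_text: str, relay_state: str = None) -> str:
    """Compose the browser redirect. A real deployment adds SigAlg and Signature
    over the query string; ADFS normally requires logout requests to be signed."""
    params = {"SAMLRequest": encode_redirect_binding(xml_text)}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{slo_endpoint}?{urlencode(params)}"


if __name__ == "__main__":
    xml_text = build_logout_request(
        issuer="https://servicenow.example.test",          # constructed SP entity id
        name_id="user@example.test",                      # constructed subject
        session_index="_constructed-session-1",           # constructed SessionIndex
        destination="https://adfs.example.com.au/adfs/ls/",
        request_id="_constructed-request-1",
        issue_instant="2020-01-01T00:00:00Z",
    )
    print(build_redirect_url("https://adfs.example.com.au/adfs/ls/", xml_text))
    print(parse_logout_request(decode_redirect_binding(encode_redirect_binding(xml_text))))
```

Decoding the `SAMLRequest` of the request ServiceNow actually sends (with `decode_redirect_binding`) is a quick way to check whether it is a `LogoutRequest` carrying the right `SessionIndex` or something else entirely.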

Force reauthenticate with adfs

I have seen a similar post but that was more related to ASP. I will explain my situation below.
I am developing a SP(Relying Party) and integrating with ADFS (IDP). Since I am in the integration phase, I want ADFS to forget that I have previously authenticated so that each time I hit the ADFS endpoint (/adfs/ls) with AuthnRequest, I want it to ask for my credentials.
I believe ADFS by default, remembers clients by their remote IP/host name so clearing cookies on client machine does not help. There was a post that gave a link to logout from IDP (https:///adfs/ls/?wa=wsignout1.0&wreply=https:///adfs/ls/?wa=wsignoutcleanup1.0). The ADFS says I have been logged out but when I hit ADFS endpoint, ADFS redirects back to SP with successful AuthResponse.
Can you please tell me how to force reauthenticate/logout on ADFS or point me to the right articles?
The FederatedPassiveSignInStatus control (which should be part of VS if you've installed all the WIF stuff) will help you. Add it to your app. and clicking it will log you out of everything.
Also AD FS: How to Invoke a WS-Federation Sign-Out
Add wfresh=0 as a URL parameter.
This parameter indicates "freshness requirements".
According to the spec:
If specified, this indicates the desired maximum age of authentication specified in minutes.