I have saml on ADFS. Everything works fine but I have more then one relying party trust. Then when I log in to my one webapp (relying party trust) and log out everything is fine.
But when I log in to first web app and then to second one I can se that on adfs I have cookie: samleSession that combines two sessions and then when I logout from first web app I'm redirected to logout page on second web app and cookies from web site one are not deleted.
Also on ad fs site I can see that there is samllogout cookie. From that moment it is impossible to logoiut from any app.
What am I doing wrong?
Have you configured the logout URL on ADFS for both apps.?
The way it works is single logout.
When it logs you out of one app., you are logged out of all.
When app1 send a logout request, ADFS deletes the cookies and send a logout response to all apps it knows about.
The apps must then delete their local cookies.
Related
We have a Keycloak 18.0.2 with realms integrated to external IdP (Okta / Ping / Azure). In one realm we started seeing lots of IDENTITY_PROVIDER_LOGIN_ERROR / cookie_not_found in login events. And had users reporting that they were only able to login if they cleared their browser’s cache and cookies.
We found some ways to reproduce this behaviour in dev environment:
Multiple browser tabs:
At the browser, tab 1, user opens application menu-navigator and is redirected to the External SSO login page (after Keycloak auth flow redirection). We see this login page being initialized with cookie KC_RESTART (auth endpoint).
At the same browser, tab 2, user opens application dashboard-frontend and follows a similar flow as previous app.
Both websites are written in Vue.JS and are using oidc-client-ts library. When initialized, OIDC lib loads the realm metadata, creates a user storage, and executes signin flow. After user is authenticated and has an active session KC_RESTART cookie is expired.
As a result, when user back to tab 1 which is opened at step and try to login, user encounters an error since system cannot find authentication session and then try to use KC_RESTART cookie to reset authentication session however the cookie is even not there since it is expired at step c.
Then user is redirected to Keycloak and sees the Cookie not found message.
Stale sessions:
User opens the application (menu-nav or dashboard), sign in, do some operations, and close the tab.
Users opens the application again in a moment between Session Idle and Session Max timeouts.
User is redirected to Keycloak and sees the Cookie not found message.
We’ve seen the message in other situations, but we couldn’t consistently reproduce.
While we were debugging this problem, we saw a Keycloak redirection to applications call-back endpoint with erro=login_required. So, we decided to handle this and other possible errors trying to make the client app do a silent signin or do a signin redirect if signin silent fails.
This seems to be effective to that error and now we see some IDENTITY_PROVIDER_LOGIN_ERROR / expired_code which we believe it’s OK and associated with the session max timeout and makes user go to the SSO login screen.
Any thoughts about this?
I have one java app in which the user logs in. In one functionality of the app, when the user clicks on one button , it will redirect to client website where user has to login in that website. If i want to do the SSO to redirect to the client website without logging in , How can i do that? I don't want to use third party IDP'S(okta, Salesforce, azure) since the user is logging into the java app, so the user is verified, is there anyway i can make the java app as an idp and do the sso by sending saml assertion directly to the client site from the java app ?
You could do this by adding a Java SAML client to your application.
A number of these can act as an IDP as well as a SP (the application).
But this is not recommended since it does not scale.
Rather use an IDP. You get SSO so the user only has to login once.
I have a Spring Security app that uses SAML. It is working fine. I go to a secured page, I get redirected to the IDP, login... success.
Now I want to have the login done "in house" as it were, with no redirection.
I want to have a login page that takes username/pass - then -- well I don't know. :)
Is there anyway to NOT have the user's browser go to the IDP, either POST the form to the IDP and then redirect back to my app?
I read in the documentation about back-channel SOAP calls, and that sounds like exactly what I want, but I can't find anything on it. Does anyone have an example of how this would be achieved?
I have four custom apps (that are SPs), using Auth0 or OneLogin as my IdP. In Auth0 I create a connector for each application. When I login to one application and then open the other application, I get redirected to Auth0 to login again.
Is it possible to log the user into my IdP (or Auth0/OneLogin) automatically on that second app without having to click the login button on Auth0, since they've already authenticated with Auth0?
There is an unfortunate need to embed the second app into the first app and it's a poor UX to have the user login to the first app and then login again in the iFrame.
Auth0 Dev here, Yes this is supported Out of the box in Auth0, for this to work you'd have to turn Use Auth0 as IdP "ON" in your Client. When doing this Auth0 will then remember the client for 10 hours upto 3 days if the client is active.
The flow in your scenario will be
User logs in to any of the application.
User visits the other application.
The other application sees no session.
The other application redirects to /authorize endpoint.
Auth0 notices the session and redirects it back to your application immediately.
This is further detailed and explained at https://auth0.com/docs/sso
SSO is not having to re-enter credentials again but you only get SSO once you redirect to the IDP and you authenticate under the hood i.e. seamlessly.
So you still have to do something to trigger the redirect.
You could programmatically redirect to a dummy page that requires authentication that then redirects via your client stack e.g. OWIN OIDC.
Also, there is no standard for the cookies so you don't get SSO across multiple IDP unless they are federated together.
So if no federation and you login to Auth0, you will still have to login to OneLogin.
I have this GWT application which login/logout to a server.
The server side is ok as it can login/logout a connection.
However I need that when the application login in with a browser, the application will stay logged in for each new instance of the application.
Use cookies on the browser to store login details. When a new tab is opened, and requests the page from the server, the cookies will be passed along automatically and you can log the user in from there.
Make sure you understand the security implications of storing login details in cookies before deploying this strategy!
You could store the information if a user has been successfully authenticated in the http session on the server side and provide a service like
public boolean isAuthenticated();
which checks that property.
Before showing any sensitive information in the client, call that service to make sure, the current user is authenticated. I would recommend not to store login credentials in a cookie.