I have a question regarding SAML 2.0 and SLO.
During SLO, as an IdP we're initiating the logout and sending a logout request to the SP, and the SP is sending back a logout response. We're getting a partial logout on the IdP side and the user is getting logged out on the IdP side; however, if I go back to the SP site, I am still logged in.
Is this an issue on the IdP side or the SP side? By that I mean, should the SP terminate the session and send the logout response to the IdP, or is it the IdP's job to terminate the sessions on both sides?
Thanks
The SP session is the responsibility of the SP. They should kill their session before returning the LogoutResponse to the IdP.
I have set up two SPs (service providers) with an ADFS server.
Currently I can logout well in each SP. However I would like to implement that once the IdP receives logout request, it will invalidate the login session from all the SPs.
Could it be achieved?
NOTE : I am implementing with SAML 2.0 and ADFS(3.0)
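As an added example (not code from either poster, nor from ADFS or any SAML library), the following Python sketch puts both halves of the exchange discussed above side by side: the IdP fans out one LogoutRequest per SP it has a session with and collects the LogoutResponses, while the SP's logout handler terminates its own local session before answering. The entity IDs, SLO URLs, session indexes, user name and the in-memory session stores are all constructed for the example; signature verification and HTTP transport are assumed to happen outside the functions shown (a real SP must never act on an unverified LogoutRequest).

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 2.0 namespaces and the status URIs used below.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"


def _instant():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(issuer, destination, name_id, session_index):
    """IdP side: a LogoutRequest for one SP. Returns (request_id, xml)."""
    rid = "_" + uuid.uuid4().hex
    xml = (f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{rid}" Version="2.0" IssueInstant="{_instant()}" Destination="{destination}">'
           f'<saml:Issuer>{issuer}</saml:Issuer><saml:NameID>{name_id}</saml:NameID>'
           f'<samlp:SessionIndex>{session_index}</samlp:SessionIndex></samlp:LogoutRequest>')
    return rid, xml


def build_logout_response(issuer, in_response_to, status):
    """A LogoutResponse answering the request whose ID is in_response_to."""
    return (f'<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_instant()}" '
            f'InResponseTo="{in_response_to}"><saml:Issuer>{issuer}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status></samlp:LogoutResponse>')


def sp_handle_logout_request(xml, sessions, sp_entity_id):
    """SP side: end every local session for the subject FIRST, then answer.
    sessions: dict session_cookie -> {"name_id": ..., "session_index": ...}.
    The request is assumed to have been signature-checked before this is called."""
    req = ET.fromstring(xml)
    name_id = req.findtext("saml:NameID", namespaces=NS)
    indexes = {e.text for e in req.findall("samlp:SessionIndex", NS)}
    for cookie, sess in list(sessions.items()):
        if sess["name_id"] == name_id and (not indexes or sess["session_index"] in indexes):
            del sessions[cookie]  # the SP session dies here; the IdP cannot do this for the SP
    return build_logout_response(sp_entity_id, req.get("ID"), SUCCESS)


def idp_logout_everywhere(idp_entity_id, idp_sessions, name_id, transports):
    """IdP side: send a LogoutRequest to each SP recorded in the user's IdP session,
    check every LogoutResponse, then drop the IdP session. transports maps
    sp_entity_id -> callable(request_xml) -> response_xml (HTTP in real deployments).
    Returns (overall_status, {sp_entity_id: status})."""
    results = {}
    for sp, (slo_url, session_index) in idp_sessions[name_id].items():
        rid, request = build_logout_request(idp_entity_id, slo_url, name_id, session_index)
        try:
            resp = ET.fromstring(transports[sp](request))
            code = resp.find("samlp:Status/samlp:StatusCode", NS).get("Value")
            # A response that does not answer our request counts as a failure.
            results[sp] = code if resp.get("InResponseTo") == rid else RESPONDER
        except Exception:
            results[sp] = RESPONDER
    del idp_sessions[name_id]  # the IdP's own session ends regardless of what the SPs answered
    overall = SUCCESS if all(c == SUCCESS for c in results.values()) else PARTIAL
    return overall, results


def demo():
    """Constructed scenario: sp-a implements SLO correctly; sp-b answers with a
    Responder error and never ends its local session, so the IdP reports PartialLogout
    while the user stays logged in at sp-b."""
    user = "alice@example.com"
    sp_a_sessions = {"cookieA": {"name_id": user, "session_index": "idx-1"}}
    sp_b_sessions = {"cookieB": {"name_id": user, "session_index": "idx-2"}}
    idp_sessions = {user: {"sp-a": ("https://sp-a.example/slo", "idx-1"),
                           "sp-b": ("https://sp-b.example/slo", "idx-2")}}
    transports = {
        "sp-a": lambda xml: sp_handle_logout_request(xml, sp_a_sessions, "sp-a"),
        "sp-b": lambda xml: build_logout_response("sp-b", ET.fromstring(xml).get("ID"), RESPONDER),
    }
    overall, per_sp = idp_logout_everywhere("https://idp.example", idp_sessions, user, transports)
    return overall, per_sp, sp_a_sessions, sp_b_sessions, idp_sessions
```

The point the sketch makes is the one in the answer above: the IdP can only ask, and only learn from the StatusCode what each SP claims; whether the SP session actually ends is decided inside `sp_handle_logout_request`, which runs on the SP. An SP that answers before (or without) deleting its session leaves the user logged in there no matter what the IdP does.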
I currently maintain an in-house SAML IDP written utilising LightSaml. This has served the company well for the last 2 years working with SP initiated SSO. I have recently been tasked with implementing IDP initiated SSO and I'm not able to work out how the user is automatically redirected to the desired protected page once they're authenticated.
In SP initiated SSO, the user starts at the page they want, therefore the SP knows where they want to end up after being authenticated. So in this case, the SP handles the final redirection.
In IDP initiated SSO, the SP doesn't actually know what protected page the user wants, so could someone explain what happens after the IDP sends the auth response to the SP?
Thanks in advance.
In IdP-initiated SSO, along with the SAML response, the IdP can send relay state. This relay state is the URL the SP should redirect to once SSO completes. If no relay state is sent, the SP will most likely redirect to some default page.
A typical scenario is that the IdP has a portal page with one or more links representing different pages at the SP. If the user clicks link #1, the IdP initiates SSO to the SP and sets the relay state to the page #1 URL. If the user clicks link #2, the IdP initiates SSO to the SP and sets the relay state to the page #2 URL.
In SAML, if the SP sends a RelayState parameter during an SP-initiated SSO login, the IdP (OneLogin) should send the RelayState back exactly as the SP sent it. This can be used to navigate to a particular page, etc.
However, OneLogin doesn't seem to be sending it back. When configuring a OneLogin app, the configuration has a field called RelayState. I've never needed it before now, so I've left that empty, thinking it's the 'default' RelayState in case the SP doesn't send one or in case it's an IdP-initiated login, but this doesn't seem to be the case.
Is there a way to get OneLogin to send back the RelayState the SP sent during an SP-initiated login? Do I need to add some variable/tag in this RelayState app configuration field? As an aside, even if I put something random in the RelayState field, OneLogin does not send it to the SP, even on an IdP-initiated login (so maybe I need to turn it on somewhere I'm not seeing).
I tested here using our SP application and OneLogin without any issues. The relay state included with the SAML authn request was returned by OneLogin with the SAML response.
My understanding is that the relay state that can be configured in OneLogin is for IdP-initiated SSO only. I've left this blank. There was no special setting required in OneLogin to get it to correctly return the relay state as part of SP-initiated SSO.
Are you sending the authn request using HTTP-Redirect or HTTP-Post?
Either should work. I suggest double checking the RelayState parameter is included correctly with the authn request.
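As an added example (not from either answer above, and not OneLogin's or any SP library's code), the following Python shows how an SP can consume RelayState in the two flows these threads describe: for SP-initiated SSO it issues an opaque token bound to the AuthnRequest ID and expects the IdP to echo it unchanged; for IdP-initiated SSO it treats the value the IdP portal link carried as untrusted input and only redirects to it if it resolves to the SP's own origin, falling back to a default page otherwise. The SP origin, landing page, request IDs and URLs are constructed for the example; `idp_echo_relay_state` only models the conforming IdP behaviour the second answer describes.

```python
import secrets
from urllib.parse import urljoin, urlsplit

SP_ORIGIN = "https://sp.example"   # assumed SP origin for this example
DEFAULT_LANDING = "/home"           # where users land when no usable RelayState exists
MAX_RELAYSTATE_BYTES = 80           # SAML 2.0 Bindings limit on the RelayState value

# SP-initiated flow: opaque RelayState token -> (AuthnRequest ID, wanted URL), kept server-side.
pending_logins = {}


def start_sp_initiated_login(target_url, authn_request_id):
    """Issue an opaque RelayState for an AuthnRequest instead of putting the URL on the wire."""
    token = secrets.token_urlsafe(32)  # 43 URL-safe chars, well under the 80-byte limit
    pending_logins[token] = (authn_request_id, target_url)
    return token


def idp_echo_relay_state(incoming_relay_state, configured_default):
    """Conforming IdP behaviour: return the SP's RelayState unchanged for SP-initiated SSO;
    the IdP's configured value is only used when the SP sent none (IdP-initiated)."""
    return incoming_relay_state if incoming_relay_state else configured_default


def normalize_local_url(url):
    """Return an absolute URL on SP_ORIGIN, or None if url points anywhere else.
    urljoin resolves relative, protocol-relative (//evil.example) and absolute
    values so the scheme/host comparison below sees the real destination."""
    if not url:
        return None
    parts = urlsplit(urljoin(SP_ORIGIN, url))
    origin = urlsplit(SP_ORIGIN)
    if (parts.scheme, parts.netloc) != (origin.scheme, origin.netloc):
        return None
    if not parts.path.startswith("/"):
        return None
    return parts.geturl()


def resolve_post_sso_redirect(relay_state, in_response_to):
    """Where the SP redirects after a SAML Response it has ALREADY validated.
    in_response_to: the Response's InResponseTo attribute (None for IdP-initiated)."""
    if in_response_to is not None:
        # SP-initiated: RelayState must be the token we issued for exactly this AuthnRequest.
        entry = pending_logins.pop(relay_state, None)
        if entry is None or entry[0] != in_response_to:
            # Missing (IdP dropped it), forged, bound to another request, or already used.
            return normalize_local_url(DEFAULT_LANDING)
        target = entry[1]
    else:
        # IdP-initiated: RelayState is whatever the IdP portal link carried; untrusted.
        target = relay_state
        if target and len(target.encode("utf-8")) > MAX_RELAYSTATE_BYTES:
            target = None
    return normalize_local_url(target) or normalize_local_url(DEFAULT_LANDING)
```

Keeping the real URL server-side in the SP-initiated case means the RelayState on the wire carries nothing an attacker can point somewhere else, and the InResponseTo check ties the token to the one AuthnRequest it was minted for. For IdP-initiated SSO the SP has no such record, so the value the portal supplied has to pass the same-origin check before it is used as a redirect target.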
My customers land on my ADFS IdP-initiated login page. They get authenticated and redirected to the SP. Everything looks nice. But I have a few extra users that are not part of the IdP database (AD domain). I would like to authenticate them locally in my SP, but they are never redirected there. They get stuck in ADFS with "wrong username/password".
Is it possible to send a SAML message with some "user not found" message to the SP?
I'm using ADFS 3.0
Thank you very much for all ideas and suggestions.
No - that's not the way most IdPs work.
You can't leave the login page until you are authenticated.
What you can do is add another IDP for your other users e.g. Identity Server 3 and then federate it with ADFS.
When the user is viewing the SP and he clicks the "Login" button, a popup pointing to the IDP's login form is opened. After the user provides their username/password and submits the login form within the popup, assuming the credentials are valid, how can I get the SAML assertion generated by the IDP back to the SP. Can I use window.postMessage?
The response (including the SAML assertion) of the IdP will be sent to the Assertion Consumer Service URL of your SP. At this point you can do everything you want with it and, assuming the SAML assertion is correct, create an authenticated login session at the SP level.
Depending on your use case you could now exit the popup and refresh (maybe partially) the parent window so it will pick up the logged-in user. You could use the window.opener object to call a function on the parent window. The main use of window.postMessage is to send data between windows/frames across domains. But because you are receiving the response on an SP URL, you should not need this.
Based on your story I am wondering if you are doing an SP-initiated SSO by sending an AuthnRequest to the IDP?