Is there a way to revoke/invalidate a user's CAS session from a client application without the user visiting the CAS server's logout page?
The situation is that a user could be accessing 1-n services that all authenticate off the CAS server. One of those client services is in charge of user accounts, and sometimes needs to terminate an account. If that user is logged in to 1-n other services, those sessions need to be immediately destroyed. Normally this is accomplished by the user clicking "logout", but if the user isn't present, that's not possible.
I think you have to check regularly if the ticket has expired or not.
Check this subject
CAS and Spring-Security: regularly check if a ticket has expired
(Background: I am trying to use my website hosted on wix as a simple identity provider so my members can access a separate sveltekit app I am creating--without logging in again--on a separate server because I do not think I can create the app on the wix platform. Basically I just need the user id, but I would like to also ensure they are in fact authenticated on my Wix hosted site before granting access).
In multiple pages explaining single sign-on, it is explained that when my browser requests a protected resource from a web server, the server can (if it is configured to do so) verify my identity via a separate identity provider. This is done via a redirect to the identity provider. If I am not authenticated by the identity provider, I am asked to authenticate (by entering username and password, or whatever).
Once I am authenticated (by logging in or by verifying the presence of a valid session id on the identity provider's server from a prior login), the identity provider then "redirects with token" or a "token can be passed to the original domain by a redirect" according to these web sites I have encountered.
But what does it mean to "redirect with token"? This conflicts with other reading I have done which points out that redirects cannot have authentication or other headers or data associated with them.
How does it come to pass that (1) the web server I made my original request from gets my token from the identity provider while at the same time (2) returning my requested resource to my browser instead of back to the identity provider's server?
"Redirect with token" is a common method used in single sign-on (SSO) systems to authenticate users. In this method, when a user tries to access a protected resource on a server, the server redirects the user's browser to the SSO login page, along with a token that identifies the resource being accessed and the server that is requesting authentication.
The user then enters their login credentials on the SSO login page. If the credentials are correct, the SSO system authenticates the user and sends them back to the original server, along with a token that indicates that the user has been authenticated. The server checks the token to confirm that the user has been authenticated, and if the token is valid, the user is granted access to the protected resource.
Redirecting with a token is a secure and efficient way to authenticate users across multiple servers, as it allows the servers to rely on the SSO system to authenticate users and eliminates the need for each server to store and manage its own set of login credentials.
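The answer above says the token travels "with" the redirect; the mechanism is that the token is part of the redirect URL itself, so the browser carries it to the application in the query string of a plain GET, and the application never needs a header from the redirect response. The following is an added illustration, not code from the question or answer: a constructed SSO server and application that exchange an HMAC-signed token through two redirects. The hostnames, the shared secret and the token format are assumptions for the example; a real identity provider would sign a SAML assertion or JWT with its own key instead.

```python
import hashlib
import hmac
import json
import secrets
from base64 import urlsafe_b64decode, urlsafe_b64encode
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed for this example: a secret shared between the SSO server and the
# application. Real SSO systems sign the token with the IdP's private key (SAML
# assertion, JWT); the HMAC here stands in for that signature.
SSO_SHARED_SECRET = b"example-shared-secret-not-for-production"
SSO_LOGIN_URL = "https://sso.example.test/login"            # assumed IdP address
APP_CALLBACK_URL = "https://app.example.test/sso/callback"  # assumed app address


def _b64(data: bytes) -> str:
    return urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_login_redirect(requested_path: str) -> str:
    """Step 1: the app has no session for this browser, so it answers with a
    redirect to the SSO login page. A redirect carries no headers or body into
    the next request; everything the IdP needs rides in the query string."""
    query = urlencode({"return_to": APP_CALLBACK_URL, "next": requested_path})
    return f"{SSO_LOGIN_URL}?{query}"


def sso_issue_redirect(user_id: str, return_to: str, next_path: str, now: float) -> str:
    """Step 2: after the user authenticates, the IdP redirects the browser back
    to the app. The token is part of the URL, which is why 'redirect with token'
    needs no headers: the browser simply GETs this address."""
    payload = {"sub": user_id, "aud": return_to, "exp": now + 300,
               "nonce": secrets.token_hex(8)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SSO_SHARED_SECRET, body.encode(), hashlib.sha256).digest())
    query = urlencode({"token": f"{body}.{sig}", "next": next_path})
    return f"{return_to}?{query}"


def app_handle_callback(callback_url: str, now: float) -> Optional[dict]:
    """Step 3: the app receives the browser's GET, pulls the token out of the
    query string, verifies it, and only then creates its own session. It never
    talks to the IdP's server in this flow; the browser is the courier."""
    parts = urlsplit(callback_url)
    params = parse_qs(parts.query)
    token = params.get("token", [""])[0]
    if "." not in token:
        return None
    body, sig = token.rsplit(".", 1)
    expected = _b64(hmac.new(SSO_SHARED_SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered token
    payload = json.loads(_unb64(body))
    this_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if payload["exp"] < now or payload["aud"] != this_url:
        return None  # expired, or a token issued for a different site
    # The app mints its own session cookie value; the SSO token is not reused.
    return {"user": payload["sub"],
            "session_id": secrets.token_hex(16),
            "next": params.get("next", ["/"])[0]}
```

The audience check (`aud`) is what stops a token captured from one application's redirect from being presented to another, and the short expiry limits how long a URL leaked through browser history or a referrer is useful; both checks belong on the application side, since it is the party that trusts the token.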
I have a problem as below:
I have application A (A is a Java web application). App A is used for selling the GUN to the customer.
In App A, the user has a role:
- S (Salesperson): this is the normal user.
- M (Manager): allows the user to approve when a Salesperson transfers a GUN to a customer.
App A is deployed on Weblogic 12C.
On Weblogic, I am using SAML to integrate with ADFS (ADFS: Active Directory Federation Services).
The first time the Salesperson accesses application A, Weblogic redirects to the login page of ADFS.
After a successful login, Weblogic redirects back to application A.
The login to app A succeeds.
Next, the Salesperson transfers a GUN to the customer. When the Salesperson is transferring, I need the Manager to approve.
Therefore, I need to display the login form for the Manager to log in.
After the Manager logs in successfully, if the user has role M, the Salesperson can transfer the gun to the customer. Otherwise, I display an error message.
My Problem:
Step 6: How can I display the login page of ADFS?
Step 7: How can I check the role of the user after login success?
Can you help me out? Thank you so much!
If you only have one application, you can't do this.
Only one person can be logged in at a time.
After that, the cookie says the user is authenticated so you don't get another login screen.
Run the application in two different browsers.
Then when the manager opens his browser, he will be asked to login.
Update
Each application is a relying party (RP) in ADFS. Each RP has its own set of cookies so they don't clash.
So configure e.g. two RP in ADFS, one for each application.
I am implementing a SSO using SimpleSAMLPhp Service Provider.
I provided my metadata to remote Shibboleth Identity Provider and was provided a test account.
When a user visits a specific page on my SP, they get redirected to the IdP, login, and are redirected back to my web site with a bunch of IdP provided attributes. This part works.
This is the part I am struggling with.
If the user authenticates with the same IdP through a different Service Provider and then visits my page, how do I know they are already authenticated? Currently I am being asked to login again.
Is there a configuration value somewhere that lets me do this? Or am I using the wrong method? This is what I am doing.
```php
// REMOTE_AUTHSOURCE is the placeholder from the question: the name of the SAML
// authsource configured for the remote IdP.
$as = new SimpleSAML_Auth_Simple('REMOTE_AUTHSOURCE');
$as->requireAuth(); // redirects to the remote IdP login if there is no local session yet
$attributes = $as->getAttributes(); // attributes released by the IdP in the assertion
```
Thanks.
There are two separate authentication sessions to consider. One session is in your app and the other is at the IdP. The requireAuth method can tell if the user already has an authenticated session in your application, and will return immediately in that case.
There is no way for you to tell if a browser has a session at the IdP. You just call requireAuth, which sends the user there, and if the IdP decides the user's session is still valid it will respond without prompting for login.
Are you saying that the user has a valid session at the IdP and they are being re-prompted to authenticate when you send the user there? That could be due to IdP policy, or if your app was sending something like 'forceAuth' in its AuthnRequest.
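The two-session picture in the answer above is easiest to see when both sides are modelled side by side. The following is an added example, not SimpleSAMLphp's or any IdP's code: a constructed browser, IdP and two service providers, where `require_auth` mirrors what `requireAuth()` does (local session first, IdP round trip otherwise) and the IdP answers silently when the browser already holds a valid IdP session unless the request sets ForceAuthn. Hostnames and the cookie handling are assumptions for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed model (not SimpleSAMLphp's code) of the two sessions involved:
# the application's own session, which requireAuth() checks first, and the
# session the browser holds at the IdP, which only the IdP can see.


@dataclass
class Browser:
    credentials: Dict[str, str]                              # what the user would type in
    cookies: Dict[str, str] = field(default_factory=dict)    # host -> cookie value


@dataclass
class IdentityProvider:
    host: str = "idp.example.test"                           # assumed IdP hostname
    sessions: Dict[str, str] = field(default_factory=dict)   # IdP cookie -> user
    requests: int = 0                                        # AuthnRequests received

    def handle_authn_request(self, browser: Browser, force_authn: bool,
                             prompts: List[str]) -> str:
        """Answer an SP's AuthnRequest: silently if the browser already has a
        valid IdP session and the request did not set ForceAuthn, otherwise by
        showing the login form first."""
        self.requests += 1
        cookie = browser.cookies.get(self.host)
        if cookie in self.sessions and not force_authn:
            return self.sessions[cookie]
        prompts.append("login form shown")
        user = browser.credentials["user"]                   # simulated successful login
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = user
        browser.cookies[self.host] = cookie
        return user


@dataclass
class ServiceProvider:
    host: str
    idp: IdentityProvider
    force_authn: bool = False                                # like 'forceAuth' in the answer
    sessions: Dict[str, str] = field(default_factory=dict)   # SP cookie -> user

    def require_auth(self, browser: Browser, prompts: List[str]) -> str:
        """Mirror of requireAuth(): return at once if this app already has a
        session for the browser; otherwise send the browser to the IdP and
        start a local session from the assertion it brings back."""
        cookie = browser.cookies.get(self.host)
        if cookie in self.sessions:
            return self.sessions[cookie]
        user = self.idp.handle_authn_request(browser, self.force_authn, prompts)
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = user
        browser.cookies[self.host] = cookie
        return user
```

Run against one browser, the first SP prompts for credentials, a second SP gets the user back from the IdP without a prompt (the IdP session does the work, not anything the SP can inspect), a repeat visit to the second SP never leaves the application, and an SP configured with ForceAuthn is prompted again regardless of the IdP session, which is the "re-prompted" case the answer mentions.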
I am integrating against a CAS server. User logs into there, gets forwarded to a script which does the CAS validation, gets the User and logs them in. This all works fine.
Part of the spec for the integration is to ensure we ping the CAS server every 60 seconds, to ensure the user does not get logged out at the 'parent' CAS server, as they are still active.
Is there something built into the CAS setup for this purpose? I've been looking through the CAS documentation and the phpCAS client to no avail. There's a renewAuthentication method but it causes the user to have to login again when called. Perhaps this is just a configuration issue at the server side though?
There is no way for you to ping the CAS server on behalf of the user as your application should not have access to the token identifying the user's session. The default policies automatically extend the user's single sign on session every time the user requests a new service ticket from the CAS server.
However, if you do have the TGT (which you really, really, really should avoid), you can basically request a service ticket for the user, and that would extend the life of the single sign on session (though if you did this, you would not need to do it every 60 seconds, as that's rather extreme).
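Both the first question on this page (terminating a user's CAS session from an application) and this one (keeping the session alive) come down to how the ticket-granting ticket behaves at the CAS server. The following is an added model, not the CAS project's code: a constructed CAS server in which the TGT has a sliding idle timeout and a hard maximum lifetime, every service ticket grant counts as activity and extends the idle window (the default policy the answer describes), service tickets are single-use and service-bound, and destroying the TGT server-side makes every later grant fail, so an application that re-checks through CAS sees the session is gone. The timeout values and ticket formats are assumptions for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed model of CAS ticket handling (not the CAS project's own code).
# The ticket-granting ticket (TGT) is the SSO session at the CAS server and only
# the browser's CAS cookie refers to it; a service ticket (ST) is what an
# application receives and validates. The timeouts below are assumed values.
IDLE_TIMEOUT = 2 * 60 * 60   # assumed: TGT dies after 2h without activity
MAX_LIFETIME = 8 * 60 * 60   # assumed: TGT dies 8h after login regardless
ST_LIFETIME = 10             # assumed: an ST must be validated within 10s


@dataclass
class Tgt:
    user: str
    created: float
    last_used: float


@dataclass
class St:
    tgt_id: str
    service: str
    issued: float


class CasServer:
    def __init__(self) -> None:
        self.tgts: Dict[str, Tgt] = {}
        self.sts: Dict[str, St] = {}

    def login(self, user: str, now: float) -> str:
        """Primary authentication: create the SSO session (TGT)."""
        tgt_id = "TGT-" + secrets.token_hex(8)
        self.tgts[tgt_id] = Tgt(user, now, now)
        return tgt_id

    def tgt_is_valid(self, tgt_id: str, now: float) -> bool:
        """Sliding expiration: the TGT is alive while it has been used within
        IDLE_TIMEOUT and is younger than MAX_LIFETIME."""
        tgt = self.tgts.get(tgt_id)
        if tgt is None:
            return False
        if now - tgt.last_used > IDLE_TIMEOUT or now - tgt.created > MAX_LIFETIME:
            del self.tgts[tgt_id]
            return False
        return True

    def grant_service_ticket(self, tgt_id: str, service: str, now: float) -> Optional[str]:
        """Called when the browser (holding the TGT cookie) is sent to CAS by an
        application. Each grant counts as activity and extends the SSO session."""
        if not self.tgt_is_valid(tgt_id, now):
            return None
        self.tgts[tgt_id].last_used = now
        st_id = "ST-" + secrets.token_hex(8)
        self.sts[st_id] = St(tgt_id, service, now)
        return st_id

    def validate_service_ticket(self, st_id: str, service: str, now: float) -> Optional[str]:
        """Application-side validation call: STs are single use, bound to one
        service, and short-lived. Returns the user id or None."""
        st = self.sts.pop(st_id, None)
        if st is None or st.service != service or now - st.issued > ST_LIFETIME:
            return None
        tgt = self.tgts.get(st.tgt_id)
        return tgt.user if tgt is not None else None

    def destroy_tgt(self, tgt_id: str) -> bool:
        """Server-side end of the SSO session (what logout does at the CAS
        server). Afterwards no new STs can be granted from it, so an application
        that periodically re-checks through CAS sees that the session is gone."""
        return self.tgts.pop(tgt_id, None) is not None
```

Note that the application in this model never holds the TGT: it only ever sees STs, which is why the answer says the application has nothing it could "ping" with, and why the browser has to be involved in any keep-alive or re-check.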
Is it possible to have multiple concurrent OAuth authorized connections from a single user ID to a single application?
ex. User ID abc#company.com authorizes access to application XYZ (via Step 2 of https://ipp.developer.intuit.com/0010_Intuit_Partner_Platform/0025_Intuit_Anywhere). The action is performed again where the user authorizes access to application XYZ. Both tokens captured remain valid for use in the future.
Currently, a subsequent OAuth authorization invalidates the token from a previous OAuth authorization.
The connection is between the data in the cloud (realm) and the application, and there can only be one per realm. If the same user tries to authorize, the Company will not show up in the selection screen as it has already been chosen.
If another user from the same company tries to do it they will get an error that the company is already connected.
It's not a technical limitation; it's how the connections are billed. You would not want multiple connections to the same realm from a billing point of view.
If you can tell me what your use case is, I can point you in the right direction, as I am not sure why you would want multiple OAuth connections to the same data set.
thanks
Jarred