ComponentSpace

Pass user token and validate against Identity provider
aconstante
New Member (7 reputation), Group: Awaiting Activation, Posts: 5, Visits: 53
Hi all,

I implemented the Example Service Provider using:

SAMLServiceProvider.InitiateSSO(Response, null, partnerIdP);

and

SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out userName, out attributes, out targetUrl);

and it works fine, but I need another scenario.

I need to pass (or receive) a user token and validate it against the Identity provider.

Questions:
1. How can I get the user token to send?
2. How can I pass that user token to the identity provider to validate it?

Best regards,
Anibal.
ComponentSpace
ComponentSpace Development (4.4K reputation), Group: Administrators, Posts: 3.2K, Visits: 11K
Hi Anibal
Having the service provider pass information about the user, including their credentials, to the identity provider is not supported by the SAML specification.
If you did want to do this, you would have to look at a non-standard proprietary solution and then you run into compatibility issues.
What scenario are you trying to implement?

Regards
ComponentSpace Development
aconstante
New Member (7 reputation), Group: Awaiting Activation, Posts: 5, Visits: 53
ComponentSpace - 12/20/2016
Hi Anibal
Having the service provider pass information about the user, including their credentials, to the identity provider is not supported by the SAML specification.
If you did want to do this, you would have to look at a non-standard proprietary solution and then you run into compatibility issues.
What scenario are you trying to implement?

Hello,

My scenario is this:

The user tries to access a resource; the application (service provider) redirects to the identity provider using SAMLServiceProvider.InitiateSSO(Response, null, partnerIdP);. Then the user logs in and the identity provider redirects to the assertion page, where SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out userName, out attributes, out targetUrl); is called and I store the user attributes in the session. That works fine.

My question is: once I have the user attributes stored in the session, how can I validate, from another page of the service provider, that the user is still logged in, using the user attributes against the identity provider? Just to check that the session has not expired at the identity provider.

Best regards,
Anibal.
ComponentSpace
ComponentSpace Development (4.4K reputation), Group: Administrators, Posts: 3.2K, Visits: 11K
Hi Anibal
The two authentication sessions (one at the IdP and one at the SP) are independent of each other.
Once SSO has completed, you will have two separate and independent sessions (eg different authentication cookies).
The SAML specification doesn't include a mechanism for checking if the user is still logged in at the IdP.
Generally this isn't required and it's better to keep these sessions independent.
If the SP session expires and you need to initiate SSO, either the IdP session is still current or it's expired.
If the IdP session is still current then no login will occur at the IdP and it will return a SAML response and assertion that may be used to establish a new session at the SP.
If the IdP session has expired then the user will be prompted to login at the IdP before a SAML response and assertion are returned.
If the user is active on the SP site rather than the IdP site, the IdP session could very well expire.
However, typically you don't want the SP session to expire in this case.

Regards
ComponentSpace Development
aconstante
New Member (7 reputation), Group: Awaiting Activation, Posts: 5, Visits: 53
ComponentSpace - 1/3/2017
Hi Anibal
The two authentication sessions (one at the IdP and one at the SP) are independent of each other.
Once SSO has completed, you will have two separate and independent sessions (eg different authentication cookies).
The SAML specification doesn't include a mechanism for checking if the user is still logged in at the IdP.
Generally this isn't required and it's better to keep these sessions independent.
If the SP session expires and you need to initiate SSO, either the IdP session is still current or it's expired.
If the IdP session is still current then no login will occur at the IdP and it will return a SAML response and assertion that may be used to establish a new session at the SP.
If the IdP session has expired then the user will be prompted to login at the IdP before a SAML response and assertion are returned.
If the user is active on the SP site rather than the IdP site, the IdP session could very well expire.
However, typically you don't want the SP session to expire in this case.

Hello,

I have another scenario:

I receive the request using this method: SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out userName, out attributes, out targetUrl);

How can I get the user token to make a later assertion with it against the IdP?

Best regards,
Anibal.

ComponentSpace
ComponentSpace Development (4.4K reputation), Group: Administrators, Posts: 3.2K, Visits: 11K
Hi Anibal
When you say user token, I assume you mean the SAML assertion in the SAML response from the IdP.
Typically, the SAML assertion includes a subject name identifier and optional SAML attributes.
The name identifier is returned as the userName parameter and the SAML attributes as the attributes parameter to SAMLServiceProvider.ReceiveSSO.
If the local session at the SP times out and you have to SSO again, assuming the same user logs in at the IdP, the same userName and attributes should be returned to you.
I may not have understood your question so please ask again if I haven't.

Regards
ComponentSpace Development
aconstante
New Member (7 reputation), Group: Awaiting Activation, Posts: 5, Visits: 53
ComponentSpace - 1/5/2017
Hi Anibal
When you say user token, I assume you mean the SAML assertion in the SAML response from the IdP.
Typically, the SAML assertion includes a subject name identifier and optional SAML attributes.
The name identifier is returned as the userName parameter and the SAML attributes as the attributes parameter to SAMLServiceProvider.ReceiveSSO.
If the local session at the SP times out and you have to SSO again, assuming the same user logs in at the IdP, the same userName and attributes should be returned to you.
I may not have understood your question so please ask again if I haven't.

Hello,

What I mean is: once I have called SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out userName, out attributes, out targetUrl); I get the userName and attributes, but what I need is how to verify the userName against the IdP again after 10 minutes. This is to prevent users who have been deleted or logged out from the IdP from continuing to work. If you understand the question, please provide some example code, because I checked the AssertionExample but I could not find anything related to that.

How do I verify the user every 10 minutes?

Best regards,
Anibal.
ComponentSpace
ComponentSpace Development (4.4K reputation), Group: Administrators, Posts: 3.2K, Visits: 11K
Hi Anibal
Thank you for the clarification.
This isn't supported by the SAML specification. There isn't a mechanism to be notified or to check if the user has been logged out or deleted from the IdP.
You would need to use a proprietary solution if this is required.
In most scenarios you want the login sessions at the IdP and SP to be independent.
If the login session at the IdP expires then this doesn't have to invalidate the login session at the SP.
Attempting to tie these together would add complexity and I'm not sure if this is worthwhile.
If a user is deleted at the IdP this will be picked up the next time the user attempts to SSO.
You could also look at some sort of provisioning solution to handle users being deleted at the IdP but this is outside the scope of SAML SSO.

Regards
ComponentSpace Development
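Editor's note: the two ComponentSpace answers above (independent IdP and SP sessions; a deleted or logged-out user is only caught the next time SSO runs) translate into one practical pattern on the SP side. The userName and attributes returned by ReceiveSSO cannot be "sent back" to the IdP for a check, but the SP can give its own session a short lifetime and simply run SSO again when it expires: if the IdP session is still live the round trip is silent, and if the user was logged out or deleted at the IdP the IdP prompts for login instead. The following is an added example written for this page, not ComponentSpace's own code or the asker's; it uses only the two API calls that appear in the thread (SAMLServiceProvider.InitiateSSO and SAMLServiceProvider.ReceiveSSO, whose second InitiateSSO argument is RelayState). The class name, Session keys, the 10-minute lifetime and the IDictionary<string, string> type for the attributes parameter are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using ComponentSpace.SAML2;

// Added example, not part of the original thread: an SP-side session policy
// that approximates "re-verify the user every 10 minutes" with standard SAML
// only. Session key names, MaxSessionAge and the attributes type are assumed.
public static class SpSessionPolicy
{
    // Hypothetical session keys.
    private const string UserNameKey = "saml.userName";
    private const string AttributesKey = "saml.attributes";
    private const string PartnerIdPKey = "saml.partnerIdP";
    private const string AuthenticatedAtKey = "saml.authenticatedAt";

    // How long an SP session may be used before the user is sent through SSO again.
    public static readonly TimeSpan MaxSessionAge = TimeSpan.FromMinutes(10);

    // Call from the assertion consumer page (the page on which ReceiveSSO runs).
    public static void CompleteSso(HttpContext ctx)
    {
        bool isInResponseTo;
        string partnerIdP, userName, targetUrl;
        IDictionary<string, string> attributes; // type assumed for this API version

        SAMLServiceProvider.ReceiveSSO(ctx.Request, out isInResponseTo,
            out partnerIdP, out userName, out attributes, out targetUrl);

        // Only accept a response to an AuthnRequest this SP actually sent. An
        // unsolicited (IdP-initiated) response is not a re-verification of the
        // user who owns this session.
        if (!isInResponseTo)
            throw new InvalidOperationException("Unsolicited SAML response rejected.");

        // Replace, never merge, the session contents: the old session may belong
        // to a user the IdP has since deleted or logged out.
        ctx.Session.Clear();
        ctx.Session[UserNameKey] = userName;
        ctx.Session[AttributesKey] = attributes;
        ctx.Session[PartnerIdPKey] = partnerIdP;
        ctx.Session[AuthenticatedAtKey] = DateTime.UtcNow;

        // targetUrl carries the RelayState we set in RequireFreshUser; only
        // follow it if it is a local path, to avoid an open redirect.
        ctx.Response.Redirect(IsLocalUrl(targetUrl) ? targetUrl : "/", true);
    }

    // Call at the top of every protected page. Returns the userName when the SP
    // session is current; otherwise starts SSO again and returns null, in which
    // case the page must render nothing further.
    public static string RequireFreshUser(HttpContext ctx, string defaultPartnerIdP)
    {
        var userName = ctx.Session[UserNameKey] as string;
        var authenticatedAt = ctx.Session[AuthenticatedAtKey] as DateTime?;
        var partnerIdP = ctx.Session[PartnerIdPKey] as string ?? defaultPartnerIdP;

        if (userName != null && authenticatedAt.HasValue
            && DateTime.UtcNow - authenticatedAt.Value < MaxSessionAge)
        {
            return userName;
        }

        // Session missing or older than MaxSessionAge: run SSO again, passing the
        // current URL as RelayState so the user lands back on this page. A live
        // IdP session makes this silent; a logged-out or deleted user is
        // prompted to log in at the IdP instead.
        SAMLServiceProvider.InitiateSSO(ctx.Response, ctx.Request.RawUrl, partnerIdP);
        return null;
    }

    // RelayState guard: accept only a relative path on this site.
    private static bool IsLocalUrl(string url)
    {
        return !string.IsNullOrEmpty(url)
            && url.StartsWith("/", StringComparison.Ordinal)
            && !url.StartsWith("//", StringComparison.Ordinal)
            && !url.StartsWith("/\\", StringComparison.Ordinal);
    }
}
```

The trade-off is the one ComponentSpace describes: a short SP session means more redirects through the IdP, and an IdP session that outlives the SP session still makes the round trip invisible to the user. The check on isInResponseTo and the local-path guard on the returned targetUrl are the two places where a careless implementation of this pattern would otherwise accept an unsolicited assertion or redirect to an attacker-chosen URL.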