How can I update SAML assertion information from a WSO2 authentication server?

I am creating SAML 2.0 based authentication for a web application. Authentication is performed on the WSO2 Identity Server (WSO2-IS). I managed to get the actual authentication working using HTTP redirect. However, now I am having problems trying to "update" the authentication information from the identity server.

The problem is that the assertions returned by WSO2-IS have a lifespan of only 5 minutes. Therefore, based on this, I should get a new assertion from WSO2-IS every 5 minutes. However, I did not find any other way to do this against WSO2-IS than to do another round of redirection. Redirecting the user to another location every five minutes is not very convenient.

SAML 2.0 specifies an AuthnQuery that must be executed using SOAP over HTTP. If I understood correctly, AuthnQuery is exactly what I need to re-request assertion information for the user, but it seems to me that WSO2-IS does not support this query.

So the question is: how can I update (or re-request) the assertion information from the WSO2 Identity Server without having to redirect the user away from the page they are currently on?

+4
2 answers

The answer can be found in the SAML profile specification, in the Web Browser SSO Profile → rules for the use and processing of messages.

The bearer element described above MUST contain an element containing a Recipient attribute that holds the service provider's assertion consumer service URL and a NotOnOrAfter attribute that restricts the window during which the assertion can be delivered.

NotOnOrAfter is the time when the message should be delivered.

What you should consider is the SessionNotOnOrAfter attribute in the AuthnStatement, if present.

If used to establish a security context for the principal and it contains the SessionNotOnOrAfter attribute, the security context MUST be dropped once this time is reached, unless the service provider re-establishes the principal's identity by repeating the use of this profile.

SAML Profile Specification

+1
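As an added example (not code from the answer, from the SAML specification or from WSO2), here is service-provider-side logic in Python that applies the two attributes discussed above: it enforces the bearer NotOnOrAfter delivery window and rejects replayed assertion IDs once, at delivery time, and then keeps the local session alive until SessionNotOnOrAfter instead of repeating the redirect every five minutes. The assertion XML, URLs and IDs are constructed sample values, and XML signature verification is assumed to have happened before these checks.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not a real WSO2-IS response): 5-minute bearer delivery window,
# but an AuthnStatement whose SessionNotOnOrAfter lets the SP session run to 18:00 UTC.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>https://idp.example.test/samlsso</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.test/acs"
          NotOnOrAfter="2024-01-01T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T10:00:00Z"
      SessionIndex="_constructed-session-1" SessionNotOnOrAfter="2024-01-01T18:00:00Z"/>
</saml:Assertion>"""

def saml_time(value):
    """Parse the UTC xsd:dateTime form ('...Z') used in SAML time attributes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def accept_assertion(xml_text, acs_url, now, seen_ids):
    """One-time checks when the bearer assertion reaches the ACS endpoint.
    Assumes the XML signature was verified first. Returns the SessionNotOnOrAfter
    value the SP should store as its session expiry (None if the IdP set none)."""
    root = ET.fromstring(xml_text)
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        raise ValueError("missing SubjectConfirmationData or Recipient is not this ACS URL")
    # NotOnOrAfter bounds delivery only: a late assertion is rejected, not "session expired".
    if now >= saml_time(scd.get("NotOnOrAfter")):
        raise ValueError("assertion delivered after NotOnOrAfter")
    # A bearer assertion is single-use; remembering IDs until NotOnOrAfter blocks replay.
    if root.get("ID") in seen_ids:
        raise ValueError("assertion ID already consumed (replay)")
    seen_ids.add(root.get("ID"))
    authn = root.find("saml:AuthnStatement", NS)
    session_end = authn.get("SessionNotOnOrAfter") if authn is not None else None
    return saml_time(session_end) if session_end else None

def session_is_valid(session_end, now):
    """Per-request check: the SP security context lives until SessionNotOnOrAfter,
    so no new redirect is needed just because the 5-minute delivery window passed."""
    # No SessionNotOnOrAfter means the SP applies its own session policy; allow here.
    return session_end is None or now < session_end
```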

I'm not sure if you can use this anyway. This is from the SAML specification.

The message element is used to make the query "What assertions containing authentication statements are available for this subject?" A successful response will contain one or more assertions containing authentication statements.

The message SHOULD NOT be used as a request for a new authentication using the credentials specified in the request. It is a request for statements about authentication acts that occurred in a previous interaction between the specified subject and the authentication authority.

You are talking about NotOnOrAfter expiring on an assertion, right? As far as I understand, this is simply because you can no longer trust this message. If you read it before it expires, you can consider the user authenticated. This is typical for preventing replay attacks.

0