Handling SP-IDP Session Synchronization with SAML2 SSO

When we are working with SAML2 SSO, one of the common question that is come in to the picture, is that the handling of session time out between SAML2 IDP and multiple SPs. (when single logout is enabled)

Lets try to understand some common problems.

1. Does SP need to send SAML Logout request to IDP when SP’s session is invalidated due to the inactivity of user ?

No, It must not, Because if SAML Logout request is sent by the SP, IDP session is also invalidated. Then IDP will send Logout requests to other authenticated SPs, which can causes to logout the user from the SPs that are currently used.

2. What would be happened, when IDP session is invalidated (due to inactivity in the IDP) ? Does SAML IDP need to send SAML logout to request to SP?

No, IDP must not send. If IDP session is invalidated and If IDP sends Logout requests to authenticated SPs which can cause to logout the user from the SPs that are currently used.

Also, when user is active with even on of the authenticated SPs, It is not acceptable to invalidate the IDP session. If it is invalidated, then user needs to provide credentials to login for new SP again, which would break the seamless SSO.

3. All the SP sessions are invalidated due to the inactivity of user.. How do we invalidate the IDP session ?

Yes.. IDP session must be invalidated. If not, this can cause some security risk for end users.

So, basic idea is that, there must be some synchronization between IDP and SP sessions. How we can achieve it with SAML2 SSO protocol ?

 

SP-IDP session synchronization using SAML2 SSO

 

In, SAML specification has not defined any rules to follow for this.

But there are SAML2 passive request/ Force Auth requests that help to implement session synchronization use cases with IDP and SPs.

Here are some rules…

Rule 1. Given Service Provider only creates a SAML2 Single logout request when only user is clicked on “logout”. When session is invalidated due to the inactivity of user, SP must NOT create a SAML2 Single logout request to IDP.

If “App1” session is invalidated due to the inactivity of user and “App1” does not do any single logout to IDP. Therefore IDP session can remain without any issue. But the “App1” session has been destroyed.

If end user tries to use the “App1” again,

  • “App1” would create a SAML2 Auth request and send to the IDP. As IDP session is already there, user would not see any login page and user would be redirected to “App1”. Then “App1” can creates another session for user.
  • If there is requirement to login again with credentials, “App1” can create a SAML2 Auth request with force auth and send to the IDP. Then user would be promoted for login page.

Rule 2. IDP has a timeout session.. This time out session would be increased with the SAML2 SSO accesses (Actually this is like an inactive time out… But it is not based on the end user and based on the service provider).

Rule 3. Service Providers (“App1” and “App2”) must send “SAML2 SSO Passive requests” to increase the timeout of the IDP. Passive requests must be generated automatically by the SP without knowing to the end user.

As an example, When user is active in the SP Application, Passive requests can be generated in every 15min and sent to IDP to keep the IDP session active. When user is not inactive in the SP Application, Passive requests are not generated by SP. Therefore IDP session would be timeout after the given timeout period. Therefore if “App1” and “App2” are invalidated, IDP session also can be invalidated due to the timeout.  However,  when passive requests are sending,  there would be some distraction for the end user as there is a browser redirect. Therefore we need to handle it properly as well.

But some SAML2 IDP may expose some web service API that can be called by the SPs to increase the inactive time out of the IDP session.  In such cases, SP can call this web service API using the back channel in every 15min (or any) and keep the IDP session alive.  This would be much better approach rather than using SAML2 Passive request (as there is a distraction for end user)

 

If there any further suggestion, Please let me know by commenting below. Thanks a lot for reading this..

Discuss this article on Stack Overflow

Comments

  1. Please note that Passive SAML2 Auth request, is same as the normal SAML2 Auth request except on different. Passive request contains an attribute in the AuthRequest called “IsPassive” which must be set to “true”.

  2. Because not all IDP servers have a web service to extend the session timeout. A workaround to overcome this short comming is a hidden request to the IDP via javascript to extend the session time.

    1. If Suppose IDP session timeout is 40 minutes, SP session timeout is 60 minutes. There is only activity at front channel at SP but no back end channel activity. Then after 40 minutes,IDP session timeout will occur. How can i increase that timeout?

    2. If Suppose IDP session timeout is 40 minutes, SP session timeout is 60 minutes. There is only activity at front channel at SP but no back end channel activity. Then after 40 minutes,IDP session timeout will occur. How can i increase that timeout?

    3. If Suppose IDP session timeout is 40 minutes, SP session timeout is 60 minutes. There is only activity at front channel at SP but no back end channel activity. Then after 40 minutes,IDP session timeout will occur. How can i increase that timeout?

    4. If Suppose IDP session timeout is 40 minutes, SP session timeout is 60 minutes. There is only activity at front channel at SP but no back end channel activity. Then after 40 minutes,IDP session timeout will occur. How can i increase that timeout?

  3. Hi Pieter,

    Can you please explain how this can be done through Java script? I have simmillar requirement to keep the session alive for long so that there is not timeout.

    Thanks

Leave a Reply

Your email address will not be published. Required fields are marked *