Forced reauthentication
Jesse Santana
Jesse.Santana at csulb.edu
Thu Aug 14 19:31:31 EDT 2014
Apologies - message got sent out before being completed.
How would I go about destroying the SP session cookie?
Jesse Santana
Interim Director - Servers, Systems, and Websites
CSU Long Beach - Network Services
1250 Bellflower Blvd.
Long Beach, CA 90840
(562)985-8511
-----Original Message-----
From: Jesse Santana
Sent: Thursday, August 14, 2014 4:30 PM
To: Shib Users
Subject: RE: Forced reauthentication
The entire log entry looks like this:
2014-08-14 16:27:53 INFO Shibboleth-TRANSACTION [3]: New session (ID: _e334e3c4ba1911df55847a371825edec) with (applicationId: default) for principal from (IdP: http://www.okta.com/kv79fg77CWVTMIVZXMLF) at (ClientAddress: 134.139.2.14) with (NameIdentifier: 000020564) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: id37166912858056794557589990)
Which does get updated when I go to the application again:
2014-08-14 16:29:11 INFO Shibboleth-TRANSACTION [5]: New session (ID: _e3f18b546f6524bb64232d748c9d62ca) with (applicationId: default) for principal from (IdP: http://www.okta.com/kv79fg77CWVTMIVZXMLF) at (ClientAddress: 134.139.2.14) with (NameIdentifier: 000020564) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: id377649452240692491450287841)
Jesse Santana
Interim Director - Servers, Systems, and Websites
CSU Long Beach - Network Services
1250 Bellflower Blvd.
Long Beach, CA 90840
(562)985-8511
-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of David Bantz
Sent: Thursday, August 14, 2014 4:24 PM
To: Shib Users
Subject: Re: Forced reauthentication
It doesn't seem the first SP session really ended. I see that you state "the SP logs a new session" but you don't provide the log entry for that, and generally, merely closing the active browser tab does not end the SP session - not in my experience anyway. So opening a new tab/window in the same browser session just continues with the existing session. That of course does not require re-authentication.
If you want to test the re-authentication required after 5 seconds, you'll need to destroy the SP session cookie.
On Thu, 14 Aug 2014, at 14:51 , Jesse Santana <Jesse.Santana at csulb.edu> wrote:
> I'm really hoping to draw from the expertise of this community.
>
> I currently have a Shibboleth IdP running (shibboleth-identityprovider version 2.4.0). The instance is running as expected and releasing attributes to over a dozen SP's that currently use it. I have a new SP I've been asked to introduce to the environment with the requirement that this SP force re-authentication each time it is used. I realize this goes against SSO in general but it is still a requirement I need to try and fill.
>
> I've edited shibboleth2.xml (shibboleth 2.5.3) by adding to my "Sessions" block maxTimeSinceAuthn="5" and to my "SSO" block forceAuthn="true". After restarting my SP, I can login initially and see my session established on the SP:
>
> INFO Shibboleth-TRANSACTION [10]: New session (ID: _7e76ca6eda3efe8ec9c547da21828981) with (applicationId: default) for principal
>
> And I see the authentication on the IdP:
>
> INFO [Shibboleth-Audit:1028] - 20140814T220328Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_91a4358af7798cc5b9541c2dbcb13825
>
> Along with my release of attributes.
>
> When I close the tab in my browser that this application opened and reconnect to the application again in the same browser session, I can see where the SP logs a new session but the IdP is never contacted again for re-authentication.
>
> What am I missing here? Shouldn't the SP contact the IdP again to re-authenticate and the IdP prompt me for my credentials again?
>
> Thank you all in advance,
>
> Jesse
>
>
> Jesse Santana
> Interim Director - Servers, Systems, and Websites
> CSU Long Beach - Network Services
> 1250 Bellflower Blvd.
> Long Beach, CA 90840
> (562)985-8511
>
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
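As an added example (not code from the thread or from the Shibboleth project), the Python below parses the SP's Shibboleth-TRANSACTION "New session" lines quoted above and, for each NameIdentifier, reports how long after the previous SP session each new one was established and whether it arrived with a different AssertionID. It assumes the log line layout shown in the thread; the two sample lines are copied from the messages above.

```python
import re
from datetime import datetime

# Sample input: the two "New session" transaction-log lines quoted in the thread.
SAMPLE_LOG = """\
2014-08-14 16:27:53 INFO Shibboleth-TRANSACTION [3]: New session (ID: _e334e3c4ba1911df55847a371825edec) with (applicationId: default) for principal from (IdP: http://www.okta.com/kv79fg77CWVTMIVZXMLF) at (ClientAddress: 134.139.2.14) with (NameIdentifier: 000020564) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: id37166912858056794557589990)
2014-08-14 16:29:11 INFO Shibboleth-TRANSACTION [5]: New session (ID: _e3f18b546f6524bb64232d748c9d62ca) with (applicationId: default) for principal from (IdP: http://www.okta.com/kv79fg77CWVTMIVZXMLF) at (ClientAddress: 134.139.2.14) with (NameIdentifier: 000020564) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: id377649452240692491450287841)
"""

# Matches the SP's "New session" transaction line and captures the fields this audit needs
# (assumed layout: the format shown in the thread, which may differ between SP versions).
NEW_SESSION = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) INFO Shibboleth-TRANSACTION \[\d+\]: "
    r"New session \(ID: (?P<session>[^)]+)\).*?\(IdP: (?P<idp>[^)]+)\).*?"
    r"\(NameIdentifier: (?P<nameid>[^)]+)\).*?\(AssertionID: (?P<assertion>[^)]+)\)"
)


def parse_sessions(text):
    """Return one dict per 'New session' line, in log order; other lines are ignored."""
    sessions = []
    for line in text.splitlines():
        m = NEW_SESSION.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            sessions.append(rec)
    return sessions


def audit_sessions(sessions):
    """Compare each SP session with the previous one for the same NameIdentifier.
    fresh_assertion is True when the AssertionID differs from the previous session's;
    seconds_since_previous is None for the first session seen for that subject."""
    last_by_subject = {}
    findings = []
    for s in sessions:
        prev = last_by_subject.get(s["nameid"])
        findings.append({
            "session": s["session"],
            "nameid": s["nameid"],
            "seconds_since_previous": None if prev is None else int((s["ts"] - prev["ts"]).total_seconds()),
            "fresh_assertion": prev is None or prev["assertion"] != s["assertion"],
        })
        last_by_subject[s["nameid"]] = s
    return findings


if __name__ == "__main__":
    for f in audit_sessions(parse_sessions(SAMPLE_LOG)):
        print(f)
```

A changed AssertionID only shows that the IdP issued a new response for the new SP session; whether the IdP actually re-prompted for credentials has to be checked in the IdP's own audit log.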