SAML flow within MFA flow - possible c14n problem
John Watt
John.Watt at glasgow.ac.uk
Tue Sep 13 15:33:32 UTC 2022
> Most people proxying don't use the IdP's sessions, but if they're in use, there are no differences between any of the login flows in that respect, reuse is up to the relevant lifetime and your reuseCondition (if set).
Thanks Scott, from this I assume that (in the SAML flow in isolation, no MFA flow calling it) there is also nothing stopping a new result from being loaded into a new session in the user's browser after the old one expires? (as it does in Password flow).
I can't see why this SAML flow can't load a new session/result after the first one expires, so unless I can find something outside the IdP causing this I may need to rethink the way the subsequent MFA orchestrator flow works based on these sessions not being available.
Out of interest, is there a way to set an individual flow to have no lifetime or timeout in its own properties? Or does this rejection of idp sessions need to be set globally in the idp.session.enabled?
Thanks again,
John
________________________________
From: Cantor, Scott <cantor.2 at osu.edu>
Sent: 13 September 2022 15:30
To: Shib Users <users at shibboleth.net>
Cc: John Watt <John.Watt at glasgow.ac.uk>
Subject: Re: SAML flow within MFA flow - possible c14n problem
Most people proxying don't use the IdP's sessions, but if they're in use, there are no differences between any of the login flows in that respect, reuse is up to the relevant lifetime and your reuseCondition (if set).
However, the MFA flow by design can't apply timeouts on the individual results, as noted in the documentation (under Single Sign-On / Reuse By the MFA Flow).
"Note that one feature the MFA flow does not have is individual timeouts. For various reasons, it was not practical to maintain an activity timeout on the individual results within the MFA flow, and so that check is not done. Using a shorter lifetime generally will compensate for that.
On the other hand, the overall MFA result that contains all of the individual results does have the normal lifetime/timeout policy the IdP supports. You can still time out any memory of any of the results, just not at a fine-grained level."
-- Scott
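As an added illustration (not part of either message) of where the per-flow lifetime, inactivity timeout and reuse settings discussed above live, here is a constructed fragment in the style of the IdP's idp.properties and authn.properties. The property names (idp.authn.*.lifetime, idp.authn.*.inactivityTimeout, idp.authn.*.reuseCondition) and the shibboleth.Conditions.FALSE bean are assumed from Shibboleth IdP v4 conventions, not taken from the thread, so check them against the commented defaults shipped with your installation.

```properties
# idp.properties: the IdP's own session layer. If this is false, no login
# result (from any flow) is stored for reuse, whatever the per-flow settings.
idp.session.enabled = true

# authn.properties (assumed v4 property names). MFA is the entry point and
# orchestrates the SAML (proxy) and Password flows.
idp.authn.flows = MFA

# lifetime = maximum age of a stored result; inactivityTimeout = idle limit.
# Both apply to the OVERALL MFA result, which is the thing that gets reused.
# Because the individual results inside it are never timed out separately,
# a shorter overall lifetime is what compensates for that.
idp.authn.MFA.lifetime = PT60M
idp.authn.MFA.inactivityTimeout = PT30M

# These govern the SAML and Password flows only when they run on their own.
# Nested inside the MFA flow, their results are aged out solely by the MFA
# lifetime/timeout above, not by these values.
idp.authn.SAML.lifetime = PT60M
idp.authn.SAML.inactivityTimeout = PT30M
idp.authn.Password.lifetime = PT60M
idp.authn.Password.inactivityTimeout = PT30M

# Reuse can be refused for one flow instead of disabling IdP sessions
# globally: with this condition the MFA flow is re-run on every request even
# though idp.session.enabled stays true. Left commented here (reuse is the
# default behaviour).
#idp.authn.MFA.reuseCondition = shibboleth.Conditions.FALSE
```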