2 Replies Latest reply on Dec 1, 2010 5:20 PM by Jean Luc

    Can PicketLink refresh the IDP session periodically?

    Jean Luc Apprentice

      Hi (Marcel),


      Another day, another question. Is it possible for PicketLink to tell the IDP periodically to refresh the session?


      The reason I'm asking is that in my observations, after the login phase, there is no more communication between the SP and the IDP. As such, the IDP doesn't know the session is still being used actively.


      Is that something you need to configure to achieve that? (I'm using OpenAM/OpenSSO, in case it makes a difference). I thought this would be the default behaviour, but after I watched the traffic with a sniffer, I see no more communication after the login.


      Thanks,

      JL

        • 1. Re: Can PicketLink refresh the IDP session periodically?
          Marcel Kolsteren Apprentice

          Hi Jean Luc,


          No, as far as I know there is no support in SAMLv2 for this, and thus also no support for it in PicketLink. In one of the SAMLv2 specification documents, called "Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0", section 4.1.4.3 (<Response> Message Processing Rules) there is a paragraph which might be interesting for you:


          If an <AuthnStatement> used to establish a security context for the principal contains a SessionNotOnOrAfter attribute, the security context SHOULD be discarded once this time is reached, unless the service provider reestablishes the principal's identity by repeating the use of this profile.


          This section gives some requirements and recommendations related to how a service provider should process the authentication response that comes back from the IDP. In this case (because of the SHOULD instead of MUST) it's a recommendation. PicketLink currently does nothing with that recommendation.


          You can read between the lines that the service provider is responsible for re-authenticating as soon as the session of the user times out. The IDP can only give a hint of when the session needs to be refreshed.


          Implementing an automatic refresh in PicketLink is not straightforward. For refreshing the session, PicketLink needs to be "in control" of the browser of the user, because communication with the IDP can only take place indirectly through the browser of the user. So PicketLink needs to sense that a servlet session timeout has taken place, and take care of the refresh at that time. After handling the refresh, it should redirect back again to the correct page in the application. Normally, you would handle the ViewExpiredException in your pages.xml, redirecting to your login page. But that only works if you have a login page where the user needs to select her preferred IDP. If you have a default IDP that handles all logins, you probably don't have a login page. In that case you can redirect to a page that calls externalAuthenticator.samlSignOn(). Just regard this as some hints; I didn't try or test this.
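
          As an added illustration of the SP-side behaviour the quoted SHOULD describes (example code, not from this thread and not part of PicketLink): a servlet filter that remembers the assertion's SessionNotOnOrAfter value and, once that instant is reached, discards the local security context and sends the browser to the page that calls externalAuthenticator.samlSignOn(), so identity is re-established by repeating the profile. The session attribute name, the sign-on page path and the place where remember() is called are assumptions.

```java
import java.io.IOException;
import java.time.Instant;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Enforces the SAML V2.0 Profiles section 4.1.4.3 recommendation on the SP side:
 * drop the security context once SessionNotOnOrAfter is reached and re-establish
 * the principal's identity by starting the Web Browser SSO profile again.
 * Hypothetical example; PicketLink itself does not ship this.
 */
public class SessionNotOnOrAfterFilter implements Filter {

    // Assumed: the code that processed the <Response> stored the limit under this key.
    static final String SESSION_EXPIRY_ATTR = "saml.sessionNotOnOrAfter";
    // Assumed: a page whose page action invokes externalAuthenticator.samlSignOn().
    static final String SIGN_ON_PAGE = "/samlSignOn.seam";

    /** Call this from the response handler after the assertion has been validated. */
    public static void remember(HttpSession session, String sessionNotOnOrAfter) {
        // SAML dateTime values are UTC with a trailing "Z", which Instant.parse accepts.
        session.setAttribute(SESSION_EXPIRY_ATTR, Instant.parse(sessionNotOnOrAfter));
    }

    /** True when a limit was recorded and "now" is at or past it. */
    static boolean isExpired(HttpSession session, Instant now) {
        Object limit = session == null ? null : session.getAttribute(SESSION_EXPIRY_ATTR);
        return limit instanceof Instant && !now.isBefore((Instant) limit);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);

        if (isExpired(session, Instant.now())) {
            // Discard the local context; the IDP decides whether its own session is
            // still alive and whether to issue a fresh assertion without prompting.
            session.invalidate();
            response.sendRedirect(request.getContextPath() + SIGN_ON_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

          The redirect cannot loop: after invalidate() the next request carries no session, so isExpired() is false and the sign-on page is served normally.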

          • 2. Re: Can PicketLink refresh the IDP session periodically?
            Jean Luc Apprentice

            Thanks for the detailed (as usual) answer. We'll look into a periodic refresh from the browser.