3 Replies Latest reply on Nov 21, 2011 2:18 PM by Anil Saldanha

    SP Assertion validation between requests

    Pedro Igor Master

      Hi,

       

          The SPPost and SPRedirect valves only check the assertion conditions when the SAMLResponse parameter is passed in the URL. Is this the correct behaviour, or must the conditions be validated even if this parameter is not passed?

       

          To test I used the picketlink-sts.xml configuration file with small values in SAML20AssertionTokenProvider.ASSERTION_VALIDITY(5000) and SAML20AssertionTokenProvider.CLOCK_SKEW(0).

       

      Thanks,

      Pedro Igor

        • 1. Re: SP Assertion validation between requests
          Anil Saldanha Master

          The Assertion is contained in the SAMLResponse, which is part of the HTTP response from the IDP. It arrives via the URL for the redirect binding and as a form parameter in the POST binding.

          • 2. Re: SP Assertion validation between requests
            Pedro Igor Master

            I'm asking this for two reasons:

             

             

                   1) If the user has an active security context in an SP, his token will never be validated again for requests sent after the IDP's response (if the SAMLResponse is not propagated between the requests). While the user's session is valid he will have access to the SP's resources even with an expired token. I just want to know if this is the expected behaviour...

             

             

                   2) Suppose I have SP 1 using IDP 1 and SP 2 using IDP 2. I have also configured a trust relationship between both IDPs. When the user is authenticated in SP 1 and wants to access SP 2, the assertion needs to be propagated. Which is the best way to do that? Today I'm using the same SAMLResponse returned by IDP 1 to SP 1 to call SP 2... Is this a good approach?

            • 3. Re: SP Assertion validation between requests
              Anil Saldanha Master

              Pedro Igor wrote:

               

              I'm asking this for two reasons:

               

               

                     1) If the user has an active security context in an SP, his token will never be validated again for requests sent after the IDP's response (if the SAMLResponse is not propagated between the requests). While the user's session is valid he will have access to the SP's resources even with an expired token. I just want to know if this is the expected behaviour...

              In an ideal world, the session at the SP should be equal to the token expiration time. In the practical world, we suggest that the SP administrator configure the session length to match what the IDP administrator has given them (with respect to token expiration).

               

              2) Suppose I have SP 1 using IDP 1 and SP 2 using IDP 2. I have also configured a trust relationship between both IDPs. When the user is authenticated in SP 1 and wants to access SP 2, the assertion needs to be propagated. Which is the best way to do that? Today I'm using the same SAMLResponse returned by IDP 1 to SP 1 to call SP 2... Is this a good approach?

              It is not clearly defined how the trust relationship between IDP1 and IDP2 is defined from a token perspective. So when SP2 gets a token issued by IDP1, it needs to validate it with IDP2 via back-channel calls (SOAP profile, maybe). IDP2 decides whether it should approve or not (it may have its own back-channel communication with IDP1). This is an advanced use case which matches the discussion at http://community.jboss.org/thread/174647?tstart=0
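The point raised in the question (item 1) and answered in the reply above, as an added example that is not part of the original thread and not PicketLink code: an SP that keeps the assertion's Conditions window after consuming the SAMLResponse can re-check it on every later request, whether or not a SAMLResponse parameter is present, and can cap its own session so it never outlasts the token. The SAMLResponse XML, the 5-second validity (mirroring the ASSERTION_VALIDITY=5000 test setting), the class and function names (`SPSession`, `conditions_valid`, `max_inactive_interval`) and the timestamps are all constructed for the example; only the SAML 2.0 namespaces and the NotBefore/NotOnOrAfter semantics are real.

```python
"""Re-check SAML assertion Conditions on every SP request and bound the SP
session by the assertion's NotOnOrAfter.

Added example (not PicketLink code). The SAMLResponse below is constructed
for the example; the namespaces are the standard SAML 2.0 ones.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SAMLResponse: assertion issued at 12:00:00Z and valid for
# 5 seconds, i.e. the ASSERTION_VALIDITY=5000 ms setting from the thread.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2011-11-21T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-11-21T12:00:00Z">
    <saml:Issuer>http://idp.example.org</saml:Issuer>
    <saml:Subject><saml:NameID>pedro</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2011-11-21T12:00:00Z"
                     NotOnOrAfter="2011-11-21T12:00:05Z"/>
  </saml:Assertion>
</samlp:Response>"""


def _parse_instant(value):
    # SAML timestamps are xsd:dateTime in UTC with a "Z" suffix.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_conditions(saml_response_xml):
    """Return (NotBefore, NotOnOrAfter) of the first Assertion in the Response."""
    root = ET.fromstring(saml_response_xml)
    conditions = root.find("saml:Assertion/saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions element")
    return (_parse_instant(conditions.get("NotBefore")),
            _parse_instant(conditions.get("NotOnOrAfter")))


def conditions_valid(not_before, not_on_or_after, now, clock_skew_ms=0):
    """SAML 2.0 core 2.5.1: valid iff NotBefore <= now < NotOnOrAfter,
    with both bounds widened by the configured clock skew (CLOCK_SKEW)."""
    skew = timedelta(milliseconds=clock_skew_ms)
    return (not_before - skew) <= now < (not_on_or_after + skew)


class SPSession:
    """Hypothetical SP security context that remembers the assertion's
    validity window instead of trusting the container session alone."""

    def __init__(self, saml_response_xml, now, clock_skew_ms=0):
        self.not_before, self.not_on_or_after = parse_conditions(saml_response_xml)
        self.clock_skew_ms = clock_skew_ms
        # Same check the valve performs when the SAMLResponse arrives.
        if not conditions_valid(self.not_before, self.not_on_or_after, now, clock_skew_ms):
            raise PermissionError("assertion conditions not satisfied at login")

    def max_inactive_interval(self, now):
        """Whole seconds the container session may live so it does not
        outlast the token (the 'SP session == token expiration' advice)."""
        remaining = (self.not_on_or_after - now).total_seconds()
        return max(0, int(remaining))

    def authorize_request(self, now):
        """Run on every request, including those with no SAMLResponse
        parameter; an expired assertion denies access even with a live session."""
        return conditions_valid(self.not_before, self.not_on_or_after, now, self.clock_skew_ms)


def demo():
    """Login one second into the window, then two requests: one inside, one after expiry."""
    login = datetime(2011, 11, 21, 12, 0, 1, tzinfo=timezone.utc)
    session = SPSession(SAML_RESPONSE, login)
    within = session.authorize_request(login + timedelta(seconds=2))    # True
    after = session.authorize_request(login + timedelta(seconds=10))    # False
    return within, after, session.max_inactive_interval(login)           # (True, False, 4)


if __name__ == "__main__":
    print(demo())
```

Setting the container session timeout from `max_inactive_interval` enforces the reply's suggestion automatically, and `authorize_request` closes the gap the question describes for requests that arrive without a SAMLResponse. With CLOCK_SKEW=0, as in the original test, a request at exactly NotOnOrAfter is already rejected; a non-zero skew widens both bounds.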