This case is very much similar to question by Wiktor Zychla, see How to set the timeout properly when federating with the ADFS 2.0
We are experiencing the same behavior, ADFS happily redirects the user back to Sharepoint site and FedAuth cookie is recreated, even though ADFS should prompt for credentials - we want the user to reauthenticate after some period of idle time. Basically it looks like the session is always sliding.
We have disabled persistent cookies, so the FedAuth cookie is removed when session is ended by closing the browser, so the user is forced to reauthenticate after all browser windows are closed and a new session is started, so that works.
As far as I understand the Web SSO lifetime setting in ADFS Snap-in controls the time after which the user should need to re-authenticate on AD FS (enter his credentials again). Tokenlifetime and LogonTokenCacheExpirationWindow together control, when Sharepoint should redirect back to AD FS to in order to renew FedAuth cookie.
Following is a quote from http://msdn.microsoft.com/en-us/library/hh446526.aspx :
To force users to re-enter their credentials whenever they are redirected back to ADFS, you should set the web SSO lifetime in ADFS to be less than or equal to SAMLtokenlifetime minus the value of LogonTokenCacheExpirationWindow.
So, we have done following:
1. Setting the lifetime of SAML token
Add-PSSnapin Microsoft.ADFS.PowerShell
Set-AdfsRelyingPartyTrust –TargetName "[ourrelayingpartytrustreference]" –TokenLifeTime 7
2. Setting LogonTokenCacheExpirationWindow (and disabling persistent cookies)
Add-PSSnapin Microsoft.SharePoint.Powershell -EA 0
$sts = Get-SPSecurityTokenServiceConfig
$sts.UseSessionCookies = $true
$sts.LogonTokenCacheExpirationWindow = (New-Timespan -Minutes 1)
$sts.Update()
iisreset
3. Adjusted Web SSO lifetime: 5 minutes in AD FS 2.0 Management console snapin (running Get-ADFSProperties in Powershell correctly returns SsoLifetime: 5)
Thus the expected outcome is:
User starts a fresh new session, requests the web site
Browser is redirected to AD FS, user enter credentials, and browser is redirected back to Sharepoint site, FedAuth cookie is generated
User remains idle for 10 minutes (to make sure that session sliding period has passed)
User requests another page in Sharepoint, browser is redirected to AD FS
Since Web SSO lifetime was 5 minutes, and it was, as in msdn documentation instructs, less than SAMLtokenlifetime minus the value
of LogonTokenCacheExpirationWindow (SAMLtokenlifetime -
LogontokenCacheExpirationWindow = 6 minutes), AD FS prompts the user
for credentials, user enters credentials, and browser is redirected
to Sharepoint page requested and FedAuth cookie is recreated.
Current actual behavior (steps 1-4 similar):
(5.) AD FS does not prompt for credentials, browser is redirected to Sharepoint page and FedAuth cookie is recreated.
So - for us it looks like AD FS session never expires, no matter what we do.
If we create a false configuration of setting LogonTokenCacheExpirationWindow value higher than SAMLtokenlifetime (e.g. LogonTokecacheExpirationWindow = 8 and SAMLtokenlifetime = 7), we get the expected behavior of loop between Sharepoint and AD FS.
We are desperately seeking for a solution to properly expire the session, if user has remained idle for some period of time.
We also tried following configuration change (as per the guidance at http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/802b1bb6-cda3-4470-a0d1-ee709d5c4b7c/):
Set-ADFSProperties -SsoLifetime 1
Set-ADFSProperties -ReplayCacheExpirationInterval 1
Set-ADFSProperties -SamlMessageDeliveryWindow 1
No Global.asax changes yet made.
As far as I understand, we have configured everything according to the documentation, however we cannot force the user to reauthenticate. Any help pointing out the error in configuration is appreciated.
Apologies if you have already done this, but be sure you have restarted AD FS after making the websso changes. We did not get our expected results until we restarted the services. Also, if you have a proxy, may want to restart that as well.
Do you have any pieces of infrastructure that are rewriting the cookies?
Related
I have got forms authentication working in my website. But one thing I don't understand. I had a test website and a production website, both using identical database and code. When I logged into the test site, then try to go to the production one, I still need to login. Why?
I thought the login mechanism is this:
After user password is checked fine, the server insert a FormsAuthenticationTicket cookie into client's browser.
When browser attempt to go to a page that requires login, the server checks that cookie. If it is there, then it sends that page.
If my test site has placed that cookie into the browser, now that browser goes to the production site, how did the production site know "I didn't place this cookie and therefore I still require you to login"?
I found out. Because the authentication cookie is only visible to the website that inserted it. A cookie inserted by "www.mysite.com" is invisible to "www.othersite.com".
I'm using adal.js on my react app (using react-adal wrapper). I configured my app to work with my ADFS 2016 server (on premise), and the authentication process works fine, but after the ADFS SSO cookie expired, when the client sends the renew token request (in an hidden iframe), the browser shows in the console the following error: refuse to display 'https://myadfs/adfs/ls/SAMLRequest=...' in a new frame because it set 'X-frame-options' to deny.
In order to reauthenticate, the user needs to refresh the page (F5).
Is there any solution / workaround to this problem?
ADFS <= 2016 does not allow iFrame based logins for any interactive authentication for security reasons. This would have worked if the user did not need to perform an interactive sign-in (either SSO cookie or WIA).
The right pattern (since you are on 2016) is to use OIDC flows to log into the application and use the refresh token to get new access tokens.
Even here you need to handle the refresh token expired case where you will need to store your app context locally (cookie or local cache) and enable a full redirect to ADFS.
ADFS 2019 now has the option where an admin can configure options for which host(s) they allow iFrames by controlling the headers.
Thanks //Sam (Twitter: #MrADFS)
Like I explained in this similar question, the commandlet "Set-AdfsResponseHeaders" is also supported on ADFS 2016 since a recent MS update (about May 2019) :
Set-AdfsResponseHeaders -RemoveHeaders "X-Frame-Options"
Howeber, I agree with SamuelD MSFT on the fact that it's not a good practice any more to use iFrame integration nowadays.
We are trying to build OAuth2 Authorization with IdentityServer3.
So we downloaded the Bytes from nuget and connected it with our database.
The database was initialized with the default scopes and the sample clients from Thinktecture self.
Then we connected AD FS as IDP via OWIN and made an simple ExternalUserService.
So far everything worked fine and the permissions page of the IdSrv could be opened, showing the username and that no application has consent up to now.
Then we tried to connect Xamarin.Auth to that and got an error Cannot determine application to sign in to and in the logs an error Signin Id not present (after logon at the ADFS IDP).
To reduce complexity, we decided to go back to the InMemoryUserService and created one InMemoryUser. This worked for the permissions page (at least for a short period of time - time is over now), but it did not allow OAuth2 Authorization Code Flow, which ended up in showing the login page again and again and again. And there is no evidence of any error in the logs.
How can we debug, what is happening? Is there any way to see, why a user gets redirected to the login page again despite being logged in?
--
We reduced the complexity even further by creating a new empty MVC application, which just uses a simple InMemoryUserFactory.
Now it's getting a little bit confusing: one user was able to logon from his machine - other machines (same user - since we created only one) are not able to login and get prompted with the login over and over again.
If using IdentityServer3 and you use own external login methods you should really pay close attention to the API of the IdSrv3.
We tried to create a login resutl with just the subject - this is made for local login on the server. If this is switched off at the same time, you will end up having problems.
So if you use an own external login provider and switch off local login, make sure to call the right overload for the authenticate method (3 Parameters in our case).
I have started maintain a number of websites that are all authenticated using openam SSO. However when one of our users sets a persistant cookie (DProPCookie) it doesn't always work.
Repro scenario is:
Login to openam, setting the persistant cookie
Restart browser (to clear session cookies)
Go to site A, user is logged in automatically because of persistant cookie
Go to site B, user is presented a login page (they should be automatically logged in).
After step 3, if I delete the iPlanetDirectoryPro cookie from my browser I can login to site B fine (using the persistant cookie). It seems that the iPlanetDirectoryPro cookie generated from Site A when the DProPCookie is set doesn't work on Site B.
Note that I have tried with various permutations of Site A and B and the scenario is the same in each case.
I'm quite new to openam so any hints as to how to debug this would be great or if I'm missing something obviously going wrong please do let me know.
Thanks in advance.
EDIT:
I have subsequently discovered that the iPlanetDirectoryPro cookie returned when authenticating using the DProPCookie isn't working. So thus has nothing to do with cross domain.
Login to openam, setting the persistant cookie
Restart browser (to clear session cookies)
Go to site A, user is logged in automatically because of persistant cookie
Delete all cookies except iPlanetDirectoryPro cookie
Refresh page - asked to login
If I repeat the test but with the iPlanetDirectoryPro cookie generated by a normal login then when I refresh the page, I automatically get authenticated. (I have changed the title of the question to reflect this).
FURTHER EDIT:
Turned up debugging - am seeing this exception in the logs:
IdName is :null
amAuth:11/28/2012 05:11:25:750 PM GMT: Thread[TP-Processor2,5,main]
orgName is :xxx
amAuth:11/28/2012 05:11:25:750 PM GMT: Thread[TP-Processor2,5,main]
AuthD.getIdentity() from IdUtils Name: null Org: xxx
amAuth:11/28/2012 05:11:25:750 PM GMT: Thread[TP-Processor2,5,main]
AuthD.getIdentity: Got IdRepoException while getting Identity from IdUtils: Illegal universal identifier null.
amAuth:11/28/2012 05:11:25:750 PM GMT: Thread[TP-Processor2,5,main]
isLockedOut:Exception :
java.lang.NullPointerException
at com.sun.identity.idm.server.IdCachedServicesImpl.search(IdCachedServicesImpl.java:585)
at com.sun.identity.idm.AMIdentityRepository.searchIdentities(AMIdentityRepository.java:296)
at com.sun.identity.authentication.service.AuthD.getIdentity(AuthD.java:1453)
at com.sun.identity.authentication.service.AMAccountLockout.isMemoryLockout(AMAccountLockout.java:297)
at com.sun.identity.authentication.service.AMAccountLockout.isLockedOut(AMAccountLockout.java:281)
at com.sun.identity.authentication.service.AMAccountLockout.isLockedOut(AMAccountLockout.java:264)
at com.sun.identity.authentication.service.AMLoginContext.processPCookieMode(AMLoginContext.java:1919)
at com.sun.identity.authentication.service.AMLoginContext.processIndexType(AMLoginContext.java:1846)
A quick scan through the openam code - it appears that we are not getting a username here in AMAccountLockout.java:264:
public boolean isLockedOut() {
// has this user been locked out.
String userDN = loginState.getUserToken();
return isLockedOut(userDN);
}
Persistent Cookie mode has changed in OpenAM ... DProCookie is actually not used anymore.
Posssibly you're running 'restricted token mode' AKA 'cookie anti-hijack mode' and CDCServlet does not issue a proper authentication assertion
Could be that you are running into https://bugster.forgerock.org/jira/browse/OPENAM-1002 ?
Also it could be a problem with your cookie domains, maybe site B redirects to a different domain where DProPCookie is not visible?
Ultimately we discovered that the problem was that the SSO cookie generated by the persistant cookie had no authention modules - and therefore the authentication level was set to Integer.MIN_VALUE;.
In our situation we made a slightly hacky fix to force this to be 0 instead, which fixes up the problem.
I presume the correct thing to do would be to either have a seperate authentication module for persistant cookie logins or to store the authenticating module in the SSO cookie generated by the Persistant cookie.
I'm building a central authentication service(auth.xyz.com), similar to what Google has on accounts.google.com. I have multiple applications, each running on a different subdomain(app1.xyz.com, app2.xyz.com) which will be integrating with my auth service.
I am currently following a cookie based system, written on ".xyz.com" domain, so that it is readable by all the subdomains.
My problem is that I cant figure how to handle the cookie expiry. If the user logs in at time t, and spends 45 mins on app1.xyz.com, and then goes to app2.xyz.com, I dont want him to have to login again. Also, if the user logs in on app1.xyz.com and is then idle for 45 mins, and then hits app2.xyz.com, I want him to have to relogin. How can I achieve this?
I dont want to touch the auth server on every request I get on app1 or app2.
I do not think that is really possible.If that is the case, there will be a security hole in the entire flows of the applications.An cookie expired user can still access the resources on server app1 and app2 without authentication or some other trusted mechanism!.