ADFS SAML 2.0 timeout not working

We are implementing ADFS SSO to our ASP.NET application.
For this we are using SAML 2.0 based ComponentSpace library.

We found that the user is not authenticated again by the ADFS server (not logged out after a certain duration).

Do we have any setting for timeout? If yes, how can we use it with SAML?
Do we need to send a request (InitiateSSO()) to the server every 5 minutes to validate the token?

Please help me with these.

Thanks

Calling InitiateSSO every 5 minutes or so is not required or recommended.
Once SSO occurs between an IdP and SP, the two sites independently maintain their own authentication sessions. Typically this means they have their own authentication cookies with separate timeout values etc. For example, a user’s authentication session may have timed out at the IdP but they remain logged in at the SP.
Depending on the method of authentication, ADFS will log out the user after a period of inactivity. This doesn’t apply for intranet users who use Windows integrated authentication. However, if they used ADFS forms authentication, their authentication session at ADFS will eventually time out and they’ll be required to log in again the next time SSO is attempted.
Of course, if the ADFS authentication session hasn’t timed out and SSO is attempted they won’t be prompted to login again.

[quote]
ComponentSpace - 12/13/2017
Calling InitiateSSO every 5 minutes or so is not required or recommended.
Once SSO occurs between an IdP and SP, the two sites independently maintain their own authentication sessions. Typically this means they have their own authentication cookies with separate timeout values etc. For example, a user's authentication session may have timed out at the IdP but they remain logged in at the SP.
Depending on the method of authentication, ADFS will log out the user after a period of inactivity. This doesn't apply for intranet users who use Windows integrated authentication. However, if they used ADFS forms authentication, their authentication session at ADFS will eventually time out and they'll be required to log in again the next time SSO is attempted.
Of course, if the ADFS authentication session hasn't timed out and SSO is attempted they won't be prompted to login again.
[/quote]

Thanks for your reply.

We are using forms authentication in our ASP.NET application.
According to your comment below, "their authentication session at ADFS will eventually time out and they'll be required to login again the next time SSO is attempted.", the user will be asked to log in again whenever SSO is attempted.

As we are using the ComponentSpace high-level API, is there any method to check token validity or attempt SSO without calling InitiateSSO?


I’m afraid the SAML specification doesn’t include a mechanism for checking whether the authentication session at the IdP is still active.
InitiateSSO will send a SAML authn request to the IdP. You could do the same using our SAML low-level API but the result would be the same.

Thanks for the response. We are not looking for a SAML API to check whether the session is active at the IdP that issued the token.

Our goal was this: since the IdP has settings such as WebSSO timeout and token timeout, if the IdP injects any of these properties into the token when it is minted, does the SAML API have a way to check whether the SAML token received and being used by the SP is still valid (that is, whether the token has exceeded either the WebSSO timeout or the token timeout set at the IdP when it was minted) without making a round trip to the IdP?

Do you have any sample documents/examples for the low-level APIs?

The IdP could include this information as SAML attributes in the SAML assertion.
SAML attributes are arbitrary name/values that typically provide additional identity information about the user.
The IdP could include timeout values etc. if required, although this isn’t commonly done.
You’ll find examples of the low-level APIs under the Examples\SSO\LowLevelAPI folder.
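
Added example, not part of the thread and not ComponentSpace code: besides custom attributes, a SAML 2.0 assertion can carry standard time values on `<AuthnStatement>` (`AuthnInstant` and the optional `SessionNotOnOrAfter`) that an SP can use to cap its own session without a round trip to the IdP. The C# below reads them with System.Xml.Linq from an assertion assumed to have already passed signature validation; the sample XML, the `SessionTimeoutMinutes` attribute name and the 12-hour SP policy are assumptions made for illustration.

```csharp
// Added example; not ComponentSpace or ADFS code. The sample assertion and the
// "SessionTimeoutMinutes" attribute name are constructed for illustration.
using System;
using System.Globalization;
using System.Linq;
using System.Xml.Linq;

static class AssertionLifetime
{
    static readonly XNamespace Saml = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Parse an xs:dateTime attribute as UTC; null when the attribute is absent.
    static DateTime? Utc(XAttribute a) => a == null ? (DateTime?)null
        : DateTime.Parse(a.Value, CultureInfo.InvariantCulture,
              DateTimeStyles.AdjustToUniversal | DateTimeStyles.AssumeUniversal);

    // Latest time the SP should keep its own session alive for this assertion.
    public static DateTime SessionExpiry(XElement assertion, TimeSpan spMaxSession)
    {
        XElement authn = assertion.Element(Saml + "AuthnStatement")
            ?? throw new InvalidOperationException("No AuthnStatement in assertion");
        DateTime authnInstant = Utc(authn.Attribute("AuthnInstant"))
            ?? throw new InvalidOperationException("AuthnInstant is required");
        // Start from the SP's own policy, measured from when the user authenticated.
        DateTime expiry = authnInstant + spMaxSession;
        // Standard optional bound the IdP may place on the SP session.
        DateTime? idpBound = Utc(authn.Attribute("SessionNotOnOrAfter"));
        if (idpBound < expiry) expiry = idpBound.Value;
        // Hypothetical custom attribute carrying a timeout in whole minutes.
        string minutes = assertion.Descendants(Saml + "Attribute")
            .Where(a => (string)a.Attribute("Name") == "SessionTimeoutMinutes")
            .Select(a => (string)a.Element(Saml + "AttributeValue"))
            .FirstOrDefault();
        if (int.TryParse(minutes, NumberStyles.None, CultureInfo.InvariantCulture, out int m)
            && authnInstant.AddMinutes(m) < expiry)
            expiry = authnInstant.AddMinutes(m);
        return expiry;
    }

    static void Main()
    {
        // Constructed sample assertion (unsigned, trimmed to the relevant elements).
        XElement assertion = XElement.Parse(@"
<Assertion xmlns='urn:oasis:names:tc:SAML:2.0:assertion'>
  <AuthnStatement AuthnInstant='2017-12-13T09:00:00Z' SessionNotOnOrAfter='2017-12-13T17:00:00Z'/>
  <AttributeStatement><Attribute Name='SessionTimeoutMinutes'><AttributeValue>240</AttributeValue></Attribute></AttributeStatement>
</Assertion>");
        Console.WriteLine(SessionExpiry(assertion, TimeSpan.FromHours(12)).ToString("u"));
    }
}
```

The SP would use the returned time as the upper limit for its own authentication cookie; whether `SessionNotOnOrAfter` or a custom attribute is present depends on how the IdP is configured.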