Monday, 18 July 2022

SAML IDP cookie & session vs SP && SLO

 https://stackoverflow.com/questions/47113383/sso-should-sp-validate-session-with-idp-in-every-request



As per the SP-initiated SSO flow, the user tries to access the SP. Since the user is unauthenticated, he is redirected to the IDP where he enters his credentials; after a successful login, the IDP sets cookies in the user's browser (under the IDP's domain) and redirects the user back to the SP with a SAML response. Once the SP verifies the SAML response, it creates its own cookie/token and sets it in the user's browser under the SP's domain.


  1. Should the SP rely only on its own cookie to fetch user info?
  2. Should the SP validate the user session with the IDP in every request?


If option 1 is advised, is it OK from a security point of view that, post login, there is no communication between the SP and the IDP for further requests?

[ME] Yes, it should be the responsibility of the SP to validate the cookie (either encrypted with all the details in it, or referenced through an ID pointing to a persistent storage area). The IDP's job is to provide identity, and that's done already.

If option 2 is advised, there would be the overhead of calling the IDP on every request, which might impact the performance of the SP.

[ME] Yes, that would be too much: validating the user session with the IDP on every request. The way it works is: if the SP session has been invalidated or is being created, go to the IDP; if the IDP cookie/session is valid, the IDP gives a SAML response/assertion, or authenticates the user if not; finally the SP creates a new session.



When Single Logout is initiated:

  1. The SP sends an SLO request to the IDP; the IDP invalidates all sessions between the IDP and the user.
  2. The IDP then sends an HTTP GET request back to the SP.
  3. The SP invalidates all sessions/tokens between the SP and the user.

"If your identity provider supports it, you can set up SAML single logout (SLO). Single logout is only supported by SAML 2.0. When a user initiates a logout, the identity provider logs the user out of all applications in the current identity provider login session."

https://docs.oracle.com/en/cloud/saas/marketing/eloqua-user/Help/SingleSignOn/SingleLogout.htm#:~:text=If%20your%20identity%20provider%20supports,current%20identity%20provider%20login%20session.
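To make the SP-side model concrete (option 1 above plus the SLO steps), here is an added example that is not part of the original post or of any SAML library: the SP keeps its own server-side session keyed by an HMAC-signed cookie, validates that cookie locally on every request with no call to the IDP, and uses the assertion's SessionIndex to find and drop sessions when a LogoutRequest arrives. The storage layout, the `_idx` values and the 8-hour TTL are constructed assumptions.

```python
import hmac, hashlib, time, secrets

# Constructed example of the SP's own session handling. Once the SAML response has
# been verified, the SP trusts only this state; the IdP is not consulted per request.
SECRET = secrets.token_bytes(32)   # SP cookie-signing key (per-deployment secret)
SESSION_TTL = 8 * 3600             # assumed SP session lifetime in seconds

sessions = {}          # sid -> {"user", "session_index", "expires"}
by_session_index = {}  # IdP SessionIndex -> set of SP sids (needed for SLO)

def _sign(sid):
    return hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()

def create_session(user, session_index, now=None):
    """Called after the SP has verified the SAML response (signature, audience,
    conditions). Returns the value to set in the SP-domain cookie."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": user, "session_index": session_index,
                     "expires": now + SESSION_TTL}
    by_session_index.setdefault(session_index, set()).add(sid)
    return f"{sid}.{_sign(sid)}"

def validate_cookie(cookie, now=None):
    """Per-request check, local only. Returns the user, or None, in which case
    the caller starts a fresh SP-initiated SSO round trip to the IdP."""
    now = time.time() if now is None else now
    try:
        sid, mac = cookie.split(".", 1)
    except (AttributeError, ValueError):
        return None                                  # malformed cookie
    if not hmac.compare_digest(mac, _sign(sid)):     # forged or tampered cookie
        return None
    s = sessions.get(sid)
    if s is None or s["expires"] <= now:             # logged out or expired
        sessions.pop(sid, None)
        return None
    return s["user"]

def handle_slo(session_index):
    """LogoutRequest from the IdP carries the SessionIndex of the original
    assertion, so the SP can invalidate every session it created for it."""
    for sid in by_session_index.pop(session_index, set()):
        sessions.pop(sid, None)
```

Per-request cost is one HMAC and one dictionary lookup, which is the performance argument for option 1; SLO still works because the SP indexed its sessions by the IdP's SessionIndex at login time.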
