How can I refresh SAML assertion information from a WSO2 Identity Server?

I'm building SAML 2.0 based authentication for a web application. The authentication is done against a WSO2 Identity Server (WSO2-IS). I have managed to get the actual authentication working using HTTP redirects. However, now I'm having issues trying to "refresh" the authentication information from the Identity Server.

The problem is that the assertions the WSO2-IS is returning have a lifetime of only 5 minutes. So based on this, I should get a new assertion from the WSO2-IS every 5 minutes. However, I have found no other way to do this against the WSO2-IS than doing yet another round of redirects. Redirecting the user somewhere else every five minutes is not very user friendly.

SAML 2.0 specifies an AuthnQuery request, which is supposed to be done using SOAP over HTTP. If I've understood correctly, the AuthnQuery would be exactly what I need to re-request assertion information for the user, but to me it seems that the WSO2-IS does not support this request.

So, the question is, how would I be able to refresh (or re-request) the assertion information from the WSO2 Identity Server without having to redirect the user away from the page they are currently accessing?

Pauli Kaila asked Nov 12 '22 12:11


1 Answer

The answer is to be found in the SAML profile specification under Web Browser SSO Profile -> Usage and Message Processing Rules:

"The bearer <SubjectConfirmation> element described above MUST contain a <SubjectConfirmationData> element that contains a Recipient attribute containing the service provider's assertion consumer service URL and a NotOnOrAfter attribute that limits the window during which the assertion can be delivered."

NotOnOrAfter is the time at which the message has to have been delivered.

What you should consider is the attribute SessionNotOnOrAfter in AuthnStatement if it is present.

"If an <AuthnStatement> used to establish a security context for the principal contains a SessionNotOnOrAfter attribute, the security context SHOULD be discarded once this time is reached, unless the service provider reestablishes the principal's identity by repeating the use of this profile."

SAML profile spec

Stefan Rasmusson answered Dec 21 '22 23:12
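The distinction the answer draws, shown as service-provider-side validation code (an added example, not code from the answer or from WSO2-IS): the short NotOnOrAfter window only gates acceptance of the assertion on delivery, while SessionNotOnOrAfter, when present, is what bounds the user's session. The assertion XML, the ACS URL and the timestamps below are constructed for illustration.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion (not a real WSO2-IS response): the bearer
# confirmation expires 5 minutes after issue, the session after 8 hours.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" IssueInstant="2022-11-12T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test/samlsso</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.test/acs"
          NotOnOrAfter="2022-11-12T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2022-11-12T12:00:00Z" SessionIndex="s1"
      SessionNotOnOrAfter="2022-11-12T20:00:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    # SAML timestamps are xs:dateTime in UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_assertion(xml_text, now, acs_url):
    """Return (accept_now, session_valid_until).

    accept_now applies the delivery rules: the bearer confirmation must name
    our ACS URL and `now` must be before NotOnOrAfter.  session_valid_until is
    SessionNotOnOrAfter from the AuthnStatement, or None when the IdP sent
    none (then session length is the service provider's own policy).
    """
    root = ET.fromstring(xml_text)
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None or data.get("Recipient") != acs_url:
            return False, None
        if now >= parse_saml_time(data.get("NotOnOrAfter")):
            return False, None          # delivery window closed
        authn = root.find("saml:AuthnStatement", NS)
        end = authn.get("SessionNotOnOrAfter") if authn is not None else None
        return True, (parse_saml_time(end) if end else None)
    return False, None                  # no bearer confirmation at all


def session_active(session_valid_until, now):
    # Keep the security context until SessionNotOnOrAfter; with none given,
    # the SP decides (here: keep it), so no 5-minute re-authentication needed.
    return session_valid_until is None or now < session_valid_until
```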