I'm building SAML 2.0 based authentication to a web application. The authentication is done against an WSO2 Identity Server (WSO2-IS). I have managed to get the actual authentication working using HTTP redirects. However now I'm having issues trying to "refresh" the authentication information from the Identity Server.
The problem is that the assertions the WSO2-IS is returning have only a lifetime of 5 minutes. So based on this, I should get a new assertion from the WSO2-IS every 5 minutes. However I have found no other way to do this against the WSO2-IS than doing yet another round of redirects. Redirecting the user somewhere else every five minutes is not very user friendly.
SAML 2.0 specifies an AuthnQuery request, which is supposed to be done using SOAP over HTTP. If I've understood correctly, the AuthnQuery would be exactly what I need to re-request assertion information for the user, but to me it seems that the WSO2-IS does not support this request.
So, the question is, how would I be able to refresh (or re-request) the assertion information from the WSO2 Identity Server without having to redirect the user away from the page they are currently accessing?
The answer is to be found in the SAML proile speciefication under Web browser SSO profile -> Usage and Message Processing Rules.
The bearer element described above MUST contain a element that contains a Recipient attribute containing the service provider's assertion consumer service URL and a NotOnOrAfter attribute that limits the window during which the assertion can be delivered
NotOnOrAfter is the time at which the message has to have been delivered.
What you should consider is the attribute SessionNotOnOrAfter
in AuthnStatement
if it is present.
If an used to establish a security context for the principal contains a SessionNotOnOrAfter attribute, the security context SHOULD be discarded once this time is reached, unless the service provider reestablishes the principal's identity by repeating the use of this profile.
SAML profile spec
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With