SSO : Should SP validate session with IDP in every request

As per the SP-initiated SSO flow, the user tries to access the SP. Since the user is unauthenticated, he is redirected to the IDP, where he enters his credentials. After a successful login, the IDP sets cookies in the user's browser (under the IDP's domain) and redirects the user back to the SP with a SAML response. Once the SP verifies the SAML response, it creates its own cookie/token and sets it in the user's browser under the SP's domain.

What should ideally happen in subsequent requests :

  1. Should the SP rely only on its own cookie to fetch user info?
  2. Should the SP validate the user session with the IDP on every request?

If option 1 is advised, is it OK from a security point of view, as post-login there is no communication between the SP and the IDP for further requests?

If option 2 is advised, there would be overhead in calling the IDP on every request, which might impact the performance of the SP.

Please suggest what should be the ideal flow here.

Saurabh Agrawal asked Nov 04 '17 17:11


2 Answers

If option 1 is advised, is it OK from a security point of view, as post-login there is no communication between the SP and the IDP for further requests?

[ME] Yes, it should be the responsibility of the SP to validate the cookie (maybe encrypted with all the details in it, or referenced through an ID pointing to a persistent storage area). The IDP's job is to provide identity, and that's done already.

If option 2 is advised, there would be overhead in calling the IDP on every request, which might impact the performance of the SP.

[ME] Yes, that would be too much, to validate the user session with the IDP on every request. The way it works is: if the SP session has been invalidated or is being created, go to the IDP; if the IDP cookies/session are valid, it gives a SAML response/assertion, or authenticates the user if not; finally the SP creates a new session.

HTH.

WZee answered Oct 12 '22 23:10
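
As an added illustration of option 1 as described in the answer above (example code, not from the original post): the SP mints its own HMAC-signed cookie after verifying the SAML response and validates it locally on every request, starting a new SSO round trip only when the cookie is missing, tampered with or expired. The assertion field names (`name_id`, `issuer`, `session_not_on_or_after`) and the key are assumptions standing in for what the SP extracted from the validated assertion.

```python
import base64
import hashlib
import hmac
import json

# Constructed example key; a real SP generates this at deploy time and keeps
# it out of source control.
SP_SECRET = b"constructed-sp-session-key-0123456789abcdef"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_sp_session(assertion: dict, now: float, max_age: int = 3600) -> str:
    """Build the SP's own cookie once the SAML response has been verified.

    `assertion` holds fields already extracted from the validated assertion
    (hypothetical names). Expiry is capped by the IdP's SessionNotOnOrAfter
    when present, so the SP session never outlives the IdP authentication.
    """
    exp = now + max_age
    if "session_not_on_or_after" in assertion:
        exp = min(exp, assertion["session_not_on_or_after"])
    payload = {"sub": assertion["name_id"], "idp": assertion["issuer"], "exp": int(exp)}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = _b64(hmac.new(SP_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def check_sp_session(cookie: str, now: float):
    """Validate the SP cookie locally, with no round trip to the IdP.

    Returns the payload for an authentic, unexpired cookie, or None when the
    SP must instead start a fresh SP-initiated SSO exchange.
    """
    try:
        body, tag = cookie.split(".", 1)
        expected = hmac.new(SP_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag), expected):  # constant-time compare
            return None
        payload = json.loads(_unb64(body))
        if payload["exp"] <= now:
            return None
        return payload
    except (ValueError, KeyError):  # malformed cookie, bad base64, missing field
        return None
```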


So the user has been authorized/authenticated by the identity provider. Are you afraid that this authorization/authentication might suddenly expire? For example, maybe the IdP belongs to the user's employer, and when the user is fired it is critical that access to the SP is revoked immediately as well? Or perhaps the user finds out that his credentials have been stolen and therefore closes/blocks his IdP account; do you want to be able to stop your SP session as well? You can only do these things in Option 1, so this is the more secure option.

As you rightfully say, that comes with a lot of overhead. So the question is basically how important it is for you that your SP session gets terminated immediately once the user's IdP account gets revoked.

By the way, what I don't like is that the IdP is storing the session in a cookie. In my opinion he shouldn't do that, especially not if you implement option 2. The reason for that is that this makes logging out very tricky: the user should now remember to log out at both the SP and the IdP, while he only needed to log in once.

Matthijs Melissen answered Oct 13 '22 00:10