
I'm working to integrate SAML SSO into an older PHP application. I am using simplesamlphp to set up my service provider and for testing purposes, I have a OneLogin dev account set up with a "SAML Test Connector (IdP w/attr)" test application as my IdP. I can successfully sign in, and I can log the user out using single log out. What I'm currently lost with is how the IdP communicates changes such as forced sign out and removing access to the application.

I had assumed that OneLogin would send a request to the URL I provide as the "Single Logout URL" once I forced a user to sign out or removed their privileges to the application along with enough data to identify the user. I would then expire that user's session in the service provider and everything would be good. But OneLogin isn't sending that request like I am expecting (it is only called after I initiate a single logout process on my end). The other option would seem to be me sending requests to OneLogin to validate the session frequently, but that seems inefficient.

What is the proper method for acquiring session/privilege updates from SAML?

Josh

1 Answer


From what I read, you don't get updates; you ask the IdP about them (request a user login or logout, which will check the user's status): http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#5.3.Single%20Logout%20Profile|outline

I don't think simplesamlphp would act as a kind of enforcer of policies: you log in as a user, and you get your cookie until it expires.

I know you can set the session cookie duration to a reasonable value in config.php of simplesamlphp; try that.

Karol Flis
  • That's what I was worried about. The client is under the impression that they can just disable a user and it will immediately log them out of our system as well, but as far as I can tell... there isn't a mechanism for that. But SAML documentation is way more complicated than I would hope so I was thinking I missed something. – Josh Feb 27 '18 at 21:39
  • You are talking about a front-channel logout request via the web browser, and thus it must be done in the browser session of the user, which you can't intervene in. The SAML spec has a back-channel logout profile which uses SOAP to do logout. Using SOAP, an IdP can initiate a logout request to an SP. However, this means that the IdP must support SOAP logout and your SP must also support it. Using some sort of database to store sessions is necessary too, which is cumbersome. – Thuan Mar 01 '18 at 05:00
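The approach the answer describes, as an added example (not code from the question, the answer, or simplesamlphp): instead of waiting for OneLogin to push a "user disabled" event, the SP keeps its own session short and sends the user back to the IdP with ForceAuthn once the assertion is older than a chosen age, so an account disabled at the IdP fails re-authentication rather than riding a stale SP session. It assumes simplesamlphp installed under /var/simplesamlphp, an SP auth source named 'default-sp', the 'AuthnInstant' auth-data key, and an IdP that honours ForceAuthn; the attribute name 'User.email' is also an assumption.

```php
<?php
// Added example: short SP session plus periodic forced re-authentication at the IdP.
// Pair MAX_ASSERTION_AGE with a short 'session.duration' in simplesamlphp's
// config.php so the SP-side session itself cannot outlive this window.
require_once '/var/simplesamlphp/lib/_autoload.php'; // install path is an assumption

use SimpleSAML\Auth\Simple;

// Maximum age (seconds) of the IdP assertion before the user must re-authenticate.
const MAX_ASSERTION_AGE = 15 * 60;

function requireFreshLogin(Simple $as, int $maxAge = MAX_ASSERTION_AGE): array
{
    // No SP session at all: normal login redirect (requireAuth() does not return
    // until the user is authenticated).
    $as->requireAuth();

    // When the IdP asserted this user. Assumption: simplesamlphp's session store
    // records this under the 'AuthnInstant' auth-data key at login time.
    $authnInstant = (int) ($as->getAuthData('AuthnInstant') ?? 0);

    if (time() - $authnInstant > $maxAge) {
        // Assertion too old: send the user back to the IdP with ForceAuthn so it
        // re-verifies credentials and account status. A user disabled at the IdP
        // fails here instead of keeping access through the old SP session.
        // ReturnTo defaults to the current URL, so the user lands back here.
        $as->login(['ForceAuthn' => true]);
        // login() redirects and exits; this line is never reached.
    }

    return $as->getAttributes();
}

// Usage inside a protected page of the legacy application.
$as = new Simple('default-sp');           // auth source name is an assumption
$attributes = requireFreshLogin($as);
$user = $attributes['User.email'][0] ?? 'unknown'; // attribute name is an assumption
echo 'Signed in as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

This does not give instant revocation; it bounds the exposure to MAX_ASSERTION_AGE, which is the trade-off the answer and comments describe when no back-channel (SOAP) logout is available.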