
I'm using passport-saml/multiSamlStrategy (using the IdP-initiated flow only, if that matters somehow).

I want to verify periodically that the user is still logged in to the IdP and log him out in case he isn't.
The problem is that req.isAuthenticated() always returns true since it considers only the session of the web app and not the IdP session.

In case the user connects directly to the IdP and logs himself out from the IdP, I would expect req.isAuthenticated() to return false.

How can I achieve that? Is that possible?

TomG

1 Answer

From the SAML protocol perspective: there's no way to determine if the session is alive at the IdP.

The closest approximation involves the Single Logout (SLO) profile in SAML. If both the identity provider and the service provider (your app) support SLO, the IdP could have a Logout button that works like this:

  1. After clicking Logout in the IdP, the IdP sends a LogoutRequest message to all service providers asking them to terminate their sessions.
  2. At roughly the same time, the IdP terminates its own session.

SLO might work under a number of carefully curated assumptions. In practice there are a number of issues with "single logout". The top two problems are the asynchronous nature of the protocol and the "ownership" of (what is essentially) a shared authentication context in a multi-SP scenario. This Stanford article does a good job of outlining some of these concerns. This is why SLO is rarely used, and the recommended option for service providers is to manage their own session only, without thinking about the IdP.

identigral
  • SLO is for the IdP to initiate logout from the SP. What I asked is how from the SP I can check if there is still a valid session in the IdP. I understand it's not possible, that's what I thought. Thanks! – TomG Aug 15 '19 at 05:04
  • SP can initiate it too. Your goal: _I want to verify periodically that the user is still logged in to the IdP and logging him out in case he isn't_. SP-initiated SLO does accomplish this goal in a roundabout way. – identigral Aug 15 '19 at 05:22
  • How SLO will achieve that? It will logout the user, I don't want to logout, just to verify he is still logged in to the IdP and keep him logged in to my app if he is. – TomG Aug 15 '19 at 06:01
  • There are two possibilities: 1) the user is logged in at IdP or 2) they are not. If (1), SP-initiated SLO will terminate IdP session. If (2), nothing happens. Result: user is logged out in case he still has a session at IdP. – identigral Aug 15 '19 at 06:04
  • so (1), SLO will terminate the IdP session - this is exactly what I don't want. In case (1) I want to know this info (that he is still logged in at IdP) and keep him logged in at my app as well. – TomG Aug 15 '19 at 06:09
  • I keep reading _logging him out in case he isn't_ as _logging him out from IdP in case he isn't_, oops. To terminate the SP session if IdP is gone, IdP-init SLO is the only standard solution and, yes, it's a poor one. – identigral Aug 15 '19 at 06:22
  • So it's not possible to initiate just a "session check" to the IdP from the SP. That's what I thought. Thanks :) – TomG Aug 15 '19 at 06:27
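The SP side of the IdP-initiated SLO flow described in the answer, as an added example that is not code from the question or from passport-saml: an in-memory session registry (standing in for express-session), a LogoutRequest parser, and a handler that terminates only the matching local sessions while honouring the request's NotOnOrAfter. The regex extraction and the sample request are constructed for the demo; real code must verify the request signature and parse it with a proper XML parser before trusting any field.

```javascript
// Added example (not from the question or from passport-saml): the SP side of the
// IdP-initiated SLO flow in the answer. The Map stands in for express-session; the
// regex extraction is for the demo only. Real code must verify the LogoutRequest
// signature and use a proper XML parser before trusting any of these fields.
const spSessions = new Map(); // sid -> { nameId, sessionIndex }

// At login, remember the IdP-issued NameID and SessionIndex from the assertion
// so a later LogoutRequest can be matched to the local session(s).
function registerLogin(sid, nameId, sessionIndex) {
  spSessions.set(sid, { nameId, sessionIndex });
}

// Extract NameID, optional SessionIndex and optional NotOnOrAfter.
function parseLogoutRequest(xml) {
  const nameId = /<(?:\w+:)?NameID\b[^>]*>([^<]+)<\/(?:\w+:)?NameID>/.exec(xml);
  const idx = /<(?:\w+:)?SessionIndex\b[^>]*>([^<]+)<\/(?:\w+:)?SessionIndex>/.exec(xml);
  const exp = /\bNotOnOrAfter="([^"]+)"/.exec(xml);
  if (!nameId) throw new Error('LogoutRequest carries no NameID');
  return { nameId: nameId[1].trim(), sessionIndex: idx ? idx[1].trim() : null,
           notOnOrAfter: exp ? new Date(exp[1]) : null };
}

// Terminate the local sessions the request names. No SessionIndex means every
// session of that principal. An unknown session is not an error: SLO is
// asynchronous and the SP session may already have expired, yet the IdP still
// expects a Success LogoutResponse. Returns the session ids that were destroyed.
function handleLogoutRequest(xml, now = new Date()) {
  const req = parseLogoutRequest(xml);
  if (req.notOnOrAfter && now >= req.notOnOrAfter) {
    return { accepted: false, destroyed: [] }; // stale request, refuse it
  }
  const destroyed = [];
  for (const [sid, s] of spSessions) {
    if (s.nameId === req.nameId &&
        (req.sessionIndex === null || s.sessionIndex === req.sessionIndex)) {
      spSessions.delete(sid);
      destroyed.push(sid);
    }
  }
  return { accepted: true, destroyed };
}

// Constructed sample; on the wire it arrives base64 (and, for HTTP-Redirect,
// deflate) encoded in the SAMLRequest parameter.
const SAMPLE_LOGOUT_REQUEST =
  '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' +
  'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" ' +
  'IssueInstant="2019-08-15T06:00:00Z" NotOnOrAfter="2019-08-15T06:10:00Z">' +
  '<saml:NameID>alice@example.com</saml:NameID>' +
  '<samlp:SessionIndex>idx-1</samlp:SessionIndex></samlp:LogoutRequest>';
```

Wire this into the route that receives the SAMLRequest parameter and reply with a LogoutResponse carrying the Success status whenever `accepted` is true, even if `destroyed` is empty.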