0

I am integrating my client's organization authentication in to one of their web application via ADFS. I integrated the Cognito pool with ADFS and the authentication seem to happen fine. However, I have the following question:

When attempting the fresh login, the ADFS authentication server screen pops up. The user enters the credential and gets redirected to the designated redirect URI.

However, on subsequent attempts the user is not asked for any credentials even after I cleared all the token data from Local Storage. The cookie for the document are also cleared.

Although, this seems like a desired behaviour I would still like to know how it happens. Does Cognito cache some kind of ID data somewhere. I tried searching for something like this but didn't find any related article.

Saurabh Tiwari
  • 4,632
  • 9
  • 42
  • 82

1 Answers1

0

"Does Cognito cache some kind of ID data somewhere"?

No, ADFS does.

There is a client-side cookie and a server-side cookie.

Let's say the ADFS timeout is set to 8 hours.

So you log in the first time, and cookies are created on both sides.

Now on the client-side, the access token expires (assuming OIDC) and the client sends a refresh token. ADFS checks its cookie has not expired and then sends a new access token.

As long as the ADFS side has not expired, you get SSO.

Just for completeness, when you log out, ADFS clears its cookie. When the client-side receives the logout response, it clears its cookie.

Now you have to re-authenticate.

rbrayb
  • 46,440
  • 34
  • 114
  • 174
  • This makes sense. Do you have any idea where this is documented. May be I can read more around this for my understanding. – Saurabh Tiwari Feb 21 '22 at 07:19
  • https://stackoverflow.com/questions/14867613/adfs-2-0-time-out-and-relation-between-freshness-value-tokenlifetime-and-webssol – rbrayb Feb 21 '22 at 08:55
  • https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-single-sign-on-settings – rbrayb Feb 21 '22 at 08:55