Refresh Session in spring security SAML - java

We are using the Spring SAML extension to provide support for SSO to our customers. It's working fine with our dev environment IDP (Okta). However, one of our clients is using Tivoli as IDP and we are running into a problem where, after a certain amount of time, users start getting an "unable to authenticate" error.
Based on our research we found out that Tivoli is setting the SessionNotOnOrAfter attribute, as in
<saml:AuthnStatement AuthnInstant="2015-09-14T20:14:14Z" SessionIndex="xxxx" SessionNotOnOrAfter="2015-09-14T21:14:14Z">, in our SAML assertion response.
I would like to know what options we have as SP to handle this scenario. Should we prompt users to re-authenticate whenever they run into this issue, or is there a way we can set up our application so that it refreshes the session automatically?
Thanks
Sahil

This SessionNotOnOrAfter attribute will expire the payload. The SP should not receive the same payload forever; if so, there will be a lot of chance for a man-in-the-middle attack.
The SP should implement KeepAlive functionality to ping back the IDP, asking it to extend the session of the same payload, so the IDP can update this attribute with the current date and time stamp.
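An added example, not from the question, the answer or the Spring SAML extension itself, showing how an SP can honour SessionNotOnOrAfter with plain JDK and Servlet API classes: read the attribute out of the AuthnStatement, cap the local HttpSession timeout to the lifetime the IdP declared, and on every request check whether that lifetime has passed so the user is sent back to the IdP to re-authenticate instead of hitting an unexplained error. The class name SamlSessionGuard, the session attribute name and the /saml/login entry point are assumptions; with the Spring SAML extension you would take the same value from the authentication assertion in the SAMLCredential rather than from raw XML.

```java
import java.io.IOException;
import java.io.StringReader;
import java.time.Duration;
import java.time.Instant;
import java.util.Optional;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class SamlSessionGuard implements Filter {
    static final String SAML_SESSION_EXPIRY = "saml.sessionNotOnOrAfter"; // assumed attribute name
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** SessionNotOnOrAfter of the first AuthnStatement in the assertion, empty if the IdP did not set it. */
    static Optional<Instant> sessionNotOnOrAfter(String assertionXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The assertion is attacker-influenced input: no DOCTYPE, no external entities
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        Element root = f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(assertionXml))).getDocumentElement();
        NodeList stmts = root.getElementsByTagNameNS(SAML_NS, "AuthnStatement");
        if (stmts.getLength() == 0) return Optional.empty();
        String value = ((Element) stmts.item(0)).getAttribute("SessionNotOnOrAfter");
        return value.isEmpty() ? Optional.empty() : Optional.of(Instant.parse(value));
    }

    /** Call once after a successful SAML login: the local session must not outlive the IdP session. */
    static void bindSession(HttpSession session, String assertionXml, Instant now) throws Exception {
        Optional<Instant> expiry = sessionNotOnOrAfter(assertionXml);
        if (!expiry.isPresent()) return;                      // IdP set no limit; keep the app default
        session.setAttribute(SAML_SESSION_EXPIRY, expiry.get());
        long remaining = Duration.between(now, expiry.get()).getSeconds();
        int current = session.getMaxInactiveInterval();       // <= 0 means "never" in the Servlet API
        long capped = current > 0 ? Math.min(remaining, current) : remaining;
        session.setMaxInactiveInterval((int) Math.max(1, capped));
    }

    /** Per request: an expired IdP session ends the local one and restarts SSO. */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);
        if (session != null) {
            Instant expiry = (Instant) session.getAttribute(SAML_SESSION_EXPIRY);
            if (expiry != null && !Instant.now().isBefore(expiry)) {
                session.invalidate();
                // Assumed entry point that starts a fresh AuthnRequest to the IdP
                ((HttpServletResponse) res).sendRedirect(request.getContextPath() + "/saml/login");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig config) throws ServletException {}
    public void destroy() {}

    public static void main(String[] args) throws Exception {
        // Constructed assertion fragment mirroring the AuthnStatement quoted in the question
        String assertion = "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\">"
                + "<saml:AuthnStatement AuthnInstant=\"2015-09-14T20:14:14Z\" SessionIndex=\"xxxx\""
                + " SessionNotOnOrAfter=\"2015-09-14T21:14:14Z\"/></saml:Assertion>";
        Instant expiry = sessionNotOnOrAfter(assertion).orElseThrow(IllegalStateException::new);
        Instant issued = Instant.parse("2015-09-14T20:14:14Z");
        System.out.println("IdP session lifetime: " + Duration.between(issued, expiry).toMinutes() + " minutes");
    }
}
```

Register the filter ahead of the application's own filters so the check runs before any protected resource. SAML 2.0 has no standard keep-alive that an SP can send to extend SessionNotOnOrAfter, so the practical choice is the one the code makes: let the local session end when the IdP says it ends, and rely on the IdP's own session (still valid, with Tivoli's one-hour window, if the user is active there) to make the redirect through /saml/login a silent re-authentication.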

Related

Oauth2 refresh tokens

Right now, my company runs a Java app that uses IMAP and SMTP to read/send e-mails without user interaction. The authentication protocol we use is Basic Authentication.
Microsoft has announced end-of-support for Basic Authentication, which will be replaced by OAuth2. Unfortunately, they did not provide a clear solution for applications without user interaction.
https://learn.microsoft.com/en-gb/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
One of my ideas is to have users authenticate themselves (using the OAuth2 authorization code flow) just once, the first time they start the service. Then refresh tokens will be used to get access tokens without user interaction. It is very important that the connection is not broken because of short expiration dates or revocations. There will probably be nobody around to re-authenticate if the app is unable to get new access tokens.
I cannot seem to find any information about expiry dates for these tokens (or whether it is possible to set them). The ideal would be that they never expire...
Does anyone know more about this? It would help me a lot to know whether my idea is a viable approach.
Access tokens can be automatically refreshed. But to be more provider specific, I did find some info on refresh token expiry here:
https://learn.microsoft.com/en-us/linkedin/shared/authentication/programmatic-refresh-tokens
According to this link, LinkedIn access and refresh tokens expire after a max of 365 days.
Also, if you see this link, it says that the refresh token expires in 90 days if inactive but doesn't say anywhere that it will expire if active.
https://learn.microsoft.com/en-us/office365/enterprise/session-timeouts
Can you provide a reference to the API that you are trying to use so that I can find some more info on it (maybe)?

How to fix User Impersonation in Java Web Application?

I have a Java web application using Struts 1.x. Recently my application went through penetration testing and our testers found some security holes. Let me explain. In my application I have 2 users called 'Admin' and 'user'. First our pentester logged in to my application as 'Admin' and used the Burp tool to intercept the request, copy the whole request content into Notepad and then forward the request. Now my application is logged in as 'Admin'. They used another browser instance to log in as 'user' and used the Burp tool to intercept the request. This time they removed the whole request content, copied back the whole request content of 'Admin' and then forwarded the request. Now my application logged in as 'Admin' without asking for any user id/password. How do I restrict this situation? I already store the userid in my session variable after successful login of each user. The moment they intercept the request and copy the 'Admin' request content, my session variable userid also changes to 'Admin'. How do I validate this situation? Your help is really appreciated.
That is not really that much of an issue, since the first part, "copy the whole request content", is not easily doable if you have a proper HTTPS / SSL connection. That only works if the PC the user is logged in on as an admin is compromised, in which case there is nothing you can do about it anyway, because they can just sniff the keystrokes and get the plain password.
If on the other hand you communicate without the S, namely just HTTP, then the solution is: get a certificate and switch to HTTPS.
Apart from that, your application can pin a session to an IP, which means if the session id / cookie is stolen and someone else uses it, you can detect an IP mismatch and ask for credentials again.
To prevent direct replay attacks like copying the request and sending it again, you can introduce a hash that incorporates the timestamp, or alternative measures; see How do I prevent replay attacks?. The problem however is that copying the entire request means copying the cookies as well, and if the "admin" cookie is copied this measure will not prevent you from "generating" a new hash based on the now-admin user.
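An added example, not from the question or the answer, of the session-pinning mitigation the answer describes, written for a plain servlet application such as the Struts 1.x one in the question. At login the pre-login session is discarded and a fresh one created, and a hash of the client's remote address and User-Agent is stored alongside the userid the question already keeps; a filter then refuses any request that presents that session from a different client and forces a new login. Class names, attribute names and the /login.jsp path are assumptions. The trade-off the answer mentions applies: users behind NAT or on mobile networks change address mid-session, so a mismatch should trigger re-authentication, not be treated as proof of an attack.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionBindingFilter implements Filter {
    static final String USER_ID = "userid";                  // attribute the question already stores
    static final String FINGERPRINT = "session.fingerprint"; // assumed attribute name

    /** Hash of the client as the server sees it, so raw address / UA are not kept in the session. */
    static String fingerprint(HttpServletRequest request) {
        String ua = request.getHeader("User-Agent");
        String raw = request.getRemoteAddr() + "|" + (ua == null ? "" : ua);
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(raw.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Call from the login action after the credentials have been verified. */
    static void onLoginSuccess(HttpServletRequest request, String userId) {
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();               // never carry a pre-login session id into the login
        HttpSession session = request.getSession(true);  // fresh id: a cookie captured before login is useless
        session.setAttribute(USER_ID, userId);
        session.setAttribute(FINGERPRINT, fingerprint(request));
    }

    /** True when the session was established by this client; false when it looks transplanted. */
    static boolean sessionMatchesClient(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ID) == null) return true; // nothing to protect yet
        Object stored = session.getAttribute(FINGERPRINT);
        return stored != null && MessageDigest.isEqual(
                stored.toString().getBytes(StandardCharsets.UTF_8),
                fingerprint(request).getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!sessionMatchesClient(request)) {
            request.getSession(false).invalidate();      // the copied cookie now stops working for everyone
            response.sendRedirect(request.getContextPath() + "/login.jsp?reason=session"); // assumed page
            return;
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig config) throws ServletException {}
    public void destroy() {}
}
```

Two caveats worth stating. In the pentest as described, both browsers ran on the tester's own machine, so address and User-Agent were identical and this check alone would not have tripped; what it does stop is use of a copied cookie from a different client. And the check only helps if the cookie is hard to copy in the first place, which is the answer's HTTPS point: mark the session cookie Secure and HttpOnly (in web.xml under cookie-config, or in the Tomcat context) so it is neither sent in clear nor readable from script.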

Token based login and authentication in java

I want to know how token-based authentication is done in Java. I want that if I hit my application, the system should redirect to the login page, and once the user enters the credentials, the user shall be validated and authenticated. Once authenticated, a token should be generated which shall be handled between client and server. My concern is: once the token is generated, how is it passed to the client, and how does the client send it back to the server on every request? I know that it has to be set in a header. But my question is how exactly. I know we have Spring and all, but I want to know how it is done using JSP and servlets.
I went across a few websites but unfortunately could not find the expected result. A small demonstration would be very helpful. Thanks in advance.
There is no such authentication token. There is a session token defined in the J2EE Web Application server standard (https://docs.oracle.com/cd/E19644-01/817-5451/dwsessn.html). Once the JSESSIONID is established between server and client it is used to manage the user.
For example, if you build your own authentication system you can bind the JSESSIONID with user login attempts, and keep a list of JSESSIONIDs which have logged in successfully. This is basically what authentication frameworks do.
Also, you can check this: Under what conditions is a JSESSIONID created? and this: Spring Security FAQ

Serverside OAuth Login

I am getting confused.
I have to write a Java server application for a mobile application. We have our own user management in that application, meaning the user can register and log in on our servers without using an OAuth provider at all.
Now I want the user to be able to alternatively register via an OAuth provider.
These are the options I see:
Let the user register locally only.
Advantage:
The mobile applications can use the frameworks which are able to log in and retrieve an access token for our application
Everything is pre-styled by the platform itself, so no GUI work on that
Disadvantage:
How does the server know if the user is logged in or not? One way to figure that out could be to send the access token to the server and let the server start a request to the provider to check if the token is valid or not.
For the registration I have to send all user information which the client got from the provider to our servers.
I don't like this option, because I would send user data and access tokens around. Yes, it would be encrypted via HTTPS of course, but it just feels wrong.
Let the user register via our servers
The user requests the OAuth provider itself to retrieve the code with which you could request the access token.
Send this code to the server and let the server retrieve the access token.
Advantage:
The server can be sure now that the user is logged in
The server can retrieve all user-specific information about the user (such as username etc.) from the OAuth provider itself, without sending it around.
On a login you can repeat this, to make sure that the user is logged in correctly
Disadvantage:
I have to write the OAuth connectors (or use some library for that)
We are not able to use the SDKs, because they're just returning the actual access token.
We still prefer the first option (register locally only)
Because
they WANT to use the SDKs. "'cause everyone does it."
If the user starts the application for the first time and he was already logged in (with e.g. the FB client), he just has to accept the scopes we set up for our application.
Easier to handle the actual login, because the SDKs were made for it
Does anyone know how to do something like that correctly? Both solutions seem a bit wrong to me.
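An added example, not from either question on this page, that serves both OAuth2 threads: the server-side authorization-code exchange of the second option above (the client hands the server only the code, and the server talks to the provider), and the unattended refresh-token renewal the IMAP/SMTP question depends on. It speaks the token endpoint protocol from RFC 6749 (form-encoded POST with grant_type=authorization_code or grant_type=refresh_token) using java.net.http.HttpClient and nothing outside the JDK (Java 16+ for records). The token endpoint URL, client id and secret, and the persist callback are assumptions; JSON fields are pulled out with a minimal regex because the JDK ships no JSON parser, so substitute a real one in production. The refresh path handles the two failure modes that matter for a service with nobody at the keyboard: providers may rotate the refresh token, in which case the new one must be stored or the next refresh fails, and an invalid_grant response means the grant is gone and only an interactive login can replace it.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Map;
import java.util.function.Consumer;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class OAuthTokenClient {
    /** What the service keeps between runs; refreshToken may change on every refresh. */
    public record Grant(String accessToken, String refreshToken, Instant expiresAt) {}

    /** The refresh token is no longer accepted (invalid_grant): someone must log in interactively again. */
    public static class ReauthorizationRequired extends Exception {
        ReauthorizationRequired(String msg) { super(msg); }
    }

    private final HttpClient http = HttpClient.newHttpClient();
    private final URI tokenEndpoint;       // assumed, e.g. the provider's /oauth2/v2.0/token
    private final String clientId;         // assumed
    private final String clientSecret;     // assumed; the server is a confidential client
    private final Consumer<Grant> persist; // caller stores the (possibly rotated) grant durably

    public OAuthTokenClient(URI tokenEndpoint, String clientId, String clientSecret, Consumer<Grant> persist) {
        this.tokenEndpoint = tokenEndpoint; this.clientId = clientId;
        this.clientSecret = clientSecret; this.persist = persist;
    }

    /** Option 2 above: the mobile client sends only the code; the server exchanges it and keeps the tokens. */
    public Grant exchangeCode(String code, String redirectUri)
            throws IOException, InterruptedException, ReauthorizationRequired {
        Grant grant = post(Map.of("grant_type", "authorization_code", "code", code,
                "redirect_uri", redirectUri, "client_id", clientId, "client_secret", clientSecret));
        persist.accept(grant);
        return grant;
    }

    /** Returns a grant whose access token stays valid for at least marginSeconds, refreshing if needed. */
    public Grant ensureFresh(Grant current, long marginSeconds)
            throws IOException, InterruptedException, ReauthorizationRequired {
        if (current.expiresAt().isAfter(Instant.now().plusSeconds(marginSeconds))) return current;
        Grant renewed = post(Map.of("grant_type", "refresh_token", "refresh_token", current.refreshToken(),
                "client_id", clientId, "client_secret", clientSecret));
        // Rotating providers return a new refresh token; non-rotating ones omit it, so keep the old one
        if (renewed.refreshToken() == null)
            renewed = new Grant(renewed.accessToken(), current.refreshToken(), renewed.expiresAt());
        persist.accept(renewed);   // losing a rotated refresh token means an interactive login later
        return renewed;
    }

    private Grant post(Map<String, String> form)
            throws IOException, InterruptedException, ReauthorizationRequired {
        StringBuilder body = new StringBuilder();
        form.forEach((k, v) -> body.append(body.length() == 0 ? "" : "&")
                .append(URLEncoder.encode(k, StandardCharsets.UTF_8)).append('=')
                .append(URLEncoder.encode(v, StandardCharsets.UTF_8)));
        HttpRequest req = HttpRequest.newBuilder(tokenEndpoint)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body.toString())).build();
        HttpResponse<String> res = http.send(req, HttpResponse.BodyHandlers.ofString());
        String json = res.body();
        if (res.statusCode() != 200) {
            String error = field(json, "error");
            if ("invalid_grant".equals(error)) throw new ReauthorizationRequired(field(json, "error_description"));
            throw new IOException("token endpoint returned " + res.statusCode() + ": " + error);
        }
        String expiresIn = field(json, "expires_in");
        long seconds = expiresIn == null ? 3600 : Long.parseLong(expiresIn); // assumed default if omitted
        return new Grant(field(json, "access_token"), field(json, "refresh_token"), Instant.now().plusSeconds(seconds));
    }

    /** Flat-JSON field lookup (constructed shortcut for the token response; use a JSON parser for real). */
    static String field(String json, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*(?:\"([^\"]*)\"|(\\d+))").matcher(json);
        if (!m.find()) return null;
        return m.group(1) != null ? m.group(1) : m.group(2);
    }
}
```

For the mail service, call ensureFresh with a margin of a few minutes before every IMAP or SMTP connection and treat ReauthorizationRequired as an alert to an operator rather than a retry. Refresh and access token lifetimes are provider policy (the answer above quotes the Microsoft and LinkedIn figures) and no code can extend them; what the code can do is never lose a rotated refresh token and keep the grant in use, since inactivity is the expiry condition the answer found documented.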

Finding the Requested Server Host Ip?

I have an application (client application) hosted in a Tomcat server and this application has to be integrated as a tab in another application (parent application). In the parent application the user authentication is done. In the parent application HTML we are using an iframe to integrate the client. Everything is working fine except this: the problem is, if someone knows the URL they can access the client application directly. How can we avoid this? We are using Java, Servlets, HTML and Tomcat as technologies.
Thanks :)
One possible solution is token-based authentication.
The parent application should add a special token either as a URL parameter or as an HTTP header. The token should contain authentication information in encrypted form. The "client" application should extract the information and decide whether authentication passed or failed. In order to guarantee that no one can copy this token and then get unauthenticated access to your application, you should make the token one-time or limited in time range.
You can also use X-Frame-Options in your header. I found this article with some quick googling: http://www.jtmelton.com/tag/x-frame-options/
This will prevent your app from loading in frames except for the domains which you allow. You might check into browser compatibility; I'm not sure when this was implemented in different browsers.
Also, you can check the 'host' and 'referrer' header fields to check that requests are coming from a domain you trust before sending a response.
OAuth is the standard for authorizing third-party apps. You should check into that as an authentication approach.
None of these will give you a completely secure app. You should consider consulting with a security expert.
From the parent application add a cookie, and from the child application get that cookie and validate the user (if both are running on the same domain).
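An added example, not from any question or answer on this page, that serves two of the threads above: the servlet/JSP token login asked about under "Token based login and authentication in java" (how the token reaches the client and comes back on each request), and the signed, one-time or time-limited handoff token the first answer here proposes for the parent application to pass to the embedded one. The token is base64url(userId|expiry|nonce) followed by an HMAC-SHA256 tag over it; the login servlet returns it to the client, which sends it back in an Authorization: Bearer header, and for the iframe case the parent puts a short-lived copy on the iframe URL that the child accepts exactly once. TokenService, the secret source and the /embedded URL are assumptions; the two applications must share the secret for the handoff to verify.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;

public class TokenService {
    private final SecretKeySpec key;   // shared by issuer and verifier (parent and child application)
    private final Set<String> usedNonces = ConcurrentHashMap.newKeySet(); // one-time use for handoff tokens
    private final SecureRandom random = new SecureRandom();

    public TokenService(byte[] secret) { this.key = new SecretKeySpec(secret, "HmacSHA256"); }

    /** token = base64url(userId|expiryMillis|nonce) + "." + base64url(HMAC-SHA256 of the first part) */
    public String issue(String userId, long nowMillis, long ttlMillis) {
        if (userId.contains("|")) throw new IllegalArgumentException("user id must not contain the separator");
        byte[] nonce = new byte[16];
        random.nextBytes(nonce);
        String payload = userId + "|" + (nowMillis + ttlMillis) + "|" + b64(nonce);
        String p = b64(payload.getBytes(StandardCharsets.UTF_8));
        return p + "." + b64(mac(p));
    }

    /** The user id when the tag is valid, the token unexpired and (if oneTime) unseen before; else empty. */
    public Optional<String> verify(String token, long nowMillis, boolean oneTime) {
        int dot = token.lastIndexOf('.');
        if (dot < 0) return Optional.empty();
        String p = token.substring(0, dot);
        byte[] given;
        try { given = Base64.getUrlDecoder().decode(token.substring(dot + 1)); }
        catch (IllegalArgumentException e) { return Optional.empty(); }
        if (!MessageDigest.isEqual(mac(p), given)) return Optional.empty();     // constant-time compare first
        String[] parts = new String(Base64.getUrlDecoder().decode(p), StandardCharsets.UTF_8).split("\\|", -1);
        if (parts.length != 3) return Optional.empty();
        long expiry;
        try { expiry = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return Optional.empty(); }
        if (nowMillis >= expiry) return Optional.empty();
        if (oneTime && !usedNonces.add(parts[2])) return Optional.empty();      // replayed handoff token
        return Optional.of(parts[0]);
    }

    /** Filter-side use for the login case: the client sends the token back on every request. */
    public Optional<String> userFromBearer(HttpServletRequest request) {
        String h = request.getHeader("Authorization");
        if (h == null || !h.startsWith("Bearer ")) return Optional.empty();
        return verify(h.substring("Bearer ".length()), System.currentTimeMillis(), false);
    }

    private byte[] mac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(key);
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (java.security.GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    private static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }

    public static void main(String[] args) {
        byte[] secret = new byte[32];                 // load from configuration in production, never hard-code
        new SecureRandom().nextBytes(secret);
        TokenService tokens = new TokenService(secret);
        long now = System.currentTimeMillis();
        // Login servlet: after checking credentials, return the token in the response body or a header
        String bearer = tokens.issue("alice", now, 30 * 60 * 1000L);
        System.out.println("bearer user: " + tokens.verify(bearer, now, false).orElse("<invalid>"));
        System.out.println("bearer after expiry: " + tokens.verify(bearer, now + 31 * 60 * 1000L, false).isPresent());
        // Parent application: 30-second, one-time handoff token on the iframe URL (assumed child URL)
        String handoff = tokens.issue("alice", now, 30_000L);
        System.out.println("<iframe src=\"https://child.example/embedded?token=" + handoff + "\">");
        System.out.println("handoff first use: " + tokens.verify(handoff, now, true).isPresent());
        System.out.println("handoff replay:    " + tokens.verify(handoff, now, true).isPresent());
    }
}
```

On the child side, the servlet behind /embedded verifies the URL token once, then establishes its own session for the iframe so the token never has to be presented again; the usedNonces set should be evicted once the tokens it records have expired, and a shared cache is needed if the child runs on more than one node. Pair this with X-Frame-Options as the second answer suggests, since the token decides who gets in while the header decides who may frame the result.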
