Skip to content

Cookie Based SAML Authentication

Cookie based SAML authentication can be used to request for user's previous session. Even in case the user's session is expired, the result will be returned based on cookie that stores user's session token.

To use it, Service Provider needs to follow these steps:

  1. Send saml request with IsPassive attribute set to true and authentication context set to PreviousSession uri. Example:

    <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                         AssertionConsumerServiceURL="http://sp/saml/SSO"
                         Destination="http://idp/saml/single-sign-on"
                         ForceAuthn="false"
                         ID="a4i2h98aa7b3a6e94830g40j4cihd2g"
                         IsPassive="true"
                         IssueInstant="2015-12-11T06:12:53.027Z"
                         ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Version="2.0"
                         >
        <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">spring:security:saml</saml2:Issuer>
        <saml2p:RequestedAuthnContext Comparison="exact">
            <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</saml2:AuthnContextClassRef>
        </saml2p:RequestedAuthnContext>
    </saml2p:AuthnRequest>
    
  2. Handle SAML response. Two kind of responses can be returned after sending valid request. The first one is successful response for valid cookie token (not expired, existing and with correct token). Example (note that AuthnContextClassRef has PreviousSession uri and response has no SessionIndex defined):

    <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     Destination="http://localhost:8080/spring-security-saml2-sample/saml/SSO"
                     ID="_13735563-7117-4a0c-b3bb-ee3a1dea977d"
                     InResponseTo="a204ecfddi7jb7262fc2dbd7e1e2bj5"
                     IssueInstant="2015-12-11T06:54:53.653Z"
                     Version="2.0"
                     >
        <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                      >http://idp-core.dev.onegini.me:8989</saml2:Issuer>
        <saml2p:Status>
            <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
        </saml2p:Status>
        <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                         ID="_5b541a5d-e934-4cfb-8d31-0d0677633f43"
                         IssueInstant="2015-12-11T06:54:53.653Z"
                         Version="2.0"
                         xmlns:xs="http://www.w3.org/2001/XMLSchema"
                         >
            <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://idp-core.dev.onegini.me:8989</saml2:Issuer>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                    <ds:Reference URI="#_5b541a5d-e934-4cfb-8d31-0d0677633f43">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                        PrefixList="xs"
                                                        />
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                        <ds:DigestValue>T1lQ6ArY9H2Kx7jIxVVPj7aAM3oa2U4MKTOYMsXj4CU=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>signature...</ds:SignatureValue>
                <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>cert...</ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </ds:Signature>
            <saml2:Subject>
                <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                              NameQualifier="http://idp-core.dev.onegini.me:8989"
                              SPNameQualifier="spring:security:saml"
                              >b51c60f9-ddff-4f90-a866-54be5fdc379a</saml2:NameID>
                <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                    <saml2:SubjectConfirmationData InResponseTo="a204ecfddi7jb7262fc2dbd7e1e2bj5"
                                                   NotOnOrAfter="2015-12-11T06:56:23.653Z"
                                                   Recipient="http://localhost:8080/spring-security-saml2-sample/saml/SSO"
                                                   />
                </saml2:SubjectConfirmation>
            </saml2:Subject>
            <saml2:Conditions NotBefore="2015-12-11T06:54:53.653Z"
                              NotOnOrAfter="2015-12-11T06:59:53.653Z"
                              >
                <saml2:AudienceRestriction>
                    <saml2:Audience>spring:security:saml</saml2:Audience>
                </saml2:AudienceRestriction>
            </saml2:Conditions>
            <saml2:AuthnStatement AuthnInstant="2015-12-11T06:54:53.653Z">
                <saml2:AuthnContext>
                    <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</saml2:AuthnContextClassRef>
                </saml2:AuthnContext>
            </saml2:AuthnStatement>
            <saml2:AttributeStatement>
                <saml2:Attribute FriendlyName="authenticationLevel"
                                 Name="urn:oid:1.3.6.1.4.1.44976.1.1"
                                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                                 >
                    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                          xsi:type="xs:string"
                                          >3</saml2:AttributeValue>
                </saml2:Attribute>
                <saml2:Attribute FriendlyName="uid"
                                 Name="urn:oid:0.9.2342.19200300.100.1.1"
                                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                                 >
                    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                          xsi:type="xs:string"
                                          >b51c60f9-ddff-4f90-a866-54be5fdc379a</saml2:AttributeValue>
                </saml2:Attribute>
            </saml2:AttributeStatement>
        </saml2:Assertion>
    </saml2p:Response>
    
    The following response example concerns non-successful scenario with expired, invalid or missing cookie token.

    <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     Destination="http://localhost:8080/spring-security-saml2-sample/saml/SSO"
                     ID="a4i2h98aa7b3a6e94830g40j4cihd2a"
                     IssueInstant="2015-12-11T07:10:17.705Z"
                     Version="2.0"
                     >
        <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                      >http://idp-core.dev.onegini.me:8989</saml2:Issuer>
        <saml2p:Status>
            <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive" />
        </saml2p:Status>
    </saml2p:Response>
    
  3. Token Removing

    Token is removed on various flows:

    • User logout manually
    • User blocked
    • User deleted
    • User reset
    • User password blocked
    • User change password
    • Remove Identity
    • Token expired

    Expired tokens are removed by cron job. The execution time of this job is configured by /idp/auth/token/cron/definition property.