Multiple authentication with same IdP - multiple app - Shibboleth as SP

Multiple authentication with same IdP - multiple app - Shibboleth as SP

uday.chandra.kumar
Hi All,

In an SP-initiated flow, I am getting authenticated by an IdP for logging
into my application (say app1). Now, after successful login, I am loading
a page of another application (say app2) which also authenticates a user by
the same IdP and only then lets the user access its pages/data etc. Now, I
don't want to make my user enter his credentials again since the user has
already been authenticated by the IdP while logging into my parent application,
i.e. app1.

Can anyone please help me with how we can achieve a seamless experience for the
user in the current setup? I don't want my user to re-enter his credentials to access app2 resources after getting inside app1.



-----
Uday
--
Sent from: https://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net

Re: Multiple authentication with same IdP - multiple app - Shibboleth as SP

Peter Schober
* uday.chandra.kumar <[hidden email]> [2019-11-04 08:52]:
> In a SP initiated flow, I am getting authenticated by an IdP for logging
> into my application (say app1). Now, after successful login, I am loading
> page of another application (say app2) which also authenticates a user by
> the same IdP and then only lets user access its pages/data etc. Now, I
> don't want to make my user enter his credentials again since the user has
> already been authenticated by IdP while logging into my parent application
> i.e. app1.

First of all, the subject shouldn't need to enter their credentials
again at the IDP due to SSO (unless their SSO session with the IDP has
meanwhile expired or you are requesting forced authentication at the
IDP or maybe the IDP doesn't offer SSO at all).

If app1 and app2 are on the same vhost and you're simply protecting
the whole vhost with the Shib SP then those two resources are the same
"application" as far as the SP is concerned and logging in to one will
also establish a valid session for any other protected resource on
that vhost.
So the behaviour you desire is already the default. Achieving the
opposite (separate sessions for different paths on the same vhost) is
actually much more involved.
See https://wiki.shibboleth.net/confluence/display/SP3/ApplicationModel

If OTOH app1 and app2 are on different vhosts (or different servers
altogether) then the browser will not send HTTP cookies from prior
access to either of the two resources when accessing the other vhost,
so you'd have to be bounced back to the IDP and establish SP sessions
at each vhost separately.

-peter

Re: Multiple authentication with same IdP - multiple app - Shibboleth as SP

uday.chandra.kumar
Many thanks for your input Peter.

In our case, both apps are on different servers. We would be loading the second
app, i.e. app2, using an iFrame inside app1's page once the user gets
authenticated by the IdP (common to both app1 and app2) on app1's login page.

I came across 'isPassive' (URL:
https://wiki.shibboleth.net/confluence/display/SP3/isPassive). Can we not
use this in the implementation below? Is it something that needs to be set at the IdP end?

Since the user has already logged into the first/parent app, i.e. app1, after getting authenticated at the
IdP, can 'isPassive' be of help to us? Please correct me if my understanding
is wrong and let us know what we need to have in place to get the
user auto-logged in to the child/second app, i.e. app2.



-----
Uday

Re: Multiple authentication with same IdP - multiple app - Shibboleth as SP

Peter Schober
* uday.chandra.kumar <[hidden email]> [2019-11-04 16:30]:
> In our case, both apps are on different servers. We would be loading second
> app i.e. app2 using an iFrame inside app1's page once user gets
> authenticated by the IdP (common to both app1 and app2).

I'd avoid iframes (and other frames) at all costs. Those completely
break if third-party cookies are disabled in the web browser, for
example (which they should be universally, IMO).

> I came across 'isPassive' (URL:
> https://wiki.shibboleth.net/confluence/display/SP3/isPassive). Can we not
> use this in below implementation?

You can use it, it just won't solve the problem you said you had,
though.

> Since user has already logged into the app1 after getting authenticated at
> IdP, can 'isPassive' be of our help? Please correct me if my understanding
> is wrong and let us know what necessary things do we need to have to get
> user auto-logged in into the second app i.e. app2.

You started this thread with the claim that the IDP is prompting the
subject to enter their credentials again instead of providing an SSO
experience. How is sending "isPassive" then supposed to avoid this?

If the IDP was configured to not provide SSO (or the subject's SSO
session had expired) and you're telling the IDP to not show any UI
elements to the subject (by using isPassive) the IDP can only return
an error to the SP (or terminate processing, I guess), no?

"isPassive" is not a means to force an IDP to provide SSO when
otherwise (lacking isPassive in the authn request) it wouldn't.

-peter
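Peter's two replies cover several distinct cases: paths on one protected vhost share a single SP session; a second vhost has no cookie of its own and must go back to the IdP, but the IdP's SSO session keeps that round trip silent; isPassive does not create SSO, it only makes the IdP answer with an error when it would otherwise need to show a login page; and an app framed inside another origin loses both the SP and the IdP cookies once third-party cookies are blocked. The following Python model, added here and not code from this thread or from the Shibboleth project, walks through each of those cases. `build_authn_request` shows where IsPassive (and ForceAuthn) sit in a SAML 2.0 AuthnRequest; the `Browser`, `IdP` and `ShibSP` classes are simplified stand-ins for the real components, and the hostnames, cookie names, request ID and timestamp are constructed (the `_shibsession_constructed` cookie name approximates the SP's real hashed cookie name).

```python
# Added example, not from the thread or the Shibboleth project: a toy model of the cases
# Peter describes. Hostnames, cookie names, IDs and timestamps are constructed values.
from dataclasses import dataclass, field
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NOPASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"

def build_authn_request(issuer, acs_url, is_passive=False, force_authn=False):
    """Minimal SAML 2.0 AuthnRequest; IsPassive forbids IdP UI, ForceAuthn forbids SSO reuse."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": "_constructed-request-id", "Version": "2.0",  # constructed values
        "IssueInstant": "2019-11-04T16:30:00Z",
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url})
    if is_passive:
        req.set("IsPassive", "true")
    if force_authn:
        req.set("ForceAuthn", "true")
    ET.SubElement(req, "{%s}Issuer" % SAML).text = issuer
    return ET.tostring(req, encoding="unicode")

@dataclass
class Browser:
    """Cookie jar keyed by host; with block_third_party=True, a request made from a frame
    whose top-level page is on another host neither sends nor stores cookies."""
    block_third_party: bool = False
    jar: dict = field(default_factory=dict)

    def _blocked(self, host, top_level):
        return self.block_third_party and top_level not in (None, host)

    def cookies_for(self, host, top_level=None):
        return {} if self._blocked(host, top_level) else dict(self.jar.get(host, {}))

    def set_cookie(self, host, name, value, top_level=None):
        if not self._blocked(host, top_level):
            self.jar.setdefault(host, {})[name] = value

@dataclass
class IdP:
    host: str = "idp.example.org"  # constructed
    sso_enabled: bool = True
    login_prompts: int = 0  # how often the subject had to type credentials

    def handle_authn_request(self, browser, is_passive=False, force_authn=False, top_level=None):
        has_sso = "idp_session" in browser.cookies_for(self.host, top_level)
        if has_sso and self.sso_enabled and not force_authn:
            return SUCCESS  # silent SSO, no UI shown
        if is_passive:
            return NOPASSIVE  # UI would be needed but is forbidden: only an error can go back
        self.login_prompts += 1  # interactive login page shown
        browser.set_cookie(self.host, "idp_session", "constructed", top_level)
        return SUCCESS

@dataclass
class ShibSP:
    """One vhost protected as a whole: the session cookie is per host, so every path on
    the vhost shares one SP session (the SP's default application model)."""
    host: str
    idp: IdP
    cookie: str = "_shibsession_constructed"  # real SP cookie names carry a hash suffix

    def access(self, browser, path, is_passive=False, top_level=None):
        if self.cookie in browser.cookies_for(self.host, top_level):
            return {"sp_session": "existing", "idp_status": None}
        status = self.idp.handle_authn_request(browser, is_passive, top_level=top_level)
        if status != SUCCESS:
            return {"sp_session": None, "idp_status": status}
        browser.set_cookie(self.host, self.cookie, "constructed", top_level)
        return {"sp_session": "new", "idp_status": status}

def same_vhost():
    """app1 and app2 are paths on one protected vhost: one login, one shared session."""
    b, idp = Browser(), IdP()
    sp = ShibSP("app.example.edu", idp)
    r1, r2 = sp.access(b, "/app1/"), sp.access(b, "/app2/")
    return r1["sp_session"], r2["sp_session"], idp.login_prompts

def separate_vhosts():
    """Different hosts: app2's SP goes back to the IdP, but SSO keeps that trip silent."""
    b, idp = Browser(), IdP()
    sp1, sp2 = ShibSP("app1.example.edu", idp), ShibSP("app2.example.edu", idp)
    r1, r2 = sp1.access(b, "/"), sp2.access(b, "/")
    return r1["sp_session"], r2["sp_session"], idp.login_prompts

def passive_without_sso():
    """IdP without SSO plus IsPassive: the IdP can only answer NoPassive."""
    b, idp = Browser(), IdP(sso_enabled=False)
    sp1, sp2 = ShibSP("app1.example.edu", idp), ShibSP("app2.example.edu", idp)
    sp1.access(b, "/")
    return sp2.access(b, "/", is_passive=True)["idp_status"], idp.login_prompts

def framed_with_third_party_cookies_blocked():
    """app2 framed inside app1 with third-party cookies blocked: the subject is prompted again."""
    b, idp = Browser(block_third_party=True), IdP()
    sp1, sp2 = ShibSP("app1.example.edu", idp), ShibSP("app2.example.edu", idp)
    sp1.access(b, "/")
    sp2.access(b, "/", top_level="app1.example.edu")
    return idp.login_prompts
```

The four scenario functions return the session state of each access together with how often the IdP had to show a login page. Only the framed case pushes that count to two even though the IdP's SSO session is still valid, which is exactly the breakage Peter warns about; and in the no-SSO case isPassive turns the second access into a NoPassive error at the SP rather than into a silent login.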

Re: Multiple authentication with same IdP - multiple app - Shibboleth as SP

uday.chandra.kumar
Got your point Peter. Thanks a lot for your help. :)



-----
Uday