Authentication between Saml2.0 SP and SAML1.1 SP


Hello all,

I have a question about authentication persistence.

I will have a SP configured to use the SAML2.0 standard and another to
use SAML1.1. When a user logs in to the application hosted on a service
provider using SAML2.0 and clicks on a link to another application
running on a different SP using SAML1.1, will the user have to
reauthenticate? Assume that the attribute sets are the same that you
pass in the assertion to the SPs.
-Naresh


--
nareshbk
------------------------------------------------------------------------
nareshbk's Profile: http://forums.novell.com/member.php?userid=43220
View this thread: http://forums.novell.com/showthread.php?t=451290

Re: Authentication between Saml2.0 SP and SAML1.1 SP


Hi Naresh,

I assume:
-------------------------------------------------------------------------------------
- NAM is acting as IDP
- users are already federated
- SPs require the same authentication type / contract
-------------------------------------------------------------------------------------

In such a scenario I would assume no additional login would be required.


--
kgast
------------------------------------------------------------------------
kgast's Profile: http://forums.novell.com/member.php?userid=6334
View this thread: http://forums.novell.com/showthread.php?t=451290

Re: Authentication between Saml2.0 SP and SAML1.1 SP

nareshbk wrote:

>
> Hello all,
>
> I have a question about authentication persistence.
>
> I will have a SP configured to use the SAML2.0 standard and another to
> use SAML1.1. When a user logs in to the application hosted on a
> service provider using SAML2.0 and clicks on a link to another
> application running on a different SP using SAML1.1, will the user
> have to reauthenticate? Assume that the attribute sets are the same
> that you pass in the assertion to the SPs.
> -Naresh


This should work without a second login if the same auth contract is
called or all contracts have the same weight. If you've modified the
weight of the contracts (default is 0) and different ones are used then
you could be challenged.

--
Cheers,
Edward
Re: Authentication between Saml2.0 SP and SAML1.1 SP


Where do I specify contracts for the service providers? In the SAML
configurations, I don't see how you can specify which contract to use. In
IDP--Local--Defaults I have one default user store and authentication
contract. Will both the SAML 1.1 and 2.0 SPs use that?

edmaa;2170712 Wrote:
> nareshbk wrote:
>
> > Hello all,
> >
> > I have a question about authentication persistence.
> >
> > I will have a SP configured to use the SAML2.0 standard and another to
> > use SAML1.1. When a user logs in to the application hosted on a
> > service provider using SAML2.0 and clicks on a link to another
> > application running on a different SP using SAML1.1, will the user
> > have to reauthenticate? Assume that the attribute sets are the same
> > that you pass in the assertion to the SPs.
> > -Naresh
>
> This should work without a second login if the same auth contract is
> called or all contracts have the same weight. If you've modified the
> weight of the contracts (default is 0) and different ones are used
> then you could be challenged.
>
> --
> Cheers,
> Edward



--
nareshbk

Re: Authentication between Saml2.0 SP and SAML1.1 SP

nareshbk wrote:

>
> Where do I specify contracts for the service providers? In the saml
> configurations, i dont see how you can specify which contract to use.
> In IDP--Local--Defaults i have one default user store and
> authentication contract. Will both the saml 1.1 and 2.0 SPs use that?


For SAML 1.1 there's only the IDP-initiated login, but with SAML 2.0 you
could potentially use the AuthnContextStatementRef element if you are
using an SP-initiated login. The Service Provider can populate this
element with the contract name. That way they can select what contract
to use. If no contract is specified it will use the default contract
configured on the IDP (under Local | Defaults).

Hopefully this helps



--
Cheers,
Edward
Re: Authentication between Saml2.0 SP and SAML1.1 SP


Where exactly do I specify that? In the SAML 2.0 service provider
configuration, I am using the metadata text. Can you tell me the syntax
for this statement?

Assume that I create a custom contract with URI: name/pwd/mail. How is
the SP going to pass that information on?


--
nareshbk

Re: Authentication between Saml2.0 SP and SAML1.1 SP

nareshbk wrote:

>
> Where exactly do I specify that? In the saml2.0 service provider
> configuration, I am using the metadata text
> Can you tell me the syntax for this statement?
>
> Assume that I create a custom contract with URI: name/pwd/mail. How is
> the SP going to pass that information on?


Sorry for the late reply.

It seems I was wrong about the AuthnContextStatementRef attribute. I
think that is only in Liberty. I did read it in a few drafts of the SAML
2.0 documents but it seems it didn't make it into the final
specifications.

Instead, an AuthnRequest can contain an AuthnContext element in which you
can also specify a URI (name/pwd/mail) which theoretically (I've never
done this) should have the IDP then use that auth contract.

--
Cheers,
Edward
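As an added illustration of Edward's point (example code, not from the thread, NAM or any SAML library), this builds an SP-initiated SAML 2.0 AuthnRequest carrying the contract URI in RequestedAuthnContext/AuthnContextClassRef, and shows an IdP-side handler that resolves it: a missing element falls back to the IdP's default contract, while an unknown URI is rejected instead of silently defaulting. The contract table, entity IDs, URLs and timestamp are constructed; only the "name/pwd/mail" URI comes from the thread.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed IdP contract table keyed by contract URI. "name/pwd/mail" is the
# custom contract URI from the thread; the second entry is a made-up example.
CONTRACTS = {
    "name/pwd/mail": "NamePasswordMailForm",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": "NamePasswordForm",
}
DEFAULT_CONTRACT = "NamePasswordForm"  # what "Local | Defaults" would point at


def build_authn_request(sp_entity_id, acs_url, contract_uri=None, request_id="_req1"):
    """SP side: build an AuthnRequest, optionally requesting a contract by URI."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": "2012-01-01T00:00:00Z",  # constructed timestamp
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    if contract_uri:
        # Comparison="exact" asks the IdP for exactly this contract, not a stronger one.
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = contract_uri
    return ET.tostring(req, encoding="unicode")


def requested_contract_uri(authn_request_xml):
    """IdP side: return the requested AuthnContextClassRef, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    ref = root.find(f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef")
    return ref.text.strip() if ref is not None and ref.text else None


def select_contract(authn_request_xml):
    """Map the request to a configured contract; unknown URIs are refused."""
    uri = requested_contract_uri(authn_request_xml)
    if uri is None:
        return DEFAULT_CONTRACT
    if uri not in CONTRACTS:
        raise ValueError(f"unknown requested AuthnContextClassRef: {uri}")
    return CONTRACTS[uri]
```

Refusing unknown URIs matters because a misconfigured or hostile SP that asks for a contract the IdP does not know should get an error, not a quiet downgrade to whatever the default happens to be.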
Re: Authentication between Saml2.0 SP and SAML1.1 SP


I just created an auth contract with an ID value and specified that in
the SSO login URL for saml2:
https://idp.something.com/nidp/saml2/sso?id=xxx and it does prompt the
user with the correct form for authentication.

Now I have issues with the logout URL. Single log out does not work and
the user never gets logged off. I have
https://idp.something.com/nidp/saml2/slo_return in the logout URL field
but upon clicking logout, the user lands in the native NAM page that
says...your session has been authenticated for xx minutes. Any idea what
the correct logout URL should be? And BTW, I am trying to do SSO with
Google Apps.


--
nareshbk

Re: Authentication between Saml2.0 SP and SAML1.1 SP

nareshbk wrote:

>
> I just created an auth contract with an ID value and specified that in
> the SSO login URL for saml2:
> https://idp.something.com/nidp/saml2/sso?id=xxx and it does prompt the
> user with the correct form for authentication.
>
> Now I have issues with the logout URL. Single log out does not work
> and the user never gets logged off. I have
> https://idp.something.com/nidp/saml2/slo_return in the logout url
> field but upon clicking logout, the user lands in the native NAM page
> that says...your session has been authenticated for xx minutes. Any
> idea what the correct logout URL should be? And BTW, I am trying to
> do SSO with google Apps.


What happens when you call /nidp/app/logout ?

--
Cheers,
Edward
Re: Authentication between Saml2.0 SP and SAML1.1 SP


Yes I tried that. It does take me to the log out page but the next time
I try to log in in the same browser, it does weird things. For some
reason the cookie is never deleted. I end up deleting the cookie and
cache and then in the new browser it works fine.

edmaa;2174361 Wrote:
> nareshbk wrote:
>
> > I just created an auth contract with an ID value and specified that in
> > the SSO login URL for saml2:
> > https://idp.something.com/nidp/saml2/sso?id=xxx and it does prompt the
> > user with the correct form for authentication.
> >
> > Now I have issues with the logout URL. Single log out does not work
> > and the user never gets logged off. I have
> > https://idp.something.com/nidp/saml2/slo_return in the logout URL
> > field but upon clicking logout, the user lands in the native NAM page
> > that says...your session has been authenticated for xx minutes. Any
> > idea what the correct logout URL should be? And BTW, I am trying to
> > do SSO with Google Apps.
>
> What happens when you call /nidp/app/logout ?
>
> --
> Cheers,
> Edward



--
nareshbk

Re: Authentication between Saml2.0 SP and SAML1.1 SP

nareshbk wrote:

>
> Yes I tried that. It does take me to the log out page but the next
> time I try to log in in the same browser, it does weird things. For
> some reason the cookie is never deleted. I end up deleting the cookie
> and cache and then in the new browser it works fine.


Ok, so it's fixed now?


--
Cheers,
Edward
Re: Authentication between Saml2.0 SP and SAML1.1 SP


I am not sure if it is correct. I had the logout URL as
https://<idp url>/nidp/saml2/slo_return and it did not log the user off.
I had it as https://<idp url>/nidp/saml2/slo and had the same issue. But
now I have the log out URL as
https://<idp url>/nidp/saml2/slo_return=https://<idpurl>/nidp/app/logout
and it does log the user off. Can you confirm what the correct URL should
be?

edmaa;2175110 Wrote:
> nareshbk wrote:
>
> > Yes I tried that. It does take me to the log out page but the next
> > time I try to log in in the same browser, it does weird things. For
> > some reason the cookie is never deleted. I end up deleting the cookie
> > and cache and then in the new browser it works fine.
>
> Ok, so it's fixed now?
>
> --
> Cheers,
> Edward



--
nareshbk
