IBM Security Verify

  • 1.  Urgent help: OAuth SSO session is working only for 10 minutes, where to change the configuration

    Posted Thu July 09, 2020 04:41 PM
    Hi Friends,

       Need your help/suggestion urgently. I am having 2 client applications, app1 and app2.

    In my application, step 1)

    https://<websealinstalled host>:12443/mga/sps/oauth/oauth20/authorize?scope=financial+non-financial&client_id=BUtkGdOR6423Byx6XlKW&redirect_uri=https://<myhost>/app1/OAuthLogin&response_type=code&scope=openid&state=MkVBN0NDMDZFNjU3NjE0RTNEQ0E1RTE3MkVDRUYxQ0FCVXRrR2RPUjY0dlpCeXg2WGxLVw==

    step 2) doing authentication (WebSEAL login page)
    step 3) fetching the token
    step 4) decoding the token and using the 'sub' as per app1 design
    step 5) now forwarding to the app1 home page ....

    app2 also follows the same steps.

    Working scenario:

    If I have authenticated in app1 and after that I open app2 in the same browser (within 10 minutes), it logs in successfully without asking for any credentials, as app1 has already authenticated.

    Not working scenario:

    If I have authenticated in app1 and after that I open app2 in the same browser (after 10 minutes), it again displays the WebSEAL login page for authentication, not sure why. Note: app1 is still working in the other tab of the same browser.


      Where can I set/increase the time from 10 minutes to something like 12 hours? Please suggest ASAP.

    I have configured everything in 'OpenID Connect and API Protection Definitions'; I increased the token expiry time and the other times as well, but it is not working. Even though I changed the token expiry time, the JWT token is not reflecting it: the time is always 3600 (i.e. the difference of exp - iat).

    Please suggest: I will log in to app1 first by authenticating, and after some time (not less than 10 minutes) I want to use app2 in the same browser in another tab without re-authentication.

    Currently it works only if I open app2 within 10 minutes. Where do I change this?


    Thanks & Regards
    srinivas

    ------------------------------
    srinivas kumar
    ------------------------------


  • 2.  RE: Urgent help: OAuth SSO session is working only for 10 minutes, where to change the configuration

    Posted Fri July 10, 2020 01:55 AM

    The default WebSEAL inactivity timeout is 600 sec = 10 min. That's probably the reason why a 2nd request against your OIDC provider (where WebSEAL acts as point of contact) would require a new authentication after 10 min. Open the WebSEAL configuration, search for:

    inactive-timeout = 600

    ... and specify your desired value.

    Frank



    ------------------------------
    Frank Thurau
    ------------------------------
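The stanza Frank is pointing at, shown here as an added illustration that is not part of the thread or of IBM's documentation: the `[session]` stanza of the WebSEAL configuration file with its shipped defaults, followed by values that give the 12-hour window the question asks for. `[session]`, `timeout`, `inactive-timeout` and `max-entries` are the real stanza and keys; the 43200 and 16384 values are chosen for this example, not recommendations. The point a practitioner can miss is that `inactive-timeout` is only the idle limit: `timeout` is the absolute session lifetime, and left at its default of 3600 the WebSEAL session (and with it the OIDC single sign-on) still ends after one hour no matter how active the user is.

```ini
# --- shipped defaults: the session ends after 10 min idle or 1 h absolute ---
[session]
# size of the session cache; old sessions are evicted when it is full
max-entries = 4096
# absolute lifetime of a session in seconds, counted from login
timeout = 3600
# idle limit in seconds; this is what produces the 10-minute symptom
inactive-timeout = 600

# --- values for a 12-hour SSO window (illustrative, picked for this thread) ---
[session]
# raised so long-lived sessions are not bumped out of the cache (see Jon's note)
max-entries = 16384
# absolute lifetime must be raised too, or the session still dies after 1 h
timeout = 43200
# idle limit equal to the absolute lifetime: effectively no inactivity logout
inactive-timeout = 43200
```

The reverse proxy instance has to be restarted for a change to its configuration file to take effect, and the OAuth/OIDC token lifetimes in the API protection definition are independent of these values, which is why changing them alone did not move the 10-minute boundary.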



  • 3.  RE: Urgent help: OAuth SSO session is working only for 10 minutes, where to change the configuration

    Posted Fri July 10, 2020 04:18 AM
    Hi Frank Thurau,

     Thanks a lot for the quick reply, I will check.


    ------------------------------
    srinivas kumar
    ------------------------------



  • 4.  RE: Urgent help: OAuth SSO session is working only for 10 minutes, where to change the configuration

    Posted Fri July 10, 2020 04:49 AM
    Edited by Jon Harry Fri July 10, 2020 04:49 AM
    This "session keepalive" issue is a well-known problem when working in a federated environment where you have a central Identity Provider which is invoked for authentication but otherwise sits idle.  It is counter-intuitive to users that their authentication can time out when they are still active... they don't (and shouldn't) care that it's really a different site with a different session.

    The simple answer, as provided by Frank, is to increase the idle timeout on the Identity Provider so that the session at the Identity Provider is maintained even though there is no activity.

    One thing to bear in mind is that this solution effectively removes the inactivity timeout as a mitigation against the user walking away from their session and an attacker taking it over.

    I have seen solutions (where everything is in-house) where each Service Provider has a zero-size image loaded from the Identity Provider at regular time intervals to keep that session alive as long as the Service Provider is alive.  This allows the Identity Provider timeout to stay low.  The problem with this is, of course, getting that image into Service Provider pages.  In many cases the Service Provider is a SaaS service you don't control.

    So, you're back to having a long Identity Provider session.  I would advise, if the risk profile demands it, that you consider implementing multi-factor authentication when using the Identity Provider to access a sensitive service.

    As a final point, make sure you consider the impact on number of sessions that having a long inactivity timeout has.  To prevent old sessions from being bumped out of the session cache you'll likely need to increase the session cache size - and this will increase the memory required by the Reverse Proxy instances associated with the Identity Provider.

    Jon.




    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
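The zero-size-image keepalive Jon describes, written out as an added example that is not part of the thread and not IBM product code. It assumes a hypothetical 1x1 image at https://idp.example.com/keepalive/pixel.gif that the Identity Provider serves through the same WebSEAL reverse proxy session as the OIDC endpoints, so each fetch counts as activity and resets `inactive-timeout`. A blind pinger would simply move the walk-away problem Jon raises from the IdP to the browser; this version only pings while the user has recently interacted with the Service Provider page, and lets the IdP session lapse once they have not, so the low IdP timeout keeps doing its job.

```javascript
// Added example: SP-side keepalive for an IdP session (not from the thread).
// Hypothetical keepalive image served behind the same WebSEAL session as the
// OIDC authorize endpoint; every fetch of it resets the IdP inactive-timeout.
const KEEPALIVE_URL = "https://idp.example.com/keepalive/pixel.gif";

// Append a cache-busting parameter so the browser really contacts the IdP on
// every tick instead of replaying the image from its cache (which would send
// no request and therefore reset nothing).
function buildKeepaliveUrl(base, nowMs) {
  const url = new URL(base);
  url.searchParams.set("_", String(nowMs));
  return url.toString();
}

// Ping interval in milliseconds: a fraction of the IdP idle limit (seconds),
// so one lost request does not cost the session. 600 s -> 300000 ms.
function keepaliveIntervalMs(inactiveTimeoutSec, margin = 0.5) {
  if (!(inactiveTimeoutSec > 0)) throw new RangeError("inactiveTimeoutSec must be > 0");
  return Math.floor(inactiveTimeoutSec * 1000 * margin);
}

// Keepalive state machine with injectable dependencies so it can be exercised
// outside a browser. loadImage(src) performs the fetch; nowFn() returns ms;
// idleLimitMs is how long the user may be idle on the SP before we stop
// pinging and deliberately let the IdP inactivity timeout fire.
function createKeepalive({ loadImage, inactiveTimeoutSec, nowFn, idleLimitMs }) {
  let lastActivity = nowFn();
  let pings = 0;
  return {
    // Called from user-interaction events on the SP page.
    noteActivity() { lastActivity = nowFn(); },
    // Called on a timer. Returns true when a ping was sent, false when the
    // user is idle and the IdP session is being allowed to expire.
    tick() {
      if (nowFn() - lastActivity > idleLimitMs) return false;
      loadImage(buildKeepaliveUrl(KEEPALIVE_URL, nowFn()));
      pings += 1;
      return true;
    },
    get pings() { return pings; },
    intervalMs: keepaliveIntervalMs(inactiveTimeoutSec),
  };
}

// Browser wiring (only meaningful where `document` and `Image` exist): hook
// user activity on the SP page and schedule the ticks. With an IdP
// inactive-timeout of 600 s this pings every 5 min while the user is active
// and stops after 10 min without interaction.
function installInBrowser(inactiveTimeoutSec) {
  const ka = createKeepalive({
    loadImage: (src) => { const img = new Image(1, 1); img.src = src; },
    inactiveTimeoutSec,
    nowFn: () => Date.now(),
    idleLimitMs: inactiveTimeoutSec * 1000,
  });
  ["click", "keydown", "mousemove", "scroll"].forEach((ev) =>
    document.addEventListener(ev, () => ka.noteActivity(), { passive: true }));
  setInterval(() => ka.tick(), ka.intervalMs);
  return ka;
}
```

Two practical caveats: the image request must carry the IdP session cookie, so the IdP must be reachable from the SP page with credentials (same site, or a cross-site cookie with `SameSite=None; Secure`), and as Jon notes this only works where you control the SP pages; a SaaS SP leaves you with the long IdP session and step-up authentication for sensitive services.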



  • 5.  RE: Urgent help: OAuth SSO session is working only for 10 minutes, where to change the configuration

    Posted Fri July 10, 2020 05:39 AM
    Hi Jon Harry,

     Thanks a lot for your detailed explanation.


    ------------------------------
    srinivas kumar
    ------------------------------