IBM Security Verify

  • 1.  Single logout from an SP to IdP does not terminate/kill the WebSeal Session on the IdP

    Posted Fri August 20, 2021 10:24 AM

    Products: ISAM9.0.7 Federations and WebSeal

     

    Hi

    I have a setup with an IdP behind WebSeal instance "login" on junction /sso

    The IdP uses an EAI via local-response-redirect and eai-trigger-url configuration. The EAI is on a liberty backend behind a junction on the login WebSeal instance.

    When slo is initiated on/from the SP, a slo request is also made for the IdP, and the IdP logs that it removes the SAML cookie, but this does NOT terminate/kill the WebSeal session, so when a new logon request is made from the SP and the IdP is called, then the IdP still has the session, and no new login nor call to the EAI, is triggered, and the IdP responds with a SAML response to the SP and the user is logged on without entering anything.

    Why is the EAI not being triggered when the IdP receives the slo request? (as it does with the initial login) Nor does the slo request result in killing/terminating the WebSeal session. Is there any way to achieve this?

    BR, Carsten



    ------------------------------
    Carsten Jensen
    ATP

    ------------------------------


  • 2.  RE: Single logout from an SP to IdP does not terminate/kill the WebSeal Session on the IdP

    Posted Fri August 27, 2021 07:02 AM
    Hi Carsten,

    If I remember correctly, the session termination during SLO is performed by the Federation runtime (which processes the SLO request) responding with an EAI header that includes a session termination request directly to the WebSEAL.  If you don't have the appropriate EAI trigger URL in place to capture this EAI response from federation runtime SLO then the IdP session won't be terminated.

    I think the trigger URLs you need are these (for federation asdf with federation runtime on junction /isam):

    trigger = /isam/sps/auth*
    trigger = /isam/sps/asdf/saml20/soap*
    trigger = /isam/sps/asdf/saml20/slo*
    trigger = /isam/sps/asdf/saml20/login*

    Perhaps you're missing the slo* trigger?

    By default the SLO trigger EAI message includes the session ID.  In order for this to be available you need to have:
    user-session-ids = yes
    in the WebSEAL configuration.
    There's an option in federation definition not to include session ID in the SLO response.  Not sure when that option was introduced or how it changes behaviour but I imagine it would log out all sessions for user instead of only the one related to the specific session where SLO is performed.

    None of the above gets your login EAI called... when SLO is initiated at SP, the IdP doesn't get to interact with the user so it doesn't usually trigger the "login success" call that would use local-response-redirect.  There is an option in WebSEAL to provide "single-signoff-uri" entries which are (silently) called when a logoff occurs.  Maybe you could use that to trigger your EAI app if you need to do something there on logout?

    Jon.


    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
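
The checks suggested in the reply above (all four trigger URLs present, user-session-ids = yes) can be run against a WebSEAL configuration file before testing SLO. This is an added example, not code from the thread or from IBM; the stanza names `[eai-trigger-urls]` and `[session]`, the function names and the sample config are assumptions, and `fnmatch` only approximates WebSEAL's wildcard matching.

```python
import fnmatch

# Constructed sample config (not from the thread): slo* trigger missing, session IDs off.
SAMPLE_CONF = """\
[eai-trigger-urls]
trigger = /isam/sps/auth*
trigger = /isam/sps/asdf/saml20/soap*
trigger = /isam/sps/asdf/saml20/login*

[session]
user-session-ids = no
"""

def parse_conf(text):
    """Parse stanza-style config, keeping repeated keys such as 'trigger'."""
    conf, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
            conf.setdefault(stanza, {})
        elif "=" in line and stanza is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[stanza].setdefault(key, []).append(value)
    return conf

def audit_slo(conf_text, junction="/isam", federation="asdf"):
    """Return findings that would stop SLO from ending the WebSEAL session."""
    conf = parse_conf(conf_text)
    triggers = conf.get("eai-trigger-urls", {}).get("trigger", [])
    base = f"{junction}/sps"
    required = [f"{base}/auth"] + [
        f"{base}/{federation}/saml20/{ep}" for ep in ("soap", "slo", "login")]
    findings = []
    for url in required:
        # fnmatch approximates WebSEAL's wildcard matching (assumption).
        if not any(fnmatch.fnmatchcase(url, t) for t in triggers):
            findings.append(f"no EAI trigger covers {url}")
    session_ids = conf.get("session", {}).get("user-session-ids", [])
    if not session_ids or session_ids[-1].lower() != "yes":
        findings.append("user-session-ids is not set to yes")
    return findings

if __name__ == "__main__":
    for finding in audit_slo(SAMPLE_CONF):
        print("FINDING:", finding)
```
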



  • 3.  RE: Single logout from an SP to IdP does not terminate/kill the WebSeal Session on the IdP

    Posted Tue August 31, 2021 09:53 AM
    Hi Jon
    Thank you for your advice. I've added the listed triggers and it had a strange effect; now the EAI application gets invoked with a TAM_OP=error

    0x38cf081e

    DPWWA2078E   Could not authenticate user.  An external authentication service did not return required authentication data.

    I'll do some more investigation..

    ------------------------------
    Carsten Jensen
    ATP
    +4530595704
    ------------------------------



  • 4.  RE: Single logout from an SP to IdP does not terminate/kill the WebSeal Session on the IdP

    Posted Thu September 09, 2021 11:14 AM
    Hi
    Trace from federation 
    [9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 ivoli.am.fim.saml20.protocol.actions.SAML20LocalLogoutAction 3 doLogout Getting local login state
    [9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 im.saml20.protocol.actions.slo.SAML20LocalLogoutForSLOAction > logoutNeeded ENTRY
    [9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 im.saml20.protocol.actions.slo.SAML20LocalLogoutForSLOAction 1 logoutNeeded Logout needed = true
    [9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 im.saml20.protocol.actions.slo.SAML20LocalLogoutForSLOAction < logoutNeeded RETURN
    [9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 ivoli.am.fim.saml20.protocol.actions.SAML20LocalLogoutAction 1 doLogout Local logout at IdP.
    [9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 ivoli.am.fim.saml20.protocol.actions.SAML20LocalLogoutAction 1 doLogout Attempting logout with User name = CN=Jætte TøstesenPerson,O=Ingen organisatorisk tilknytning,C=DK and session info = null
    [9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 li.am.fim.saml20.protocol.context.SAML20UserLoginContextImpl > logout(userName) ENTRY
    [9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 li.am.fim.saml20.protocol.context.SAML20UserLoginContextImpl 1 logout(userName) Logging out based on userid = CN=Jætte TøstesenPerson,O=Ingen organisatorisk tilknytning,C=DK
    [9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 li.am.fim.saml20.protocol.context.SAML20UserLoginContextImpl > logoutWithSignOutInfo ENTRY
    [9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 li.am.fim.saml20.protocol.context.SAML20UserLoginContextImpl 2 logoutWithSignOutInfo Calling the signOut service
    [9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 li.am.fim.saml20.protocol.context.SAML20UserLoginContextImpl 2 logoutWithSignOutInfo signOut returned quietly; assuming successful logout
    [9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 li.am.fim.saml20.protocol.context.SAML20UserLoginContextImpl < logoutWithSignOutInfo RETURN
    [9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 li.am.fim.saml20.protocol.context.SAML20UserLoginContextImpl < logout(userName) RETURN
    [9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 ivoli.am.fim.saml20.protocol.actions.SAML20LocalLogoutAction < doLogout RETURN
    [9/9/21 12:04:29:218 CEST] 0000cc41 id=00000000 im.saml20.protocol.actions.slo.SAML20LocalLogoutForSLOAction 1 runProtocol Logout was successful

    It seems like the logout is happening and is assumed ok, but an error occurs, resulting in the

    * Code: 0x38cf081e
    * Text: DPWWA2078E Could not authenticate user. An external authentication service did not return required authentication data.

    I have trace enabled com.tivoli.am.fim.saml20.*=ALL but no details about the error/cause. Any ideas how to trace this?

    BR Carsten

    ------------------------------
    Carsten Jensen
    ATP
    +4530595704
    ------------------------------



  • 5.  RE: Single logout from an SP to IdP does not terminate/kill the WebSeal Session on the IdP

    Posted Thu September 09, 2021 01:33 PM
    Hi Carsten,

    I think at this point I would want to see what exactly is being returned to the Reverse Proxy in the EAI message at logout time.  My guess is that the Reverse Proxy is somehow interpreting the logout headers as a malformed login attempt... although I have no idea why that would be.

    You can trace the HTTP headers in the Reverse Proxy by enabling the pdweb.debug trace at level 9.  That will show all the HTTP headers that are being sent and received with each request - without tracing the entire HTTP content.

    If that doesn't help then you're probably going to need a support ticket to get to the bottom of this.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 6.  RE: Single logout from an SP to IdP does not terminate/kill the WebSeal Session on the IdP

    Posted Fri September 10, 2021 10:36 AM
    Hi Jon and others
    I enabled the pdweb.debug trace and found that the iv-user value was a bit strange (wrong encoding). I then tried with a user without any Danish national characters and it made a difference; the 0x38cf081e error disappeared. Now it continues without any errors.

    BUT - the user is apparently still logged on. I still experience the same behavior when the SP contacts the IdP; the user is still logged on. Any ideas? Any way to get more details from the webSeal logout action?

    BR Carsten

    ------------------------------
    Carsten Jensen
    ATP
    +4530595704
    ------------------------------



  • 7.  RE: Single logout from an SP to IdP does not terminate/kill the WebSeal Session on the IdP

    Posted Fri September 10, 2021 10:50 AM
    Hi Carsten,

    The failure in the presence of extended character set shouldn't happen between our own components.  I think a support ticket is definitely called for.  At the same time perhaps they can help with additional tracing for the wider SLO issue.

    I noticed in the trace that it said there was no session information.  Did you configure the federation to NOT use session index for logout?  Do you see a session index in the logout command sent in the EAI headers?  Perhaps if you were to send the session index that would prevent the issue with the username (because it would use the session index instead) and perhaps it would also help with the logout itself.

    To be honest I'm not sure if the above will help... I think a support ticket is probably a better bet at this point.

    Jon.


    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------