a basic question in SSO using ADFS

  • Question

  • Hi,

    Please advise for the following scenario.

    Multiple applications (application 1 and application 2) are configured as SPs to ADFS. If a user is already authenticated and an assertion token is passed to the user session when the user tries to access application 1 and works with application 1, now if the user tries to access application 2, will application 2 allow the user to access the application based on the assertion token that exists in the user's browser session, or does it have to go back to ADFS to create a new assertion token for application 2? Please advise.

    Thanks,

    Raj.

    Tuesday, March 29, 2016 3:59 AM

Answers

  • Assuming you mean that those two applications are RP trusts (Relying Party Trusts), then here is an overview of the flow:

    1. The user connects to App1. The user doesn't have a token for App1, so App1 redirects the user to ADFS.
    2. ADFS tries to authenticate the user (SSO if the user is connected internally with a supported browser; otherwise the user has to type their password into a web form).
    3. If the authentication succeeds, the ADFS server gives a WebSSO cookie to the client (valid by default for 480 minutes, i.e. 8 hours), issues a token for App1 and redirects the user to App1.
    4. The user connects to App1, and the application deals with the token...

    Within 480 minutes...

    1. The user connects to App2. The user doesn't have a token for App2, so App2 redirects the user to ADFS.
    2. The user presents their WebSSO cookie to the ADFS server, and the ADFS server issues a token for App2 and redirects the user to App2.
    3. The user connects to App2, and the application deals with the token...

    If the user connects to App2 more than 480 minutes after connecting to App1...

    1. The user connects to App2. The user doesn't have a token for App2, so App2 redirects the user to ADFS.
    2. The WebSSO cookie has expired, so ADFS tries to authenticate the user (SSO if connected internally, web forms if connected externally).
    3. If the authentication succeeds, the ADFS server gives a new WebSSO cookie to the client, issues a token for App2 and redirects the user to App2.
    4. The user connects to App2, and the application deals with the token...

    If you want, you can force the user to re-authenticate (so the WebSSO cookie is not used) when they ask for a token for App2. You can do that at the application level or at the ADFS level (using authentication policies).

    You can also control whether or not the user has permission to request a token for an application using Issuance Authorization Rules. But you can also issue a token all the time and let the application deal with the access control. Up to the application developer and you :)

    Does this help?


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by Raj Swamy Wednesday, March 30, 2016 6:32 PM
    Tuesday, March 29, 2016 4:26 PM
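The three controls the accepted answer mentions (the WebSSO cookie lifetime, forcing re-authentication for one relying party, and Issuance Authorization Rules) are all exposed through the ADFS PowerShell module. The block below is an added example, not code from the thread or from Microsoft; it assumes two Relying Party Trusts named "App1" and "App2" and uses a placeholder group SID, all of which are hypothetical.

```powershell
# Added example (not from the original thread). Run on a Windows Server 2012 R2 or
# later federation server. "App1", "App2" and the group SID are placeholders.

Import-Module ADFS

# 1. The farm-wide WebSSO cookie lifetime decides whether App2 gets a silent token.
#    Default is 480 minutes (8 hours), which is the "within 480 minutes" case above.
$props = Get-AdfsProperties
"SsoLifetime is {0} minutes" -f $props.SsoLifetime

# Shorten the SSO window to 60 minutes for the whole farm (affects newly issued cookies).
Set-AdfsProperties -SsoLifetime 60

# 2. Force a fresh authentication for App2 only, so the WebSSO cookie is not honoured
#    when a token for App2 is requested (the ADFS-level "re-authenticate" option).
Set-AdfsRelyingPartyTrust -TargetName "App2" -AlwaysRequireAuthentication $true

# 3. Issuance Authorization Rules: only members of one AD group get a token for App2.
#    Once a rule set is present, a user who receives no "permit" claim is denied a token.
$authzRules = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit members of the App2 users group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value =~ "^(?i)S-1-5-21-1111111111-2222222222-3333333333-1105$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName "App2" -IssuanceAuthorizationRules $authzRules

# Contrast: App1 keeps the "issue a token to everyone and let the application do the
# access control" model the answer describes, via the permit-all rule template.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName "App1" -IssuanceAuthorizationRules $permitAll

# Verify what is now in effect for both trusts.
Get-AdfsRelyingPartyTrust -Name "App1", "App2" |
    Select-Object Name, AlwaysRequireAuthentication, IssuanceAuthorizationRules
```

Two caveats worth keeping in mind: `SsoLifetime` is a single farm-wide value, so lowering it for App2 shortens the silent-SSO window for every relying party, whereas `AlwaysRequireAuthentication` is per trust; and the authorization rule only gates token issuance, so the application still has to validate the token (signature, audience, expiry) and enforce its own authorization on the claims it receives.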

All replies

  • Does this help?

    Wednesday, March 30, 2016 2:14 PM
  • Hi,

    Yes. It helps a lot. Thanks for all the information.

    Thanks,

    Raj.

    Wednesday, March 30, 2016 6:33 PM