SSO: Should SP validate session with IDP in every request


Problem description

As per the SP-initiated SSO flow, the user tries to access the SP. Since the user is unauthenticated, he is redirected to the IDP, where he enters his credentials; after a successful login, the IDP sets cookies in the user's browser (under the IDP's domain) and redirects the user back to the SP with a SAML response. Once the SP verifies the SAML response, it creates its own cookie/token and sets it in the user's browser under the SP's domain.

What should ideally happen in subsequent requests:

  1. The SP should rely only on its own cookie to get the user information.
  2. The SP should validate the user's session with the IDP in every request.

If option 1 is advised, is it OK from a security point of view, as post-login there is no communication between the SP and the IDP for further requests?

If option 2 is advised, there would be an overhead to call the IDP in every request, which might impact the performance of the SP.

Please suggest what the ideal flow should be here.

Recommended answer

If option 1 is advised, is it OK from a security point of view, as post-login there is no communication between the SP and the IDP for further requests?

[ME] Yes, the SP should be responsible for validating the cookie (which can either be encrypted with all the details held in the cookie, or referenced via an ID that points to a persistent storage area). The IDP's job is to provide the identity, which it has already done.

If option 2 is advised, there would be an overhead to call the IDP in every request, which might impact the performance of the SP.

[ME] Yes, that would be overkill for validating the user's session via the IDP. The way it works is: if the SP session is invalid or is being created, go to the IDP; if the IDP cookie/session is valid, it provides the SAML response/assertion, otherwise it authenticates the user; finally, the SP creates a new session.

HTH.

