ADFS freshness and session sliding


Question

I have implemented session sliding in my custom HttpHandler module.


I am trying to achieve session sliding as well as getting authenticated on multiple websites which share the same ADFS server.

public void SessionAuthenticationModuleSessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
{
    // The module that raised the event; bail out early so it is never dereferenced while null
    SessionAuthenticationModule sam = sender as SessionAuthenticationModule;
    if (sam == null)
    {
        return;
    }

    SessionSecurityToken token = e.SessionToken;
    DateTime nowUtc = DateTime.UtcNow;
    DateTime validFrom = token.ValidFrom;
    DateTime validTo = token.ValidTo;
    double totalMinutes = (validTo - validFrom).TotalMinutes;
    double halfSpan = totalMinutes / 2;

    if (validTo < nowUtc)
    {
        // Token has expired: drop the cookie and cancel so WIF signs in again
        sam.DeleteSessionTokenCookie();
        e.Cancel = true;
    }
    else if ((nowUtc - validFrom).TotalMinutes >= halfSpan)
    {
        // Past the half-way point: reissue the token with a fresh full lifetime (sliding)
        SessionSecurityToken renewToken = sam.CreateSessionSecurityToken(
            token.ClaimsPrincipal,
            token.Context,
            nowUtc,
            nowUtc.AddMinutes(totalMinutes),
            true);
        e.SessionToken = renewToken;
        e.ReissueCookie = true;

        //db timestamp update
    }
}

And SignedIn event

public void WSFederationAuthenticationModuleSignedIn(object sender, EventArgs e)
{
    SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
    // Token WIF just created for this sign-in (the cookie is not on the request yet)
    SessionSecurityToken token = sam.ContextSessionSecurityToken;
    if (token != null && token.ValidTo > DateTime.Now.ToUniversalTime())
    {
        //db insert for new login (assuming this will fire only once on actual login)
        sam.WriteSessionTokenToCookie(token);   // reissue token
    }
}

The session timeout is set in my relying party application's web.config:

<securityTokenHandlers>
  <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
    <sessionTokenRequirement lifetime="0:02" />
  </add>
</securityTokenHandlers>

I do not want to change the token lifetime on ADFS, which is greater than 2 minutes.

But the issue is, after 2 minutes the timeout is not happening. It goes to the SignedIn event because, I assume, it reissues the token and then calls the session token received event, so this condition (if (validTo < nowUtc)) is never satisfied. How can I achieve timeout here? Freshness="0" achieves it, but if I set Freshness="0" then I cannot get authenticated by the other websites which are on the same ADFS server. I want to be authenticated on the other website as well if I have logged in to one.

If I remove freshness="0", I can be authenticated without logging in on the second website, which is a different application.

Why is SignedIn getting called before session token received, and how can I achieve timeout in a proper way and get authenticated on multiple websites?


Note: I have these events in my custom HttpHandler module, which has other events as well, like PostAuthenticateRequest.

Answer


When you receive a session token, the token you receive from ADFS starts expiring. After it has completely expired it needs to be refreshed.


  • 这是具有ADFS(调用到广告,你想了解一下用户的每一次)acurate的信息,并有一个可行的情况(一签署令牌中,我们相信信息仍然有效一定的有效期限之间的平衡)。


After the token expires, you need to get back to adfs (hence the signin event) to get a new token from adfs. The idea is that some of the information might have changed between the issuing of these two tokens.


You can implement sliding sessions on the client side (your relying parties) but that makes little sense (I'll come back to this) since you are telling yourself that the token is valid for another period. You trust yourself but the information inside the token can get out of sync and that is why you always need to go back to adfs.


All of this could make sense if you implement an automatic refresh of the token yourself. This would mean that you exchange your current token for a new one with a new validity period. I guess ADFS can do this (but you need the active scenario for this). It's not a lot of code but it can be hell to set up right and I don't have any example for this.


In the end you need to ask yourself if it's worth the hassle. WIF will do an automatic signin again and a user inside the domain will be automatically logged in. A user outside the domain might have to type their credentials again. I don't think this is the end of the world.

  • Finally, I see you are using Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, which is the old implementation. .NET 4.5 has a new implementation.
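An added example, not code from the question or the answer: the question's sliding handler with the null check in place and an absolute cap on how long a session may be slid before the user is sent back to ADFS, which bounds the drift from ADFS that the answer warns about. The claim type and the 8-hour cap are assumptions; the WIF 3.5 (Microsoft.IdentityModel) types are used to match the question's configuration.

```csharp
using System;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

// Added example: sliding session with an absolute cap measured from the first sign-in.
// The claim type and the 8-hour cap below are assumptions, not values from the question.
public static class CappedSlidingSession
{
    static readonly TimeSpan AbsoluteMax = TimeSpan.FromHours(8);
    const string FirstSignInClaim = "http://example.invalid/claims/first-signin-utc-ticks";

    public static void OnSessionTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
    {
        var sam = sender as SessionAuthenticationModule;
        if (sam == null) return;                      // the question's code dereferences sam without this

        SessionSecurityToken token = e.SessionToken;
        DateTime nowUtc = DateTime.UtcNow;
        TimeSpan lifetime = token.ValidTo - token.ValidFrom;
        DateTime firstSignIn = GetOrStampFirstSignIn(token.ClaimsPrincipal, token.ValidFrom);

        if (token.ValidTo < nowUtc || nowUtc - firstSignIn > AbsoluteMax)
        {
            // Expired, or slid for too long: drop the cookie and let WIF sign in at ADFS again
            sam.DeleteSessionTokenCookie();
            e.Cancel = true;
            return;
        }

        if (nowUtc - token.ValidFrom >= TimeSpan.FromTicks(lifetime.Ticks / 2))
        {
            DateTime cap = firstSignIn + AbsoluteMax;
            DateTime newValidTo = nowUtc + lifetime;
            if (newValidTo > cap) newValidTo = cap;   // the last renewal is cut short at the cap

            e.SessionToken = sam.CreateSessionSecurityToken(
                token.ClaimsPrincipal, token.Context, nowUtc, newValidTo, token.IsPersistent);
            e.ReissueCookie = true;
        }
    }

    // Reads the first-sign-in claim, or stamps it so the renewed token carries it forward
    static DateTime GetOrStampFirstSignIn(IClaimsPrincipal principal, DateTime fallbackUtc)
    {
        var identity = principal.Identity as IClaimsIdentity;
        if (identity == null) return fallbackUtc;
        foreach (Claim c in identity.Claims)
            if (c.ClaimType == FirstSignInClaim) return new DateTime(long.Parse(c.Value), DateTimeKind.Utc);
        identity.Claims.Add(new Claim(FirstSignInClaim, fallbackUtc.Ticks.ToString()));
        return fallbackUtc;
    }
}
```

Wire OnSessionTokenReceived to FederatedAuthentication.SessionAuthenticationModule.SessionSecurityTokenReceived in the same module where the question hooks its events; once the cap is hit the next request is cancelled and WIF performs the sign-in at ADFS that the answer describes.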
