web-security

iarenaza 2020-11-04T09:18:21.014100Z

I don't see any immediate red flag, but I don't know how you plan to validate the session token/cookie and refresh it.

simongray 2020-11-04T11:00:46.018700Z

@iarenaza thanks for taking a look. I save the SAML assertions in an in-memory ring session store with a TTL of 8 hours. I consider the assertions valid for those 8 hours, but after that the user will have to log in again. So I guess I’m not doing any refreshing? I’m not sure how I should do validation or whether it’s even necessary?

iarenaza 2020-11-04T14:36:12.022800Z

@simongray I don't use SAML, but OpenID Connect (OIDC) and OAuth2. So maybe the concepts are not transferable. But in those two cases (OIDC, OAuth2) the token (ID Token or Access Token) is generated by a third party, not by oneself. So you need to validate those tokens before you can trust any claims (assertions) made by the tokens. That's what I was referring to with "how you plan to validate the session token". Also, OIDC and OAuth2 have mechanisms to allow refreshing those tokens (up to a configurable maximum lifetime) without forcing the user to log in again. If SAML doesn't have this kind of mechanism or you don't plan to use it, you can ignore my comment :)

simongray 2020-11-04T14:42:37.022900Z

The SAML identity provider in question (the URL that the login is being delegated to) has an 8-hour TTL policy, so I'm just respecting that in my service. The validation is already taken care of as part of the SAML authentication flow, so the session token is just one I generate myself (well, Ring does it for me) to keep track of logged-in users and the assertions I have received about them. Seems like everything is in order then. Thanks for your help :-)

2020-11-04T15:06:48.026200Z

Hi @simongray, I'm late to the discussion, but did you consider using Keycloak? I've only used it with OIDC, but I know Keycloak can handle SAML. On the backend side there is an adapter for verifying OIDC tokens, but I don't know about the SAML part. I maintain the Keycloak-Clojure wrapper: https://github.com/jgrodziski/keycloak-clojure

simongray 2020-11-04T15:21:57.026400Z

I seem to have starred it already, but didn't notice that it supported SAML. To be perfectly honest with you, I actually am trying to get away from Java frameworks. My predecessor created a setup involving Shibboleth-sp, two web servers, a Postgres DB, some XML, and a JSP app, which felt too complex to me just to integrate some authentication. I just want to be able to start a SAML-authenticated web service and spin up a server in the same Clojure file with no moving parts. So I've created a mini-library to add SAML authentication to a Pedestal service based on a minimal configuration map.