
Thursday, October 20, 2022

[FIXED] When to re-authenticate with the IdP?

October 20, 2022 | authentication, idp, saml, single-sign-on

Issue

I'm in a situation where my application (SP) needs to authenticate a user through SAML using an IdP (SP-initiated SSO).

Once my user is authenticated the first time he accesses the application, when should the SP "retrigger" an authentication (AuthnRequest)? Should I re-assert the SAML token at every REST call on the backend to know if it is still valid?


Solution

Once my user is authenticated the first time he accesses the application, when should the SP "retrigger" an authentication (AuthnRequest)?

Typically, renewed authentication requests are only required when the application's session times out. When you first receive the SAML response from the IDP, your application establishes a session for the user, which remains valid for that period. When that period expires and the session goes away, you should consider triggering another authentication request to the IDP. Depending on how long the IDP session is set to last, the user may or may not be prompted for credentials again.

If you want to force the IDP to ask the user for credentials regardless of the IDP's own session, you can send forced-authn in your authentication requests. The IDP may or may not support this type of request.

Should I re-assert the SAML token at every REST call on the backend to know if it is still valid?

Your question is generally unclear. What REST call? What backend?

Generally speaking, you should always validate the SAML assertion every time; here, every time means every time the IDP sends you, the application, an assertion. Once your application has a session after having validated that assertion, then what you do and the calls you make are up to you. The assertion is done and gone.

PS: SAML does not have tokens. It has responses, assertions, statements, etc. No tokens. There is a difference. Using the correct terminology helps folks respond better and more accurately.



Answered By - Misagh Moayyed
Answer Checked By - Marie Seifert (PHPFixing Admin)
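As an added illustration of the answer above (not part of the original post or the answerer's code), a small Python sketch of the service-provider side: the SP keeps its own session after validating the Response, re-triggers an AuthnRequest only when that session is gone, and sets ForceAuthn when it wants the IdP to re-prompt. The 8-hour lifetime, the example.test URLs and the 30-minute SessionNotOnOrAfter are assumed values; signing, encoding and Response validation are left out.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
SP_SESSION_LIFETIME = timedelta(hours=8)  # assumed SP policy, not from the answer

def start_session(name_id, now, session_not_on_or_after=None):
    """SP session created after the Response was validated; the assertion itself
    is not kept. Honour the IdP's optional SessionNotOnOrAfter if it is earlier."""
    expires = now + SP_SESSION_LIFETIME
    if session_not_on_or_after is not None:
        expires = min(expires, session_not_on_or_after)
    return {"name_id": name_id, "expires": expires}

def needs_authn_request(session, now):
    """New AuthnRequest only when no live SP session exists; backend calls
    check this session, never the already-consumed assertion."""
    return session is None or now >= session["expires"]

def build_authn_request(issuer, acs_url, destination, now, force_authn=False):
    """Minimal SP-initiated AuthnRequest (unsigned, before Redirect/POST encoding).
    ForceAuthn asks the IdP to re-prompt even if its own session is still alive."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),  # must be UTC
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")

def demo():
    """One session walked through its lifetime with constructed timestamps."""
    t0 = datetime(2022, 10, 20, 9, 0, tzinfo=timezone.utc)
    sess = start_session("alice", t0, t0 + timedelta(minutes=30))  # IdP cap 30 min
    return {
        "expires": sess["expires"].isoformat(),
        "reauth_at_10min": needs_authn_request(sess, t0 + timedelta(minutes=10)),
        "reauth_at_30min": needs_authn_request(sess, t0 + timedelta(minutes=30)),
        "forced": build_authn_request("https://sp.example.test/metadata",
                                      "https://sp.example.test/acs",
                                      "https://idp.example.test/sso", t0, True),
    }
```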