I want to know which user is logged in currently into the ADFS.
I am using Claims Provider for ADFS and through that, I am logging into ADFS. Now I want to see in ADFS that this particular user is currently logged in. Basically I want to see the user details of logged in user in ADFS
There is no as such session monitoring console on ADFS, instead there are events generated for every successfull authentication that contains claims.
Also, if you want to check the entire header based interaction, please enable security logs.
Also, enabling security logs is not recommended for production environment as it creates enormously large count of events for every authentication request ADFS receives.
Related
I need to login to Auth0 without login prompt on my intranet under certain circumstances.
I have a very particular use-case, where I have created a very special user in auth0 called "analytics" which has access to some of our analytics in Tableau.
I created it, so I know the login password and can create refresh tokens with unlimited life.
I had to create this user in auth0 and have it managed by auth0 because that's how our company access Tableau and I can't change this policy.
In another web application, which doesn't use Auth0 at all and has its own authentication methods, I need some users to have access to the ressources that the "analytics" user can access. (there also, no way to change this web application to use Auth0, because that's another company policy and I can't change it)
To achieve this, I have no choice but to allow all logged in users of the web application to be also automatically logged in as "analytics" in auth0.
Since this is an intranet, it is perfectly ok to hardcode a refresh token or login password. Also there's nothing too confidential about the analytics in question.
I know how to use the refresh token to call an API, but I don't know how to use it to "login" the user, e.g. his browser has the right cookie so auth0 knows that his browser is indeed him.
Is there any way to achieve this ?
I don't understand very well the OAuth 2.0 protocol, hence my question.
Does ORY Hydra currently have a feature that verifies if a client is logged in via OpenID Connect? I notice there is an API to logout via front-channel
When a user revisits the identity provider, however, I have no way of knowing if they are currently logged in or not. They could delete their client-side HTTP cookies and then I am out of sync with Hydra. Meaning: Hydra has them as logged in, but I have them now as logged out. Also, in the event of a back-channel logout, I want to be able to query for this state.
Is there an API I am overlooking that allows me to know whether a client currently has an active OpenID Connect login via Hydra?
It appears as of right now the only thing one can do is redirect the user to the authorization endpoint since we have no way of knowing if they are authorized or not.
The following two tables that ship with Hydra seem to be the source of truth for the data I am after: hydra_oauth2_access and hydra_oauth2_authentication_session. Does it ever make sense to query those directly if there is no supported HTTP API out of the box to see if a user has an active authentication session?
Sending an authentication request via a redirect to the Provider including prompt=none addresses this use case: it will silently login and return new tokens if there's an ongoing SSO session at the Provider, it will return an error code login_required if not.
Notice there will never be explicit user interaction in both cases so this is convenient (and meant) to run in an hidden iframe.
LOGGED IN STATE
An OAuth client is most commonly a UI application with multiple users. Each user's logged in state is represented by an Authorization Server session cookie that neither the application or user have access to:
The Authorization Server (AS) issues an SSO cookie, to be stored in the system browser for the AS domain
Both Web UIs and Native UIs send it implicitly on subsequent requests, when they invoke the system browser
AUTHORIZATION REDIRECTS
When an OAuth UI redirects the user, it is generally unknown whether:
The user will be prompted to login
The user will be signed in silently (eg the user could have signed in to another app)
For a Web UI it is possible to send an authorization redirect on a hidden iframe with a prompt=none parameter. If the user needs to sign in a login_required error code will be returned. See my Silent Token Renewal Page for further details.
This is not fully reliable however, and has some browser issues in 2020. Also it may be unsuitable if you are using a different type of client.
FEDERATED LOGINS
In some setups the AS redirects further to an Identity Provider (IDP), and the user's login state is further influenced by an IDP session cookie.
There is no way for an app to get hold of the user's IDP login state, since the app only ever interacts with the AS.
IS THERE A USABILITY PROBLEM?
If so, post back and we can discuss further ...
I have a webapp which asks user several questions and store answers. User logs in via OAuth using external provider, then I get user ID information from external SSO server.
I need my app to be used by several users at the same computer, so every time the form is submitted, I need to log out the user. I can do it easily in my app, but then I redirect user to OAuth server again. OAuth server remembers user, so it gives the code of previously logged user right away. I want users to log in again at OAuth server though, but how can I do it? Is it possible to ask OAuth server not to remember the user that had logged in previously?
From your question the actual flow is a bit unclear, however, there are two options:
The client needs to log out after initial log in. With this, a new session flow will be initiated in the next iteration, forcing the client to have to log in again.
The server needs to not remember consent ("Do you want to allow x on app y."), to ask the client for consent again.
Please be aware of the terms authentication, authorisation and consent have very specific meanings in this context.
You may want to share more details on the situation you are in, e.g. relevant code, the OAuth2 server you want to authorise with, including software, version and possibly url. Also, the client (as in rfc6749) is of importance here, did you implement the oauth flow yourself or did you rely on any library? If yes, which?
Imagine the following scenario.
User visits a site A (ASP.NET), authenticates using ADFS and gets a set of claims . At some point, they need to register for an additional service so they are redirected to a provisioning site B (ASP.NET) (also using ADFS – so SSO) where they register by entering their relevant details and are redirected back to A.
However, part of the provisioning process added attributes to a repository (normally AD) and we would like those attributes to form part of their claim set.
To do this they have re-authenticate? Is the best way to do this by forcing a federated logout? Would this be done by site A or site B?
If they are internal users using WIA, they would be logged in “behind the scenes” and the whole process would be transparent.
What if they are external users using FBA? Wouldn’t they have to log-in again? Given that this is not a very satisfactory user experience, is there a way around this?
There are some references out there that talk about writing a signed token as a cookie to the client browser and then the STS later authenticating the SSO token from the cookie. How would you do this with ADFS?
Have a look at the blog post I wrote about a similar scenario:
Refreshing Claims in a WIF Claims-Aware Application
In this case, the user is logged out locally but then redirected back to ADFS where they are "signed back in" since their ADFS cookie is still valid. This little hop is mostly transparent to the user and will update the claims.
I have a Spring MVC web application, there are no secure areas so all users can see all pages however i do have a Facebook log, using spring social, in and i do identify each user by session id. the scenario is that a user can see pages as a guest where the application identify him (or her) by the session id, when the user log in with his (or hers) Facebook account, a record is save for the user with the corresponding Facebook data.
the next time the user visit the application i want to be able to identify him.
i thought about using spring security remember me feature (and an infrastructure for maybe future use).
so my question is, is spring security the right solution for me? and if so is it possible to set authentication by session id?
Spring security is good for authenticating users. If you were just to authenticate by session id, there is the possibility that bogus users could access user info by spoofing their session data.