Hi all,

Customer requests
==============================================================

Customer has a Native App (Android/iOS) that authenticates with NAM via the OAuth2 authorization flow.

When the authentication request occurs, a web view with a login form is opened and the authentication takes place.

After the authentication, the cookie _PDA_SDK_SSO is extracted and saved locally (NOT the JSESSIONID).

Once you open a NEW web view (closing the previous one) to open a SAML2 web application, the _PDA_SDK_SSO cookie is re-injected to grant the SSO, BUT, and this is the problem, the login page is shown again.

What the customer wants to obtain is that, given that the refresh-token renewal occurs every 30 days, the application should still be authenticated, and opening a web view and re-injecting the token should produce SSO.

NOTE: If the Native App is NOT closed, the SSO works correctly.

Our observations
===============================================================

In the IdP we have the option to use a persistent cookie when setting up two OAuth applications. Below is an extract from the documentation:

Documentation says (https://www.netiq.com/documentation/access-manager-45-appliance/admin/data/b1dj6b2f.html, Registering OAuth Client Applications > Client Type):

Select whether this is a web-based or a desktop client application.
If you select Native/Desktop, Use Persistent Cookie gets displayed.
You can select Use Persistent Cookie to allow single sign-on for a user who uses client applications on a desktop or a mobile.
For example, a user accesses client A using the credentials and gets authenticated. Client A receives a refresh token and an access token. Now, the user accesses client B immediately or after a few days. If Use Persistent Cookie is enabled for client B, then the client uses the persistent cookie to retrieve the token and authenticate the user. Hence, client B will get authenticated automatically.


Our customer has two native client applications, but he is trying to use the persistent cookie while using OAuth and SAML. Basically, the first application (A) is a native one with the persistent cookie enabled.

The second one (B) is a SAML application that sends a SAML request to our nidp portal.

The flow the customer is trying to achieve is the following:

1) Client application starts the OAuth flow (auth. code flow) and the user authenticates on the nidp portal. As a response, the client gets the auth. code and the persistent cookie for the session.

2) Client B starts the SAML flow and, as part of the SAML request, it sends the persistent cookie to the nidp portal. At the moment, the user is asked to authenticate on the portal. The customer wants to use that persistent cookie as part of the SAML flow so the user doesn't get prompted for authentication.

Thanks,
Cristiano

P.S.:

Tests performed by the customer show:

- ANDROID: using a web view to open the SAML2 portal, even after closing the application (all the cookies "survive"), the user is recognized as authenticated (JSESSIONID and PersistentCookie are passed).

NOTE I: the session survives also after days (the customer expects this session to expire independently of the refresh token expiration).

NOTE II: The customer has verified that, since the cookies are not cleared out in the web view, the JSESSIONID of a "valid" session is passed, and this is why you get in directly. Why is the session still active, since it should have a 60 min expiry time? It seems that every time they call the token endpoint that generates an access token from the refresh token, NAM returns a JSESSIONID as it refreshes the session related to the token.
This token is injected (autonomously by NAM) into the web view, granting SSO.

So customer questions are:

1. Is it correct that when they call the refresh endpoint this regenerates an authenticated session with the user's data from the refresh token?
2. Is it correct that at every call the JSESSIONID value is changed?


- iOS: using a web view to open the SAML2 portal, after closing the application (all the cookies are deleted automatically at closure, as an iOS setting), the user is not recognized as authenticated (the PersistentCookie is injected, while the JSESSIONID, because of the iOS settings, cannot be injected).

What the customer would like to obtain is to maintain the session (in all cases, also web/SAML2) even with the PersistentCookie only, when it is present.
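As an added example (not code from the original post, nor NAM's own), a small Python script that classifies which of the cookies named in this thread a web view would still send after the app is closed and reopened; the Set-Cookie headers and their attribute values are constructed assumptions, not a real NAM deployment's settings:

```python
"""Which cookies does a reopened web view still send? Session vs persistent."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample headers; the attribute values are assumptions for
# illustration, not the cookie settings of a real NAM deployment.
SAMPLE_SET_COOKIES = [
    "JSESSIONID=ABC123DEF456; Path=/nidp; Secure; HttpOnly",
    "_PDA_SDK_SSO=tok_xyz789; Path=/; Max-Age=2592000; Secure; HttpOnly",
    "legacy=old; Expires=Wed, 01 Jan 2020 00:00:00 GMT; Path=/",
]

def classify_cookie(set_cookie_header, now=None):
    """Parse one Set-Cookie line: name, whether it is persistent, and expiry."""
    now = now or datetime.now(timezone.utc)
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    (name, morsel), = jar.items()
    expires_at = None
    if morsel["max-age"]:
        # Max-Age wins over Expires when both are present (RFC 6265 5.3).
        expires_at = now + timedelta(seconds=int(morsel["max-age"]))
    elif morsel["expires"]:
        expires_at = parsedate_to_datetime(morsel["expires"])
    persistent = expires_at is not None  # no expiry at all -> session cookie
    return {
        "name": name,
        "persistent": persistent,
        "expired": persistent and expires_at <= now,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


def cookies_sent_after_restart(headers, session_cookies_kept, now=None):
    """Names of unexpired cookies a reopened web view would still send.

    session_cookies_kept=True models a web view that keeps session cookies
    across app restarts (the Android behaviour in the post); False models
    one that discards them on close (the iOS behaviour in the post).
    """
    kept = []
    for header in headers:
        info = classify_cookie(header, now)
        if not info["expired"] and (info["persistent"] or session_cookies_kept):
            kept.append(info["name"])
    return sorted(kept)
```

Run it against the real Set-Cookie headers captured from the IdP response to see which cookie is actually carrying the SSO on each platform.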

Comments

  • A possible option is to explicitly persist the cookies in common cookie storage and reload them between app launches, e.g. in the app delegate, as described at length in this SO post:

    https://stackoverflow.com/questions/26005641/are-cookies-in-uiwebview-accepted

  • Hi

    I'm adding a use case that could be related to this RFE, suggested to me by the customer, that maybe can make the thing easier.


    - Application A opens a new window in application B, sending its Access Token in a POST.
    - Application B receives the Access Token and calls NAM, performing a SAML2 IdP-initiated flow and sending the Access Token (https://<idp_server>/nidp/saml2/idpsend?PID=<saml2_entity_id>&access_token=<access_token>)
    - NAM starts the SAML2 process using as input what is contained in the access token, thus bringing up the user object that performed the login.