
SAML Session Timeout not working


Fabian Näf

Hi Buddies!

 

I'm using Passwordstate mainly from two computers, my laptop and my VDI client. The VDI client is always running, and the laptop I put into hibernate mode after work. Regarding the session timeout, I'm experiencing different behaviours on the two clients.

 

VDI Client

On the VDI client, which is always running, the session timeout is working perfectly and I'm getting logged out from my SAML provider after the timeout limit has been reached. When I log in to the VDI client the next day, I see the SAML provider's logout page, which is: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
Then I have to do a complete sign-in to the SAML provider again to be able to access Passwordstate. Exactly what I want :-)

 

Laptop

On my laptop I'm experiencing a different behaviour. When I put my computer into hibernate after work and turn it on the next day, I see the logout page of Passwordstate (in the meantime the session timeout has been reached). After pressing the button to logon again (on the Passwordstate logout page), I'm getting forwarded to the SAML provider's logon page, where I'm still logged in (I never got logged out from the SAML provider). So I'm directly getting forwarded to Passwordstate from the SAML provider and I'm logged in to Passwordstate, without entering any credentials, even though the session timeout would have been reached.

 

As SAML provider I'm using Azure AD and have the following URL configured for logout (default):

https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

On both computers I'm using Firefox as browser.

When I use the "Logout" button, logout just works fine, I'm getting logged out from the SAML provider.

 

Summary: When my computer is turned off, the session timeout is reached in the meantime and I turn on my computer again afterwards, I'm not getting logged out from the SAML provider, I'm only getting logged out from Passwordstate. As I'm still logged in to the SAML provider, I can directly access Passwordstate without entering any credentials.

 

Best regards,

 

Fabian

 

 


Hey Fabian,

 

In addition to the inactivity timeout we have, IIS also has a timeout for inactive sessions, which is why your session is ending when your computer is turned off.

 

Unfortunately we cannot end the session in Azure if your laptop is turned off, as our software needs to redirect to that URL in order to end the Azure session.

I hope this clarifies.

Regards

Click Studios


Thanks for your fast reply and your explanation.

I totally understand that you can't forward my laptop while it's turned off.

But why don't you always redirect to the SAML logout URL (HTTP status 302, HTTP header Location) instead of showing the IIS timeout logout page when my computer is turned on again?

 

Best regards,

 

Fabian

 

 

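The two behaviours discussed in this thread, side by side, as an added example that is not Passwordstate's code or Click Studios' implementation. It models a server that finds an expired application session and either renders a local logout page (what the laptop showed) or answers with a 302 to the IdP's wsignout1.0 endpoint (what Fabian proposes), then simulates the "log on again" click to show whether the IdP prompts for credentials. Assumed, not taken from the thread: the 20-minute timeout value, the hypothetical `passwordstate.example` return URL, that the IdP honours the WS-Federation `wreply` parameter on sign-out, and the toy browser/IdP model in `browser_follows`.

```python
"""Added example (not Passwordstate's code): what the server does when it
finds an expired application session, and why it matters for SSO.

Assumptions, not taken from the thread: a 20-minute inactivity timeout,
the hypothetical return URL, and that the IdP honours the WS-Federation
`wreply` parameter on wsignout1.0. The browser/IdP behaviour is a toy model.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

# WS-Federation sign-out endpoint quoted in the thread (Azure AD default).
IDP_SIGNOUT_URL = "https://login.microsoftonline.com/common/wsfederation"
IDP_HOST = "login.microsoftonline.com"
SESSION_TIMEOUT = timedelta(minutes=20)                  # assumed value
APP_RETURN_URL = "https://passwordstate.example/login"  # assumed, hypothetical host


@dataclass
class Session:
    """Application session plus a flag standing in for the IdP's own cookie."""
    user: str
    last_activity: datetime
    idp_signed_in: bool = True


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def is_expired(session: Session, now: datetime) -> bool:
    return now - session.last_activity > SESSION_TIMEOUT


def expire_cookie() -> str:
    # Clear the application's own session cookie; both variants do this.
    return "session=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"


def on_request_local_logout(session: Session, now: datetime) -> Response:
    """Variant 1 (what the laptop shows): expired session -> local logout page.
    The IdP session is left untouched."""
    if not is_expired(session, now):
        return Response(200, body=f"hello {session.user}")
    return Response(200, {"Set-Cookie": expire_cookie()},
                    body="Session timed out. <a href='/login'>Log on again</a>")


def on_request_idp_logout(session: Session, now: datetime) -> Response:
    """Variant 2 (what Fabian asks for): expired session -> 302 to the IdP's
    wsignout1.0 endpoint, so the IdP session ends as soon as the browser is back."""
    if not is_expired(session, now):
        return Response(200, body=f"hello {session.user}")
    query = urlencode({"wa": "wsignout1.0", "wreply": APP_RETURN_URL})
    return Response(302, {"Location": f"{IDP_SIGNOUT_URL}?{query}",
                          "Set-Cookie": expire_cookie()})


def browser_follows(session: Session, response: Response) -> None:
    """Toy browser + IdP: following a redirect to the sign-out endpoint ends the IdP session."""
    if response.status != 302:
        return
    loc = urlsplit(response.headers["Location"])
    if loc.netloc == IDP_HOST and parse_qs(loc.query).get("wa") == ["wsignout1.0"]:
        session.idp_signed_in = False


def relogin_prompts_for_credentials(session: Session) -> bool:
    """'Log on again' bounces through the IdP; it only prompts when its session is gone."""
    return not session.idp_signed_in


def overnight(handler) -> bool:
    """Log in, hibernate for 12 hours (well past the timeout), wake up, hit the app,
    then press 'log on again'. Returns whether credentials were required."""
    login_time = datetime(2024, 1, 1, 17, 0, tzinfo=timezone.utc)
    session = Session("fabian", login_time)
    response = handler(session, login_time + timedelta(hours=12))
    browser_follows(session, response)
    return relogin_prompts_for_credentials(session)


def laptop_scenario() -> bool:
    return overnight(on_request_local_logout)


def proposed_scenario() -> bool:
    return overnight(on_request_idp_logout)


if __name__ == "__main__":
    print("local logout page -> credentials required:", laptop_scenario())    # False
    print("302 to wsignout1.0 -> credentials required:", proposed_scenario())  # True
```

The VDI case works because the browser is still alive when the timeout fires and can follow the sign-out redirect at that moment, which is the vendor's point; the second variant instead issues the redirect on the first request that arrives after expiry, so a hibernated client is handled too. Either way the IdP session only ends if the IdP supports front-channel sign-out at that URL and the browser actually follows the 302; whether a given IdP accepts `wreply` on wsignout1.0 should be checked against its own documentation.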