
We would like to implement SAML based SSO for our organization. We do not want employees to be able to access specific accounts outside of specific hours and IP ranges. (We do not want to set up a VPN for that use-case for multiple reasons.)

Question: Is it possible to somehow log the user out of a specific account that he signed into via SAML when his IP changes and is not part of the allowed range anymore?

Things we want to avoid:

  • Browser extensions
  • Polling of any kind
  • No additional infrastructure if possible

I really don't know if this is possible but would really appreciate your help.

2 Answers

Pure SAML - no, it's not possible.

This is a frequent scenario in regulated industries, e.g. a user comes to work in the morning, signs on to a sensitive service, performs tasks, does not sign out at the end of the work day, then takes their device home, and they're still able to access the sensitive service. It's a tougher problem to solve if the sensitive service is hosted outside of company "walls". Tougher but not impossible; the devil is in the details.

Assuming you're going with Web Browser SSO profile in SAML, your control point where you can apply your IP/hours constraint is limited to the identity provider. To be more precise, it's limited to the authentication event, i.e. when a user signs in to the identity provider. Subsequent clicks by the user that may launch or target a particular application (acting as a SAML service provider) will bypass the identity provider most of the time. The identity provider will not see the request so you have no way of applying your policy.

If you're okay with doing this at the identity provider during authentication, some SAML identity providers will allow you to implement a policy that looks at hours of operation and/or IP ranges to allow or deny authentication. Some identity providers with more sophistication will allow you to use a change of IP (and/or date/time) as a trigger for requiring reauthentication, which would then deny access as the next step.

The usual solution to this problem involves multiple layers where SSO is just one brick in the proverbial wall.

identigral

You would like the user to be signed out without any firewall / VPN in between. SAML, like many other authentication systems, works off of tokens/tickets. Once the user is authenticated, the IdP (identity provider) provides a ticket (with assertions inside) for the user's browser to submit to other applications that are integrated with this IdP. These applications will honor the ticket because the ticket is already signed by the IdP, and since the signature checks out against a stored public key (public/private key scheme), the app allows the user access without making a further request back to the IdP. So, as you can see, the IdP is not involved anymore after the first authentication and thus it cannot enforce the IP changes anymore.

The closest solution with using only SAML is:

  • Keeping the lifetime of tickets short: The user does not need the ticket again until the next login or login to another app. So, this can be a valid option depending on how often your users authenticate to another app.

  • Using OneTimeUse tickets: This essentially requires a trip to IdP for every new app authentication.

But, for both of these to work, your IdP session timeout should be set to a short time interval to cover the time necessary for your users to travel and have a different IP. This is because, if your IdP session has not expired, even though the app makes a request to the IdP, the IdP does not authenticate the user again because the user already has an active session with the IdP (and so it issues a new ticket without requiring the user to log in again).

Then of course, you must set IP/time limitations in your IdP.

With these, you would be able to handle IP changes of a user and require a re-authentication at the IdP (thus IP/time filtering is applied again). This is of course a limited work-around.

Check this out for more security suggestions from OWASP regarding SAML:

https://cheatsheetseries.owasp.org/cheatsheets/SAML_Security_Cheat_Sheet.html

K4M
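As an added illustration of the second answer's short-lifetime and OneTimeUse workaround (example code written for this page, not from either answer or from any SAML library), the following Python shows an SP-side check of an assertion's Conditions element backed by a replay cache, plus the kind of IP-range and hours policy an IdP would apply at the authentication event. The assertion XML, networks and working hours are constructed values, and signature verification is assumed to have happened before this check.

```python
import ipaddress
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion: a 5-minute validity window plus a OneTimeUse condition.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" IssueInstant="2024-01-15T09:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-15T09:00:00Z" NotOnOrAfter="2024-01-15T09:05:00Z">
    <saml:OneTimeUse/>
  </saml:Conditions>
</saml:Assertion>"""

def parse_saml_time(value):
    """SAML timestamps are UTC in xsd:dateTime form; this handles the common 'Z' variant."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class AssertionValidator:
    """SP-side enforcement of the Conditions element (hypothetical helper, not a library API)."""
    def __init__(self):
        self.seen_ids = set()  # replay cache that makes OneTimeUse mean something

    def validate(self, assertion_xml, now):
        root = ET.fromstring(assertion_xml)
        cond = root.find(f"{{{SAML_NS}}}Conditions")
        if cond is None:
            return False, "no Conditions element"
        if now < parse_saml_time(cond.get("NotBefore")):
            return False, "assertion not yet valid"
        if now >= parse_saml_time(cond.get("NotOnOrAfter")):
            return False, "assertion expired"
        if cond.find(f"{{{SAML_NS}}}OneTimeUse") is not None:
            assertion_id = root.get("ID")
            if assertion_id in self.seen_ids:
                return False, "assertion already consumed"
            self.seen_ids.add(assertion_id)
        return True, "ok"

def idp_allows_authentication(client_ip, now, allowed_networks, work_hours):
    """IdP-side policy evaluated only at the authentication event: source IP and hour window."""
    ip = ipaddress.ip_address(client_ip)
    in_range = any(ip in ipaddress.ip_network(net) for net in allowed_networks)
    start_hour, end_hour = work_hours
    return in_range and start_hour <= now.hour < end_hour
```

The replay cache only needs to retain an ID until its NotOnOrAfter has passed, which is why short lifetimes and OneTimeUse go together: the cache stays small, and every new app visit goes back through the IdP policy.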