Enhancing Multipass SAML Authentication: Automated Refresh for Extended Sessions

Hi,

We are using the Flask-Multipass SAML Auth Provider and the SAML Auth Responses currently have an expiration of one day.
The Indico session is renewed upon user interaction, which means that a user can still be legitimately logged in even though the SAML response is no longer valid.

We are interested in having some kind of (at best: non-interactive) refresh after the expiration of the SAML response (a bit of background: We use this plugin in order to use groups with SAML,
and group membership information is only updated on login, so a user would currently have group access if they indefinitely extend the session).

Is there a recommended way to implement this in a plugin?

One thought would be to override the IndicoSession and either redirect to the login page or to the SAML Identity Provider after expiration.

Generally we recommend against using group information that’s only available during login times, because as you correctly noticed, the Indico session is created during login and then there’s no more interaction with whatever you used to log in.

I think the only halfway decent way to do what you want to do would be to add some way to allow passing an optional hard expiry date for the Indico session from the Multipass identity provider, and then considering the session invalid (either explicitly or by never setting an expiry in redis that’s after that date).

If you are willing to contribute such a feature, great! You can probably make use of the multipass_data field of the IdentityInfo. During the login on the Indico side (in the process_identity function) you’d then check if the key exists and store this expiry date on the session. Another option would be making the max session duration a first-class citizen of flask-multipass (ie adding a new attribute to IdentityInfo directly and support in other places of flask-multipass as needed), and then checking for that in Indico.

With some effort you could do it in a plugin as well: Use the signals.users.logged_in signal, and check the identity’s multipass_data for what I explained above, and then store this data on the session. To force a logout you’d need to use e.g. the flask before_request signal to check if the session expiry has been reached and if that’s the case clear the session - you probably want session.clear() for this and not multipass.logout() because the latter would do an SSO logout, which is probably not what you want.

Instead of just clearing the session you could of course also redirect to the SSO login endpoint again so the user gets more or less transparently logged in again if they still have a valid SSO session.

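The plugin approach sketched in the reply above (store a hard expiry from the identity's multipass_data at login, then enforce it on every request, clearing the session rather than doing an SSO logout, optionally redirecting to the SSO login for a transparent re-login), written out as an added example. This is not code from the reply's author, Indico or flask-multipass: the key names `hard_expiry` and `_multipass_hard_expiry`, the `max_lifetime` cap and the return codes are assumptions, and the handlers take the session and clock as plain arguments so the logic runs stand-alone; in a real plugin `on_logged_in` would be connected to `signals.users.logged_in` and `check_session` to Flask's `before_request`.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical key names (assumptions, not flask-multipass conventions): the SAML
# auth provider would have to place the response's expiry into
# IdentityInfo.multipass_data under MULTIPASS_KEY.
MULTIPASS_KEY = "hard_expiry"
SESSION_KEY = "_multipass_hard_expiry"


def _parse_utc(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; naive values are taken as UTC."""
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def on_logged_in(session: dict, multipass_data: dict, now: datetime,
                 max_lifetime: timedelta = timedelta(days=1)) -> Optional[datetime]:
    """logged_in handler: copy the hard expiry from multipass_data onto the session.

    Returns the effective expiry, or None when the provider sent none (for
    example a local login), in which case any stale value is dropped.  The
    expiry is capped at now + max_lifetime so a misconfigured upstream value
    cannot extend the Indico session beyond the SAML response lifetime.
    """
    raw = multipass_data.get(MULTIPASS_KEY)
    if raw is None:
        session.pop(SESSION_KEY, None)
        return None
    expiry = min(_parse_utc(raw), now + max_lifetime)
    session[SESSION_KEY] = expiry.isoformat()
    return expiry


def check_session(session: dict, now: datetime, reauth: bool = False) -> str:
    """before_request handler: enforce the stored hard expiry.

    Returns one of:
      "no-expiry" - session carries no hard expiry, left untouched
      "valid"     - expiry not yet reached, left untouched
      "cleared"   - expiry reached; session cleared, no SSO logout performed
      "redirect"  - expiry reached; session cleared and the caller should
                    redirect to the SSO login endpoint so a user with a live
                    SSO session is logged in again transparently
    """
    raw = session.get(SESSION_KEY)
    if raw is None:
        return "no-expiry"
    if now < _parse_utc(raw):
        return "valid"
    # session.clear() rather than multipass.logout(): the latter would trigger
    # an SSO logout at the identity provider, which is not wanted here.
    session.clear()
    return "redirect" if reauth else "cleared"


def simulate() -> dict:
    """Constructed walk-through: log in at t0, check 23h and 25h later."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    session = {"_user_id": 42}  # constructed stand-in for the Indico session
    # Constructed multipass_data: a one-day expiry, matching the SAML response
    # lifetime mentioned in the question.
    data = {MULTIPASS_KEY: "2024-01-02T09:00:00+00:00"}
    expiry = on_logged_in(session, data, t0)
    return {
        "expiry": expiry,
        "before": check_session(session, t0 + timedelta(hours=23)),
        "after": check_session(session, t0 + timedelta(hours=25), reauth=True),
        "session_after": dict(session),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Because `check_session` clears the session before returning "redirect", a user whose SSO session has also lapsed simply lands on the login page, while one with a live SSO session gets a fresh Indico session and, importantly for the group use case in the question, fresh group membership data from the new login.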