Question
I am evaluating WSO2 5.0.0 and require token-based access authentication and authorization.
Using the WSO2 5.0.0 Identity Server for web SSO with SAML2, when I send a SAML request to WSO2 using the IdP URL
https://localhost:9443/samlsso
from the browser, I found it has a samlssoTokenId cookie with some expiry time. Can this cookie token be used for getting a new SAML certificate, which will be used further for authentication and authorization?
What is this samlssoTokenId cookie used for? Can it be used to refresh the session?
I am giving a scenario:
For example, I have two web applications.
The user logs in from web app1 and gets a samlSSOTokenId from WSO2.
In the web app code, store this cookie token in the HTTP Authorization header.
When the same user requests any resource from web app2, with the samlssoTokenId in the Authorization header,
web app2 verifies this token with the WSO2 server, gets a new SAML certificate, and
gives the user permission to access the resource.
Any suggestion?
Thanks
Answer 1:
samlssoTokenId is a cookie, and it's used by WSO2 Identity Server (IS) to find the user's SAML session.
This cookie is set by IS, so the browser will automatically send it to IS whenever a request goes there. That means, if the user already has a SAML session on the IS side, when s/he tries to access another Service Provider this cookie will be sent to IS with that SP's SAML request. Then IS can find this user's existing SAML session and provide SSO.
Since this cookie is stored in the browser, it is not exposed to web apps.
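As an added illustration (not WSO2 code, and not from the answer's author), the following Python model shows why the answer holds: the browser's cookie jar is scoped to the IdP host, so IS can find the session when a second SP's AuthnRequest arrives, while neither SP's own host ever receives the cookie. The hostnames, credentials and the in-memory session store are constructed assumptions.

```python
import secrets
from urllib.parse import urlparse

IDP_URL = "https://localhost:9443/samlsso"   # IdP endpoint named in the question
COOKIE_NAME = "samlssoTokenId"

def saml_response(sp_issuer, subject, sso):
    """Stand-in for the signed SAML Response an SP actually consumes."""
    return {"issuer": "idp", "audience": sp_issuer, "subject": subject, "sso": sso}

class IdentityProvider:
    """Toy IS: maps samlssoTokenId values to authenticated subjects (constructed)."""
    def __init__(self):
        self.sessions = {}                          # cookie value -> subject
        self.users = {"alice": "correct horse"}     # constructed credentials

    def handle_authn_request(self, sp_issuer, cookies, login=None):
        """Return (response, set_cookie). A valid cookie gives SSO without a login."""
        token = cookies.get(COOKIE_NAME)
        if token in self.sessions:
            return saml_response(sp_issuer, self.sessions[token], True), None
        if login is None or self.users.get(login[0]) != login[1]:
            return None, None                       # IS would render its login page here
        token = secrets.token_urlsafe(32)           # fresh, unguessable session id
        self.sessions[token] = login[0]
        return saml_response(sp_issuer, login[0], False), (COOKIE_NAME, token)

class Browser:
    """Cookie jar keyed by host: a cookie set by the IdP only ever goes back to the IdP."""
    def __init__(self):
        self.jar = {}

    def cookies_for(self, url):
        return dict(self.jar.get(urlparse(url).hostname, {}))

    def send_authn_request(self, idp, sp_issuer, login=None):
        resp, set_cookie = idp.handle_authn_request(sp_issuer, self.cookies_for(IDP_URL), login)
        if set_cookie:
            self.jar.setdefault(urlparse(IDP_URL).hostname, {})[set_cookie[0]] = set_cookie[1]
        return resp

def run_sso_scenario():
    """Login at app1, then SSO into app2; report what app2's own host can see."""
    idp, browser = IdentityProvider(), Browser()
    denied = browser.send_authn_request(idp, "app1")                  # no session, no credentials
    first = browser.send_authn_request(idp, "app1", ("alice", "correct horse"))
    second = browser.send_authn_request(idp, "app2")                  # cookie carries the session
    visible_to_app2 = browser.cookies_for("https://app2.example.test/acs")  # constructed SP host
    return denied, first, second, visible_to_app2
```

The second SP gets a response for alice without a password because the cookie rides along to IS, yet the SP-side cookie view is empty, which is why the question's "forward the cookie in an Authorization header" design has nothing to forward.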
Source: https://stackoverflow.com/questions/29004212/what-this-samlssotokenid-used-for-can-it-be-used-for-refresh-session-and-get-new