Office 365 connector: sign-in required every day

Hi,

We started using Univention UCS with Office 365 connector and we’ve come across an issue that is quite disturbing.

Every day (about every 8-10 hours) users are asked to sign in with the federated domain.
We didn’t find any configuration related in Office 365.

We found a thread that said to change the umc/http/session/timeout value. We increased it to 7 days (in seconds) and restarted the server, but the issue still persists.

Other Office 365 accounts (not federated) don’t have this issue, which makes us think the root of the issue is in Univention UCS.

Could anyone tell us what to change so that we don’t have to sign in every day?

That’s probably the default SAML ticket validity as defined in /etc/simplesamlphp/config.php:

'session.duration'              =>  8 * (60*60), // 8 hours

We have created a bug report to make it configurable: https://forge.univention.org/bugzilla/show_bug.cgi?id=49503

Greetings
Daniel

Hi Daniel,

Thanks a lot for the info, I found the config right before you replied. :slight_smile:
Glad to hear that, I changed the duration.

Thanks again,
Balint

Hi Daniel,

I’ve changed the session.duration variable in these files:

/etc/simplesamlphp/config.php
/etc/univention/templates/files/etc/simplesamlphp/config.php
/usr/share/simplesamlphp/config/config.php

I understand I shouldn’t change anything created by templates but I’ve changed it in both. Once we find the solution I’ll implement it in the template file.

After the changes users are still asked to log in every 8 hours; the server was restarted after the change.

Do you have any advice on this?

Thanks,
Balint

I checked the SAMLResponse I get when successfully authenticating through UCS and here is the interesting part of it:

<saml:Subject>
  <saml:NameID SPNameQualifier="urn:federation:MicrosoftOnline" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">***</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2019-05-22T09:33:20Z" Recipient="https://login.microsoftonline.com/login.srf" InResponseTo="_3b9f0c0d-94db-42ce-8f0d-597f3bd69c45"/>
  </saml:SubjectConfirmation>
</saml:Subject>

<saml:Conditions NotBefore="2019-05-22T09:27:50Z" NotOnOrAfter="2019-05-22T09:33:20Z">
  <saml:AudienceRestriction>
    <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>

<saml:AuthnStatement AuthnInstant="2019-05-22T09:28:20Z" SessionNotOnOrAfter="2019-08-20T09:28:20Z" SessionIndex="***">
  <saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
  </saml:AuthnContext>
</saml:AuthnStatement>

The AuthnStatement reflects the changed value of session.duration (90 days); however, we are still asked to sign in every day.

We also disabled these in the organization:

ActivityBasedAuthenticationTimeoutEnabled                 : False
ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled : False
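To make the two timestamps in the assertion above easier to compare, here is an added example (not code from the thread, from Univention, or from SimpleSAMLphp) that parses the quoted fragment with the standard library and computes the two different lifetimes it carries: the Conditions/SubjectConfirmationData window, which bounds how long the bearer assertion itself may be presented, and the AuthnStatement SessionNotOnOrAfter value, which is the IdP's statement about its own session. The fragment is wrapped in a saml:Assertion root so it parses as one document; the masked values are kept as they appear in the post, and the audience string and the 60-second clock-skew allowance are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample: the fragment quoted in the post, wrapped in an
# Assertion root so it is one well-formed document. Masked values (***)
# are left exactly as the poster redacted them.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
<saml:Subject>
  <saml:NameID SPNameQualifier="urn:federation:MicrosoftOnline" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">***</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2019-05-22T09:33:20Z" Recipient="https://login.microsoftonline.com/login.srf" InResponseTo="_3b9f0c0d-94db-42ce-8f0d-597f3bd69c45"/>
  </saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2019-05-22T09:27:50Z" NotOnOrAfter="2019-05-22T09:33:20Z">
  <saml:AudienceRestriction>
    <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2019-05-22T09:28:20Z" SessionNotOnOrAfter="2019-08-20T09:28:20Z" SessionIndex="***">
  <saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
  </saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
"""


def parse_ts(value):
    # SAML timestamps are xs:dateTime in UTC with a trailing 'Z'.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assertion_windows(xml_text):
    """Extract every time bound the assertion carries, plus its audience."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    authn = root.find("saml:AuthnStatement", NS)
    return {
        "not_before": parse_ts(cond.get("NotBefore")),
        "not_on_or_after": parse_ts(cond.get("NotOnOrAfter")),
        "bearer_not_on_or_after": parse_ts(scd.get("NotOnOrAfter")),
        "authn_instant": parse_ts(authn.get("AuthnInstant")),
        "session_not_on_or_after": parse_ts(authn.get("SessionNotOnOrAfter")),
        "audience": root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
    }


def assertion_lifetime(windows):
    # How long the bearer assertion may be presented to the SP at all.
    return windows["not_on_or_after"] - windows["not_before"]


def session_lifetime(windows):
    # How long the IdP says its own authenticated session lasts.
    return windows["session_not_on_or_after"] - windows["authn_instant"]


def is_assertion_valid_at(windows, now, expected_audience, skew=timedelta(seconds=60)):
    """Relying-party style acceptance check: the audience must match and
    'now' must fall inside the Conditions window, allowing a small clock skew.
    SessionNotOnOrAfter is deliberately not consulted here; it does not
    extend the window in which the assertion itself may be accepted."""
    if windows["audience"] != expected_audience:
        return False
    if now < windows["not_before"] - skew:
        return False
    if now >= windows["not_on_or_after"] + skew:
        return False
    return True


if __name__ == "__main__":
    w = assertion_windows(SAMPLE_ASSERTION)
    print("assertion window:", assertion_lifetime(w))   # 0:05:30
    print("IdP session:     ", session_lifetime(w))     # 90 days
    print("valid at 09:30Z: ", is_assertion_valid_at(w, parse_ts("2019-05-22T09:30:00Z"), w["audience"]))
```

Running this shows the assertion is only presentable for five and a half minutes around the AuthnInstant while the IdP session claim is 90 days. Keeping the Conditions window that short is the right setting from a defender's point of view, since it limits how long a captured bearer assertion could be replayed; the 90-day SessionNotOnOrAfter only tells the relying party when the IdP's own session ends, and the relying party remains free to apply its own sign-in policy on top of it.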