We're running an AdminUI and when we configure a partnership, we'd
like to know the purpose of the following parameters:
1. GUID Cookie Validity Duration (Seconds)
2. Use Secure URL
What do these parameters actually do?
Policy Server 12.8SP3 on RedHat 6;
AdminUI 12.8SP3 on RedHat 6;
At first glance, according to the documentation:
1. This is used to manage the AuthnRequest state and make sure that
the FED TEMPORARY STATE cookie is valid.
As you've seen, this applies only if you select the Authentication
Request Binding as HTTP-POST.
During the AuthnRequest as HTTP-POST, the IdP service will check
the presence of the Fed temporary state cookie against the timestamp
the GUID cookie provides.
GUID Cookie Validity Duration (Seconds)
Defines the time period in seconds the GUID cookie is
valid. Configure this value to manage the AuthnRequest state when
the AuthnRequest binding is set to HTTP-POST.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/using/administrative-ui/federation-partnerships-reference/sso-and-slo-dialog-saml-2-0-idp.html
Before, this cookie had a fixed timeout value of 3 minutes; now you
see this functionality, as you can set it:
Federation GUID cookie has expiration of only 3 minutes
For POST AuthnRequest Bindings, we generate a persistent GUID
cookie. By default, we set this cookie expiration time to 3
minutes. Once the expiration time has passed, we end up with an
error.
Added new text field with name "GUID Cookie Validity Duration
(Seconds)", in SAML2, IDP-SP Partnership, to provide value, when
AuthnRequest POST Binding is selected. This value should be >=180
and <=9999.
Support for Configuring GUID Cookie Validity Duration
From 12.52 SP1 CR08, the GUID Cookie Validity Duration
(Seconds) parameter is added in the Administrative UI to manage
the AuthnRequest state when the AuthnRequest binding is
configured to HTTP-POST. The parameter defines the time period
in seconds the GUID cookie is valid. Configure this value to
manage the AuthnRequest state when the AuthnRequest binding is
set to HTTP-POST.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/release-notes/new-features/federation-new-features.html
2. This is used to encrypt the SMPORTALURL value:
Use Secure URL
This setting instructs the single sign-on service to encrypt only
the SMPORTALURL query parameter. An encrypted SMPORTALURL
prevents a malicious user from modifying the value and
redirecting authenticated users to a malicious website. The
SMPORTALURL is appended to the Authentication URL before the
browser redirects the user to establish a session. After the user
is authenticated, the browser directs the user back to the
destination specified in the SMPORTALURL query parameter.
If you select the Use Secure URL check box, complete the
following steps:
1. Set the Authentication URL field to the following URL:
http(s)://idp_server:port/affwebservices/secure/secureredirect
2. Protect the secureredirect web service with a policy.
If the asserting party serves more than one relying partner, the
asserting party probably authenticates different users for these
different partners. As a result, for each Authentication URL that
uses the secureredirect service, include this web service in a
different realm for each partner.
To associate the secureredirect service with different realms,
modify the web.xml file and create different resource
mappings. Do not copy the secureredirect web service to different
locations on your server. Locate the web.xml file in the
directory web_agent_home/affwebservices/WEB-INF, where
web_agent_home is the installed location of the web agent.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/using/administrative-ui/federation-partnerships-reference/sso-and-slo-dialog-saml-2-0-idp.html
And this feature allows you to fix some possible vulnerabilities:
Federation SMPORTALURL vulnerability
How can the Federation SMPORTALURL be secured from an Open Redirect
vulnerability, as today it can be manipulated and the user can be
redirected to a malicious target?
- The SMPORTALURL Vulnerability was addressed within 12.52 SP2
Release where a "Use Secure URL" check box was introduced to
encrypt only the SMPORTALURL query parameter.
https://knowledge.broadcom.com/external/article?articleId=12269
As AuthnRequest HTTP-POST is supported only in Partnership, this
doesn't apply to Legacy Federation.
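To make the two mechanisms above concrete, here is an added example (not SiteMinder's own code, and not how the product actually implements either setting, which the page does not describe). It models both ideas with one generic HMAC-SHA256 "seal": a state cookie that binds an AuthnRequest GUID to an issue time and is rejected once the configured validity duration (the 180..9999 second range from the release note) has passed, and a redirect target that is sealed before it travels in the query string so that a modified SMPORTALURL is detected. The key, the host allowlist and the field names are constructed for the demo; the allowlist check is an extra defence this example adds, not something the page attributes to the product.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlsplit

# Constructed demo key; a real deployment draws this from the server's key store.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _seal(key: bytes, payload: dict) -> str:
    """Serialize the payload and append an HMAC-SHA256 tag so any change is detectable."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


def _open(key: bytes, token: str):
    """Return the payload if the tag verifies under `key`, otherwise None."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body, tag = _b64d(body_b64), _b64d(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


# --- 1. Time-limited state cookie (the "GUID Cookie Validity Duration" idea) ---

def issue_state_cookie(key, guid, validity_seconds, now=None):
    """Bind the AuthnRequest GUID to an issue time; validity mirrors the UI's 180..9999 range."""
    if not 180 <= validity_seconds <= 9999:
        raise ValueError("validity must be between 180 and 9999 seconds")
    now = int(time.time()) if now is None else int(now)
    return _seal(key, {"guid": guid, "iat": now, "ttl": validity_seconds})


def validate_state_cookie(key, cookie, expected_guid, now=None):
    """Accept only an untampered cookie for the expected GUID whose window has not passed."""
    now = int(time.time()) if now is None else int(now)
    data = _open(key, cookie)
    if data is None:
        return False, "tampered or malformed"
    if data.get("guid") != expected_guid:
        return False, "guid mismatch"
    if now > data["iat"] + data["ttl"]:
        return False, "expired"
    return True, "ok"


# --- 2. Protected redirect target (the "Use Secure URL" idea) ---

def seal_portal_url(key, url):
    """Seal the post-authentication destination before it is placed in the query string."""
    return _seal(key, {"url": url})


def open_portal_url(key, sealed, allowed_hosts):
    """Recover the destination only if the seal verifies and the host is on the allowlist."""
    data = _open(key, sealed)
    if data is None:
        return None
    host = urlsplit(data.get("url", "")).hostname
    if host not in allowed_hosts:
        return None
    return data["url"]


if __name__ == "__main__":
    cookie = issue_state_cookie(DEMO_KEY, "guid-1", 180, now=1000)
    print(validate_state_cookie(DEMO_KEY, cookie, "guid-1", now=1100))  # within 180 s
    print(validate_state_cookie(DEMO_KEY, cookie, "guid-1", now=1181))  # past the window
    sealed = seal_portal_url(DEMO_KEY, "https://portal.example.com/home")
    print(open_portal_url(DEMO_KEY, sealed, {"portal.example.com"}))
```

A sealed value is readable here (it is only integrity-protected, not confidential); the property that matters for the open-redirect case is that a changed destination fails verification, which is what "Use Secure URL" is described as achieving through encryption of the parameter.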