This article describes how SAML authentication is a convenient way to authenticate users and grant them permissions, but also how it can be challenging to de-authenticate a user on a shared workstation.
By default, user 'A' stays authenticated for the period granted by the IdP, so if user 'A' logs out of the workstation and user 'B' logs in, the FortiGate still holds a valid authentication for the workstation's IP address under user 'A'.
This can lead to a security issue, as user 'B' now has user 'A''s permissions.
Scope: FortiGate.
A practical example:
For this demonstration, the workstation has been joined to Azure AD, but the principle is the same even if the workstation is not joined.
'Eusebio' has logged into the Workstation and opened the browser, was redirected to Azure for authentication, provided his credentials, and is authenticated:
'Eusebio' can browse the internet as per the configured policies with the SAML user group:
Now 'Eusebio' signs out of this workstation and 'Amalia' logs in.
'Amalia' can browse the internet but is not prompted for credentials; she is navigating as 'Eusebio' because the authentication for the workstation's IP address is still valid:
To overcome this issue, set a timeout for the SAML user group.
Here is the SAML configuration:
config user saml
    edit "AZ"
        set entity-id "https://yourinternalip:1003/saml/metadata"
        set single-sign-on-url "https://yourinternalip:1003/saml/login"
        set single-logout-url "https://yourinternalip:1003/saml/logout"
        set idp-entity-id "https://sts.windows.net/some-string/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/some-string/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/some-string/saml2"
        set idp-cert "REMOTE_Cert_2"
        set user-name "username"
        set digest-method sha1
    next
end
config user group
    edit "AZ-out"
        set authtimeout 1
        set member "AZ"
    next
end
The command to focus on is 'set authtimeout' under the user group. Here it is set to 1, meaning one minute.
After one minute of inactivity from a user, that user will be de-authenticated.
It is now necessary to sign out 'Amalia' from the workstation and wait at the Windows login screen for the authentication to clear.
This may take 2-3 minutes rather than the one minute configured, because the workstation might still have some traffic running in the background.
Sign out:
It is possible to observe that even after the sign out there is still some background traffic running:
diagnose sniffer packet any 'host 10.191.84.115' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.191.84.115]
2023-02-23 09:52:58.630726 port2 in 10.191.84.115.49271 -> 40.113.103.199.443: psh 1002352673 ack 1841619
2023-02-23 09:52:58.641798 port2 out 40.113.103.199.443 -> 10.191.84.115.49271: psh 1841619806 ack 100235
2023-02-23 09:52:58.776750 port2 in 10.191.84.115.49271 -> 40.113.103.199.443: ack 1841619933
The one-minute idle timeout configured above only starts counting once this traffic stops, so take into consideration that it might take up to 2 to 3 minutes for the workstation to close (RST or FIN/ACK) all of its TCP connections.
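The behaviour described above (an IP-to-user entry whose idle timer is refreshed by any background packet, so a second Windows user inherits the first user's identity until the host goes quiet for 'authtimeout' minutes) can be modelled with a few lines of code. The following Python block is an added example, not FortiGate code: it parses the sniffer lines quoted in this article and feeds them into a simplified model of an IP-based firewall authentication table. The 09:52:30 login time and the rule that a timeout of 0 means "never expires" are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# One line of 'diagnose sniffer packet any "<filter>" 4 0 l' output looks like:
# "<timestamp> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <tcp info>"
SNIFFER_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s*(?P<info>.*)$"
)

# The three packets shown in the article (quoted, not constructed).
SAMPLE_SNIFFER_OUTPUT = """\
2023-02-23 09:52:58.630726 port2 in 10.191.84.115.49271 -> 40.113.103.199.443: psh 1002352673 ack 1841619
2023-02-23 09:52:58.641798 port2 out 40.113.103.199.443 -> 10.191.84.115.49271: psh 1841619806 ack 100235
2023-02-23 09:52:58.776750 port2 in 10.191.84.115.49271 -> 40.113.103.199.443: ack 1841619933
"""


def parse_sniffer_line(line: str) -> Optional[dict]:
    """Parse one sniffer line; return None for lines that are not packets."""
    m = SNIFFER_LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
        "iface": m["iface"], "dir": m["dir"],
        "src": m["src"], "dst": m["dst"], "info": m["info"],
    }


class IpAuthTable:
    """Simplified model of an IP-based authentication table (assumption:
    any packet to or from the host refreshes its idle timer; 0 = never expires)."""

    def __init__(self, authtimeout_min: int) -> None:
        self.timeout = timedelta(minutes=authtimeout_min) if authtimeout_min > 0 else None
        self.entries: Dict[str, Tuple[str, datetime]] = {}

    def login(self, ip: str, user: str, when: datetime) -> None:
        self.entries[ip] = (user, when)

    def user_for(self, ip: str, now: datetime) -> Optional[str]:
        """Return the user the firewall currently associates with this IP, expiring idle entries."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        user, last_activity = entry
        if self.timeout is not None and now - last_activity >= self.timeout:
            del self.entries[ip]
            return None
        return user

    def observe(self, pkt: dict) -> None:
        """Background traffic from the host keeps a still-valid entry alive."""
        for ip in (pkt["src"], pkt["dst"]):
            user = self.user_for(ip, pkt["ts"])
            if user is not None:
                self.entries[ip] = (user, max(self.entries[ip][1], pkt["ts"]))


def walk_through(authtimeout_min: int) -> Dict[str, Optional[str]]:
    """Replay the article's scenario and report who the FortiGate thinks the host is."""
    host = "10.191.84.115"
    table = IpAuthTable(authtimeout_min)
    table.login(host, "Eusebio", datetime(2023, 2, 23, 9, 52, 30))  # assumed login time
    for line in SAMPLE_SNIFFER_OUTPUT.splitlines():
        pkt = parse_sniffer_line(line)
        if pkt:
            table.observe(pkt)  # post-sign-out background traffic
    last_packet = datetime(2023, 2, 23, 9, 52, 58, 776750)
    return {
        "amalia_30s_after_last_packet": table.user_for(host, last_packet + timedelta(seconds=30)),
        "amalia_61s_after_last_packet": table.user_for(host, last_packet + timedelta(seconds=61)),
    }


if __name__ == "__main__":
    print("authtimeout 1:", walk_through(1))
    print("no timeout:  ", walk_through(0))
```

With 'authtimeout 1', 'Amalia' logging in 30 seconds after the last background packet still inherits 'Eusebio', while 61 seconds after it the entry has expired and she is prompted for credentials; without a timeout she inherits 'Eusebio' indefinitely.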
The authentication will clear after the timeout period:
It is now possible to log in with 'Amalia' again, and when 'Amalia' opens the browser she is prompted for credentials:
After authentication:
Logs:
To actively de-authenticate the host, open the FortiGate logout page (https://<FGTIP>:1000/portal?) and select the 'logout' button. This clears the user's authentication:
Related article:
Technical Tip: Wireless authentication using SAML credentials.
Copyright 2025 Fortinet, Inc. All Rights Reserved.