Never asked to resubmit credentials on Google login page with SocialAccess Appliance

  • 7012100
  • 09-Apr-2013
  • 20-May-2013

Environment

NetIQ Social Access 1.0

Situation

SocialAccess was set up to provide login services for a SAML2 Service Provider (SP). Two authentication sources were configured that users could authenticate against: LinkedIn and Google. Users would try to access the SAML2 SP and be redirected to the SocialAccess login page, where the option to log in using their Google or LinkedIn credentials was presented.

Users were able to access the SP pages after having authenticated with LinkedIn or Google. When the browser was shut down, subsequent requests for the SP page were redirected, as expected, to the SocialAccess login page. When users chose to log in using the LinkedIn authentication source, the LinkedIn login page was displayed and the users had to enter their credentials.

When authenticating with the Google authentication source, however, users were logged in again seamlessly on the next access without being asked for their credentials, even though they had closed the browser after the first successful login. If the user trying to log in with the Google authentication source was different from the original user, that user inherited the session of the originally authenticated user.

It appears that Google uses several persistent cookies. As a result, if a different user attempts to access the target system from the same browser and chooses Google, then they'll gain access as the previous user.

I only get prompted to re-authenticate if I clear out the persistent cookies from the browser.

LinkedIn doesn't behave like that - if I close the browser then I am forced to re-authenticate if I choose the LinkedIn button again - which is good.

I get the same behaviour with Firefox 19 and IE9.

Resolution

Do NOT select the 'Stay signed in' option on the Google login page. This option sets a persistent cookie that can last up to two weeks. If a user on that host comes back to the same page within the two-week period, they will be seamlessly logged in as the user who originally logged in. This is a major security concern on shared machines.
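The difference between the LinkedIn and Google behaviour described above comes down to whether the identity provider sets session-only cookies or persistent ones with a long Expires/Max-Age. The following audit script is an added example, not part of this article or of the SocialAccess product; it classifies Set-Cookie headers captured from an identity provider's responses, and the sample headers and cookie names in it are constructed for illustration, not real Google or LinkedIn responses.

```python
"""Flag persistent cookies in Set-Cookie headers (added example, not from the article).

A cookie without Expires/Max-Age dies when the browser closes; one with a long
lifetime survives a restart and is what lets the next user of a shared machine
be silently signed in as the previous user.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Reference "now" for the constructed samples (aware UTC datetime).
NOW = datetime(2013, 4, 9, 10, 0, 0, tzinfo=timezone.utc)

# Constructed headers: two two-week persistent cookies and one session cookie.
SAMPLE_HEADERS = [
    "IDP_SID=abc123; Expires=Tue, 23 Apr 2013 10:00:00 GMT; Path=/; Secure; HttpOnly",
    "IDP_PREF=xyz; Max-Age=1209600; Path=/; HttpOnly",
    "JSESSIONID=deadbeef; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def lifetime_seconds(attrs, now=NOW):
    """Seconds the cookie persists on disk, or None for a session-only cookie.
    Max-Age takes precedence over Expires (RFC 6265, section 5.3)."""
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:  # treat a naive timestamp as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None


def audit(headers, now=NOW, max_ok=timedelta(hours=1)):
    """Map cookie name -> (kind, lifetime); kind is session/short-lived/persistent/expired."""
    findings = {}
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        life = lifetime_seconds(attrs, now)
        if life is None:
            kind = "session"
        elif life <= 0:
            kind = "expired"  # Max-Age=0 or a past Expires deletes the cookie
        elif life > max_ok.total_seconds():
            kind = "persistent"
        else:
            kind = "short-lived"
        findings[name] = (kind, life)
    return findings
```

Run `audit(SAMPLE_HEADERS)` against headers captured from a real login flow to see which cookies would outlive a closed browser on a shared host.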

Additional Information

Checking the box next to Stay signed in on the Gmail login page will automatically log you in each time you visit mail.google.com. This makes for easier access to Gmail, but if you check your email from a computer that other people have access to, automatically logging in may not be the best option.

When you check the box and log in, Gmail sets a cookie (lasting two weeks) to remember you when you return to the site from the same computer. To disable the cookie, just click the down arrow next to your email address in the upper-right corner, and select Sign out. You'll need to re-enter your username and password when you return to Gmail.

We encourage you to log out of Gmail at the end of each session to protect the security of your email information. Logging out of Gmail is especially important if you check your email on a public computer. To end your Gmail session, just click the down arrow next to your email address in the upper-right corner, and select Sign out.