Starting with version 3.6.0, the SAML Single Sign-On app can delegate the WebSudo authentication to the SAML IdP.


Since version 6.6.0 we also support WebSudo authentication for OpenId Connect configurations.

Limitations

  1. WebSudo with SSO does not work with transient NameIDs.
     This is because the SAML NameID from the additional authentication must be the same as the one from the initial login.

  2. WebSudo with SSO does not work with the Set RememberMe Cookie option enabled, so please disable it as pictured below.

     Once the remember-me cookie is used to establish a user session again, it is no longer a SAML session.
     The only workaround, for now, is to log out and log in with SAML SSO again, should you not see the blue Re-Authenticate button.

Configuration

Step 1

This is disabled by default. To enable it, click the checkbox Enable additional authentication in the SAML SSO app's IdP configuration.

If the current admin user is logged in using SAML and this setting is enabled for the IdP the user has authenticated with, the WebSudo page shows a Re-Authenticate button.

Clicking this button will open a new browser window with the IdP's authentication page where the user needs to authenticate again.

The SAML authentication request for this authentication is sent with the flag ForceAuthn="true". This tells the IdP not to rely on an active session but to request credentials again.

After successful authentication, starting the WebSudo session must be confirmed before the window closes automatically:


Since version 6.6.0 there is a new option for WebSudo: Force Authentication can now be deactivated. If you disable the option Request new authentication from IdP for additional authentication, the SAMLRequest for additional authentication is sent without the ForceAuthn flag. We recommend leaving the option enabled: it signals the IdP to explicitly request a new authentication and not to reuse an existing session.
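As an added illustration (not code from the SAML SSO app), the following Python builds the kind of AuthnRequest described above, with and without ForceAuthn, and shows the NameID rule behind the transient-NameID limitation: the re-authentication counts only if its NameID equals the one from the initial login and is not transient. Entity IDs, URLs and the sample Response are constructed placeholders; signature and validity checks are assumed to have happened elsewhere.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(issuer, acs_url, idp_sso_url, force_authn=True):
    """Minimal AuthnRequest; ForceAuthn="true" is the flag the page describes for WebSudo.
    Signing and the rest of a production request are omitted (illustration only)."""
    attrs = {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
    }
    if force_authn:  # without it, the IdP may silently reuse its existing session
        attrs["ForceAuthn"] = "true"
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", attrs)
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def sample_response(name_id, name_id_format=EMAIL):
    """Constructed, unsigned sample Response (not a real IdP capture); only the parts checked below."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">'
            f'<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
            f'<saml:NameID Format="{name_id_format}">{name_id}</saml:NameID>'
            f'</saml:Subject></saml:Assertion></samlp:Response>')


def websudo_reauth_ok(session_name_id, response_xml):
    """True only if the re-authentication identifies the same subject as the initial login.
    Assumes signature and validity checks already passed. A transient NameID can never
    match the login session's NameID, which is why the page lists it as a limitation."""
    name_id = ET.fromstring(response_xml).find(f".//{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or name_id.get("Format") == TRANSIENT:
        return False
    return name_id.text == session_name_id
```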


Step 2

Please also enable the following, provided that you are using version 4.0.7 or later:

Navigate to the Advanced settings and enable the Set Samesite=None on the session cookie checkbox, save the settings and you're good to go.

If you are using an older version and can't or don't want to upgrade, please refer to the alternative options 2, 3, 4 or 5.