AuthPoint Session Timeout

We used the excellent Configuration guide (see https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/AuthPoint/WordPress-saml_authpoint.html ) to set up a customer's WordPress website.

During Acceptance Testing, we noticed that the AuthPoint session on the browser seems to have a very long (might be up to 2 weeks) timeout. When we press the AuthPoint login a second time, it goes straight into WordPress without prompting for the PUSH or OTP. The obvious problem is that you can't change users on the same PC without deleting the session cookie on the browser - a risky proposition on a shared PC.

I suspect that the problem is related to the "logout" function within wp-login.php of WordPress. That is, it logs out of WordPress, but does not log out of AuthPoint.

Any suggestions?

Adrian from Australia

Comments

  • james.carson Moderator, WatchGuard Representative

    Do you see any errors from the WordPress side when you try to log out? (You may have to push a more button on the logout screen.)

    I agree that it sounds like a logout issue, but it's difficult to say what might be wrong without more info.

    If you don't see any logs, I'd suggest a support case so that the support team can try to find more information from the AuthPoint side.

    -James Carson
    WatchGuard Customer Support

  • I activated the debug mode of WordPress, but there was no log entry related to AuthPoint or any login for that matter. Interestingly, the session survived a reboot of the web server. I will lodge a case in a few days - a few things on my plate this week.

    Adrian from Australia

  • Hi,

    Have you resolved this in any way?

    We have a similar issue with the Access Portal. We use AuthPoint SAML for the Access Portal and users close the browser and walk away. Any other user that opens a browser afterwards that is within the timeout-threshold, set under Authentication > Settings, Firebox Authentication, has instant access to the Access Portal without having to re-authenticate. This is a serious security issue!

    Hope you have found a way to resolve this, and if so, please share if you don't mind!

    Regards,
