My test ASP.NET web api application has and I am getting the error message There is no HTTP session state as ASP.NET session cookies are not enabled. even though I have configured a database SSO session store like this (in Global.asax):
SAMLController.SSOSessionStore = new DatabaseSSOSessionStore(“System.Data.SqlClient”, “Connection string here”, “SSOSessions”);
I have also tried setting the SSOSessionStore just before the call to InitiateSSO, but with the same result.
Is it possible to use the SAML component without enabling session state?
It is possible to not enable ASP.NET sessions.
The DatabaseSSOSessionStore stores SSO session data in the database.
However, it still requires a way to uniquely identify SSO sessions.
By default this is done using the ASP.NET session ID.
That’s why the exception is being thrown.
You can override this by setting the DatabaseSSOSessionStore.SessionIDDelegate.
For example:
SAMLController.SSOSessionStore = new DatabaseSSOSessionStore() {
SessionIDDelegate = delegate ()
{
// Return an identifier that uniquely identifies the user’s SSO session.
// The implementation details are not shown.
return null;
}
};
The session ID must be unique per browser session.
The simplest way to implement this is to use the ASP.NET session ID even though the ASP.NET session store isn’t used.
[quote][/quote]
It is possible to not enable ASP.NET sessions.
The DatabaseSSOSessionStore stores SSO session data in the database.
However, it still requires a way to uniquely identify SSO sessions.
By default this is done using the ASP.NET session ID.
That's why the exception is being thrown.
You can override this by setting the DatabaseSSOSessionStore.SessionIDDelegate.
For example:
SAMLController.SSOSessionStore = new DatabaseSSOSessionStore() {
SessionIDDelegate = delegate ()
{
// Return an identifier that uniquely identifies the user's SSO session.
// The implementation details are not shown.
return null;
}
};
The session ID must be unique per browser session.
The simplest way to implement this is to use the ASP.NET session ID even though the ASP.NET session store isn't used.
The DatabaseSSOSessionStore stores SSO session data in the database.
However, it still requires a way to uniquely identify SSO sessions.
By default this is done using the ASP.NET session ID.
That's why the exception is being thrown.
You can override this by setting the DatabaseSSOSessionStore.SessionIDDelegate.
For example:
SAMLController.SSOSessionStore = new DatabaseSSOSessionStore() {
SessionIDDelegate = delegate ()
{
// Return an identifier that uniquely identifies the user's SSO session.
// The implementation details are not shown.
return null;
}
};
The session ID must be unique per browser session.
The simplest way to implement this is to use the ASP.NET session ID even though the ASP.NET session store isn't used.
Thanks, that did the trick!
Regards
Fredrik
You’re welcome.
I have a WEb API which is stateless/no session. I am using the SAMLServiceProvider.InitiateSSO(System.Web.HttpContext.Current.Response, returnUrl, partnerIdP); to initiate the error is : There is no HTTP session state as ASP.NET session cookies are not enabled.
How do i set the DatabaseSSOSessionStore id?
I tried sessing the session-id :
System.Web.HttpContext.Current.Session[“session-id”] = new DatabaseSSOSessionStore()
{
SessionIDDelegate = delegate ()
{
// Return an identifier that uniquely identifies the user’s SSO session.
// The implementation details are not shown.
return “57657657576”;//random number just to test
}
};
Please refer to section 5.6 of our Developer Guide PDF.
You set the DatabaseSSOSessionStore using the SAMLController.SSOSessionStore property.
SAMLController.SSOSessionStore = new DatabaseSSOSessionStore()
{
SessionIDDelegate = …
};
[quote]
[/quote]
Thanks for the Response. Is the SAMLController equal to SAMLConfiguration class?
SSOSessionStore = this has to be unique per browser per session?
There’s only one SSOSessionStore that’s shared by all users/browser sessions within your application.
The SSOSessionStore must store SSO session data separately for each SSO session (ie browser session).