Cached data for InitiateSsoAsync?

Anyone aware of a browser cache on the URL sent to an SP?

Our setup is that we're the IdP, and a list of service providers is shown once a user has logged in. When a user clicks one of the SP's logos, we use InitiateSsoAsync to log them into the SP, and the current browser tab is replaced with the SP's website.

I was testing some possible scenarios for regression/security testing and I noticed that when a user didn't log out successfully from an SP (failure or otherwise), if they logged out of our IdP, then logged back in as a "different" user, then clicked the same SP, the previous user's account is shown when you land on the SP's site. BUT, if I perform the same action back on our page, but open the URL click in a "new tab/window", it does correctly show the user who is logged in via our IdP. Smells like a cache issue?

This only happens for one of the SPs we're hooked up with. The same user, either A or B, correctly logs into the other SPs and sees their dashboard; just this one particular SP seems to be cached.

I’ve checked the SAML assertion token and the correct NameID for the user is passed to the SP.

Very weird. Any suggestions?

That's certainly odd and undesirable. I suggest using the browser developer tools to capture the network traffic and confirm that an HTTP POST of the SAML response is being sent to the SP.

If you can confirm it’s being sent to the SP and the NameID is correct, the issue lies with the SP.

Let us know what you find.
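One way to do the check suggested above without eyeballing base64 in the Network panel: copy the raw form body of the POST to the SP's assertion consumer URL, decode the SAMLResponse field, and compare the NameID with the user currently logged in at the IdP. This is an added example, not code from the thread or from the IdP library being used; the capture object, the XML, the hostnames and the helper names are all constructed for illustration.

```javascript
// Added example (not from the original thread): sanity-check a captured
// IdP-initiated SAML POST. The capture below is constructed; in practice you
// would paste the form body copied from the browser's Network panel.

// HTTP-POST binding: the body is x-www-form-urlencoded and the SAMLResponse
// field is base64-encoded XML.
function decodeSamlResponse(formBody) {
  const params = new URLSearchParams(formBody);
  const b64 = params.get('SAMLResponse');
  if (!b64) return null;
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Pull the NameID (and its Format) out of the assertion. A regex is fine for
// a debugging aid that only reads one subject; anything that makes a security
// decision must use a real XML parser and validate the signature first.
function extractNameId(xml) {
  const m = /<(?:\w+:)?NameID\b([^>]*)>([^<]*)<\/(?:\w+:)?NameID>/.exec(xml);
  if (!m) return null;
  const fmt = /Format="([^"]+)"/.exec(m[1]);
  return { value: m[2].trim(), format: fmt ? fmt[1] : null };
}

// An IdP-initiated Response has no InResponseTo, since no AuthnRequest preceded it.
function isIdpInitiated(xml) {
  const open = /<(?:\w+:)?Response\b[^>]*>/.exec(xml);
  return !!open && !/InResponseTo=/.test(open[0]);
}

// Headers on the SP's reply to the ACS POST worth looking at when "wrong user
// after same-tab navigation" is suspected: a fresh session cookie should be
// set, and the response should not be cacheable.
function inspectAcsReply(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const cc = (h['cache-control'] || '').toLowerCase();
  return {
    setsSessionCookie: Boolean(h['set-cookie']),
    noStore: cc.includes('no-store'),
  };
}

// Compare the captured POST with who the IdP believes is logged in.
function checkSsoPost(capture, expectedNameId) {
  if (capture.method !== 'POST') return { ok: false, reason: 'no HTTP POST to the SP ACS captured' };
  const xml = decodeSamlResponse(capture.body);
  if (!xml) return { ok: false, reason: 'POST body has no SAMLResponse field' };
  const nameId = extractNameId(xml);
  if (!nameId) return { ok: false, reason: 'no NameID in SAMLResponse' };
  if (nameId.value !== expectedNameId) {
    return { ok: false, reason: `NameID ${nameId.value} does not match ${expectedNameId}` };
  }
  return { ok: true, nameId: nameId.value, format: nameId.format, idpInitiated: isIdpInitiated(xml) };
}

// Constructed stand-in for a captured POST (unsigned, minimal Response).
const sampleXml = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="https://sp.example/acs">
  <saml:Issuer>https://idp.example</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">userB@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>`;
const sampleCapture = {
  method: 'POST',
  url: 'https://sp.example/acs',
  body: new URLSearchParams({ SAMLResponse: Buffer.from(sampleXml).toString('base64'), RelayState: 'dashboard' }).toString(),
};
const sampleReplyHeaders = { 'Set-Cookie': 'spsession=abc; HttpOnly; Secure', 'Cache-Control': 'no-store' };

console.log(checkSsoPost(sampleCapture, 'userB@example.com'));
console.log(inspectAcsReply(sampleReplyHeaders));
```

If the NameID in the POST is the new user but the SP still renders the old account, the SP is ignoring the fresh assertion in favour of an existing session cookie (or a cached page); if the POST never appears in the same-tab case, the problem is on the IdP side before the response is sent.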