Intermittent: SP-initiated SAML response was received unexpectedly

Hi Dan,

For SP-initiated SSO, we maintain SAML session state and check this state when a SAML response is received.

By default, the SAML session state is maintained in memory and is indexed by a saml-session cookie.

If the cookie is missing or the session state it indexes is missing, we throw the exception you’re seeing.

It’s hard to know the specific cause without more information.

If your application is deployed to multiple web servers, either configure sticky sessions at the load balancer or store the SAML session state in a central repository such as a database.

Is there any pattern you can identify? For example, specific users or browsers?

Has anything changed?

If you can reproduce the issue, I suggest:

  • using the browser developer tools to capture the network traffic to see whether the HTTP POST of the SAML response includes the saml-session cookie
  • enabling SAML trace and sending the log file as an email attachment to support@componentspace.com mentioning your forum post.
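
The cookie check suggested above can be run over a saved capture. This is an added example, not part of the original post or ComponentSpace code: it scans a HAR export from the browser developer tools and reports, for each POST carrying a `SAMLResponse` form field, whether the saml-session cookie was sent. The hosts, endpoint path and sample values are constructed.

```python
from urllib.parse import parse_qs

COOKIE_NAME = "saml-session"  # cookie name given in the post above

def _has_saml_response(request):
    """True if the request is a POST whose form body carries a SAMLResponse field."""
    if request.get("method", "").upper() != "POST":
        return False
    post = request.get("postData") or {}
    if any(p.get("name") == "SAMLResponse" for p in post.get("params") or []):
        return True
    return "SAMLResponse" in parse_qs(post.get("text") or "")

def _cookie_names(request):
    """Cookie names sent with the request, from HAR 'cookies' and the Cookie header."""
    names = {c.get("name") for c in request.get("cookies") or []}
    for h in request.get("headers") or []:
        if h.get("name", "").lower() == "cookie":
            for part in h.get("value", "").split(";"):
                names.add(part.split("=", 1)[0].strip())
    return names - {"", None}

def check_har(har):
    """Return one finding per SAML response POST: URL and whether the cookie was sent."""
    findings = []
    for entry in har.get("log", {}).get("entries", []):
        request = entry.get("request", {})
        if _has_saml_response(request):
            findings.append({
                "url": request.get("url"),
                "cookie_sent": COOKIE_NAME in _cookie_names(request),
            })
    return findings

# Constructed sample capture (hypothetical hosts and values): two SSO attempts.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://sp.example/login", "headers": [], "cookies": []}},
    {"request": {"method": "POST", "url": "https://sp.example/SAML/AssertionConsumerService",
                 "headers": [{"name": "Cookie", "value": "saml-session=abc123; other=1"}],
                 "cookies": [], "postData": {"params": [{"name": "SAMLResponse", "value": "PHNhbWw+"}]}}},
    {"request": {"method": "POST", "url": "https://sp.example/SAML/AssertionConsumerService",
                 "headers": [{"name": "Cookie", "value": "other=1"}], "cookies": [],
                 "postData": {"text": "SAMLResponse=PHNhbWw%2B&RelayState=xyz"}}},
]}}

if __name__ == "__main__":
    for f in check_har(SAMPLE_HAR):
        print(f["url"], "cookie sent" if f["cookie_sent"] else "COOKIE MISSING")
```

To use it on a real capture, load the exported HAR file with `json.load` and pass the result to `check_har`.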