Low Level Service Provider Example Issue.

I’m evaluating the SAML product right now and I’ve come across an issue when working with the Low Level examples.

I have the low level Service Provider and Identity Provider projects set up on my local host, and for the most part it is working as designed.

However, I’ve found that if I cancel the login by clicking on the back button, the next time I try to log in, it will always fail. It immediately redirects back to the SP with the following error message at the bottom of the form:

The user is not authenticated at the identity provider

After this error occurs, it will work the next time the form is submitted. I can reproduce this behavior 100% of the time with the low level API example using any of the bindings. The High Level API doesn’t have this issue.

This message is generated by the example identity provider rather than the component. The example is storing state information in the session and clicking the back button is interrupting the expected flow. The example could be updated to handle this better. However, this is a limitation of this example rather than the component.
Our recommendation is to use the high-level API unless there’s a specific reason you need to use the low-level API. We always welcome comments and suggestions.