Possible race condition

I believe there’s a possible race condition in SamlServiceProvider if multiple SAML flows are being started at the same time.
Any advice on how to mitigate?

Situation:

  1. New private/Incognito tab
  2. 5 applications using the same ComponentSpace instance configured 99,9% identical to sample in SAMLv20.Core-licensed\SAML for .NET Core\Examples\NET-Core-3.1\SSO\SamlProxy
  3. Those 5 applications are bookmarked in one Firefox “Bookmark folder”
  4. Manually open the first application
  5. SAML ping pong starts, login with upstream identity provider just fine
  6. Application 1: logged in => everything ok
  7. On bookmark folder “Open all in tabs”
  8. Not all the SAML flows complete successfully because of error: ComponentSpace.Saml2.SamlServiceProvider Receiving an SSO response from a partner identity provider has failed. ComponentSpace.Saml2.Exceptions.SamlProtocolException: An SP-initiated SAML response from was received unexpectedly.

Setup:
  • Applications are configured to require authentication on the first request
  • services.AddSession() //asp.net sessions
  • services.AddScoped<ISsoSessionStore, AspNetSsoSessionStore>();
  • app.UseSession();

We use a SAML session cookie to maintain SAML session state in support of the SAML protocol. Multiple tabs in the one browser instance will share the same cookie. Saved information for one SSO is overwritten by another SSO being initiated. This then results in a protocol exception.

We don’t support simultaneous SSOs within the same browser and normally this isn’t an issue in real-world scenarios. The limitation means that an SSO shouldn’t be initiated until the previous SSO completes.
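Added illustration of the mechanism described in the reply above; this is not ComponentSpace's code nor code from the thread. The SP has to remember the ID of the AuthnRequest it sent so the IdP's response can be matched by InResponseTo; when that memory is one slot tied to the browser session cookie, the second tab's SSO overwrites the first tab's pending ID and the first response is rejected. The `IPendingSsoStore` interface, the two store classes and the `_req-tab*` IDs are hypothetical, constructed for the example.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical, simplified model of SP-side SAML SSO state (not ComponentSpace code).
interface IPendingSsoStore
{
    void Save(string requestId);            // called when an AuthnRequest is sent
    bool TryConsume(string inResponseTo);   // called when the SAML Response arrives
}

// One slot per browser session cookie: a second SSO overwrites the first,
// so the first tab's response no longer matches anything ("received unexpectedly").
class SingleSlotStore : IPendingSsoStore
{
    private string _pendingRequestId;
    public void Save(string requestId) => _pendingRequestId = requestId;
    public bool TryConsume(string inResponseTo)
    {
        if (_pendingRequestId != inResponseTo) return false;
        _pendingRequestId = null;           // consume exactly once
        return true;
    }
}

// Keyed by request ID: each in-flight SSO keeps its own entry, so overlapping
// flows in separate tabs can each be matched and consumed exactly once.
class KeyedStore : IPendingSsoStore
{
    private readonly HashSet<string> _pending = new HashSet<string>();
    public void Save(string requestId) => _pending.Add(requestId);
    public bool TryConsume(string inResponseTo) => _pending.Remove(inResponseTo);
}

static class Demo
{
    // Two tabs send their AuthnRequests before either response returns
    // (the "Open all in tabs" case from the report). Request IDs are constructed.
    static void Run(IPendingSsoStore store)
    {
        store.Save("_req-tab1");
        store.Save("_req-tab2");
        string tab1 = store.TryConsume("_req-tab1") ? "ok" : "rejected";
        string tab2 = store.TryConsume("_req-tab2") ? "ok" : "rejected";
        Console.WriteLine($"{store.GetType().Name}: tab1 {tab1}, tab2 {tab2}");
    }

    static void Main()
    {
        Run(new SingleSlotStore());
        Run(new KeyedStore());
    }
}
```

Whether a keyed store is appropriate for a given SP depends on how the library exposes its session-store abstraction; the reply above states that the product itself expects one SSO to complete before the next starts.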