Regarding saml-session and saml-session id

Hi Team,
Hope you are doing well.
I am facing two issues:
1. The saml-session below is not generated if the user has logged in more than once. The scenario is: when I log in for the first time, it works fine and creates the session id and session, but when I log in with the same user from incognito mode, it gives the error “Received unexpected from Identity provider”.
2. There is a Saml-sessionid being generated; can we make that HTTPS?

Thanks
Akanksha

We use a saml-session cookie to maintain SAML session state in support of the SAML protocol. This cookie is marked as SameSite=None and Secure. This means that you must use HTTPS.

If you use InCognito mode, the saml-session cookie won’t be sent by the browser. We won’t have SAML session state and you’ll get the error you’re seeing.

Is there any way to sort this out in incognito?
Also this error comes when the same user closes the browser windows and then open new window and login.

If you switch to incognito mode, you don’t get any session cookies including the saml-session cookie. The same applies if you close the browser and open a new instance. All session cookies are deleted by the browser. It’s the way session cookies work.

You can disable some of the security checks we make that rely on the saml-session cookie. For example, you can specify “DisableInResponseToCheck”: true under the PartnerIdentityProvider configuration. However, this isn’t recommended.
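The reply above explains that the saml-session cookie is what lets the SP tie a POSTed SAML response back to the AuthnRequest it sent, and that "DisableInResponseToCheck" switches that binding off. The following model is an added example, not ComponentSpace's code: only the cookie name saml-session and the setting name DisableInResponseToCheck come from the thread, while SpEndpoint, SamlSessionStore, SamlProtocolError and the scenario functions are hypothetical names, and the behaviour is a simplified reconstruction rather than the library's implementation.

```python
"""Added example (not ComponentSpace code): a minimal model of the SP-side
state behind the saml-session cookie and the InResponseTo check.

Only the cookie name "saml-session" and the setting name
"DisableInResponseToCheck" come from the thread; SpEndpoint,
SamlSessionStore and SamlProtocolError are hypothetical names, and the
behaviour is a simplified reconstruction, not the library's implementation.
"""
import uuid
from typing import Dict, Optional, Tuple


class SamlProtocolError(Exception):
    """Raised when a SAML response cannot be tied to a pending AuthnRequest."""


class SamlSessionStore:
    """Server-side state keyed by the saml-session cookie value.

    pending maps a saml-session id to the ID of the AuthnRequest that was
    sent for that browser session and is still awaiting a response."""

    def __init__(self) -> None:
        self.pending: Dict[str, str] = {}


class SpEndpoint:
    def __init__(self, disable_in_response_to_check: bool = False) -> None:
        self.store = SamlSessionStore()
        # Models "DisableInResponseToCheck": true under PartnerIdentityProvider.
        self.disable_in_response_to_check = disable_in_response_to_check

    def initiate_sso(self, cookies: Dict[str, str]) -> Tuple[Dict[str, str], str]:
        """InitiateSso: create an AuthnRequest ID and remember it under the
        browser's saml-session cookie (issuing one if the browser has none).
        Returns the cookies to set and the AuthnRequest ID."""
        session_id = cookies.get("saml-session") or str(uuid.uuid4())
        request_id = "_" + str(uuid.uuid4())
        self.store.pending[session_id] = request_id
        return {"saml-session": session_id}, request_id

    def receive_sso(self, cookies: Dict[str, str], in_response_to: Optional[str]) -> str:
        """ReceiveSso: accept the POSTed SAML response only if the browser
        presents the saml-session cookie and the response answers the
        AuthnRequest remembered for it."""
        session_id = cookies.get("saml-session")
        expected = self.store.pending.pop(session_id, None) if session_id else None
        if expected is None:
            if self.disable_in_response_to_check:
                # No binding to a request this SP sent: the response is taken
                # on the strength of its signature alone.
                return "accepted-unbound"
            raise SamlProtocolError(
                "An SP-initiated SAML response was received unexpectedly.")
        if in_response_to != expected:
            raise SamlProtocolError("InResponseTo does not match the pending AuthnRequest.")
        return "accepted"


def same_window_flow() -> str:
    """Browser keeps the session cookie between redirect and POST."""
    sp = SpEndpoint()
    cookies, request_id = sp.initiate_sso({})
    return sp.receive_sso(cookies, request_id)


def browser_closed_mid_sso() -> str:
    """Browser closed (or a different incognito profile) between redirect and
    POST: the session cookie is gone, so no cookie reaches the SP."""
    sp = SpEndpoint()
    _, request_id = sp.initiate_sso({})
    try:
        return sp.receive_sso({}, request_id)
    except SamlProtocolError as exc:
        return str(exc)


def complete_close_complete_again() -> str:
    """Finishing SSO, closing the browser and running SSO again is fine:
    the second run simply gets a fresh saml-session cookie."""
    sp = SpEndpoint()
    cookies, request_id = sp.initiate_sso({})
    sp.receive_sso(cookies, request_id)
    cookies, request_id = sp.initiate_sso({})  # new browser instance, no cookie
    return sp.receive_sso(cookies, request_id)


def check_disabled_mid_sso() -> str:
    """With the check disabled the same lost-cookie POST is accepted, which is
    why the reply above recommends against disabling it."""
    sp = SpEndpoint(disable_in_response_to_check=True)
    _, request_id = sp.initiate_sso({})
    return sp.receive_sso({}, request_id)


if __name__ == "__main__":
    print(same_window_flow())
    print(browser_closed_mid_sso())
    print(complete_close_complete_again())
    print(check_disabled_mid_sso())
```

The four scenario functions map onto the thread: the same-window flow succeeds, the mid-SSO loss of the cookie produces the "received unexpectedly" error, completing SSO twice with a browser restart in between works, and disabling the check makes the lost-cookie case pass only by giving up the proof that the response answers a request this SP actually sent.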

[quote]
ComponentSpace - 12/29/2021
If you switch to incognito mode, you don't get any session cookies including the saml-session cookie. The same applies if you close the browser and open a new instance. All session cookies are deleted by the browser. It's the way session cookies work.

You can disable some of the security checks we make that rely on the saml-session cookie. For example, you can specify "DisableInResponseToCheck": true under the PartnerIdentityProvider configuration. However, this isn't recommended.
[/quote]

So when I close the browser, it should work with a new session, but it still gives the error, and then the only way to make it work is an iisreset. Am I missing any code?

I suggest using the browser developer tools (F12) to take a look at the network traffic/cookies. Check that the saml-session cookie isn’t being sent by the browser after closing it. If it is, it means there’s another instance of the browser which is keeping the saml-session cookie alive. If you close all instances of the browser, all session cookies should be deleted.

If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/forums/7936/Enabling-SAML-Trace

[quote]
ComponentSpace - 12/29/2021
I suggest using the browser developer tools (F12) to take a look at the network traffic/cookies. Check that the saml-session cookie isn't being sent by the browser after closing it. If it is, it means there's another instance of the browser which is keeping the saml-session cookie alive. If you close all instances of the browser, all session cookies should be deleted.

If there's still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/forums/7936/Enabling-SAML-Trace
[/quote]

Hi Team ,
The case is happening when the user closes the browser, all cookies and sessions are getting cleared out but when user tries to login with new instance, saml-session is not present which gives the error in AssertionConsumerService.
Connection ID "14195346027082419543", Request ID "80000d5c-0000-c500-b63f-84710c7967bb": An unhandled exception was thrown by the application.
ComponentSpace.Saml2.Exceptions.SamlProtocolException: An SP-initiated SAML response from was received unexpectedly.

Thanks

This error means an SP-initiated SAML response was received from the IdP but either no SAML authn request was previously sent or it was and we have lost knowledge of this (ie the saml-session cookie was lost).

If the browser was closed, I’m not sure how the original SSO flow was then picked up (ie how you received the SAML response at your AssertionConsumerService).

We would need to see the SAML log file as previously mentioned.

[quote]
ComponentSpace - 12/30/2021
This error means an SP-initiated SAML response was received from the IdP but either no SAML authn request was previously sent or it was and we have lost knowledge of this (ie the saml-session cookie was lost).

If the browser was closed, I'm not sure how the original SSO flow was then picked up (ie how you received the SAML response at your AssertionConsumerService).

We would need to see the SAML log file as previously mentioned.
[/quote]

Hi Team,
I have mailed the logs to the said id. Please let me know the issue. Quick help will be appreciated.
Thanks
Akanksha

Thanks for sending the log. I’ve copied the relevant obfuscated section below.

At 01:51:49, InitiateSsoAsync is called and the SAML authn request is sent. The saml-session cookie value is af9ad8b5-1d2b-499c-b2c4-f30984238379 and the corresponding SAML session state is in memory.

Ten seconds later, ReceiveSsoAsync is called and the SAML response is received. No saml-session cookie is included with the HTTP Post of the SAML response. Therefore, a new saml-session cookie with value 1c14cdb6-51a0-4499-b266-c8840c281813 is set. There is now no corresponding SAML session state in memory.

As a SAML response is received and we have no SAML session state, we throw the “An SP-initiated SAML response from https://XXXXXX.hijkl was received unexpectedly” exception.

This is as expected. If the browser is closed and therefore the saml-session and all other session cookies are deleted, we don’t have SAML session state and cannot process the SAML response.

The user shouldn’t close the browser half way through SSO. However, it is ok to complete SSO, close the browser and complete SSO a second time.

2021-12-31 01:51:49.201 -05:00 [DBG] SAML session state (af9ad8b5-1d2b-499c-b2c4-f30984238379):
SP state:
Pending response state:
Action: ReceiveSamlResponse
Partner name: https://XXXXXX.hijkl
Relay state:
In response to: _74018add-79b1-4df6-8469-eb16a24c183b
SSO session state:
Partner name: https://XXXXXX.hijkl
Name ID: <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">XXXX</saml:NameID>
Session index: _afac68ac-b320-42c3-8d07-93bef9cabdfd

2021-12-31 01:51:49.204 -05:00 [DBG] Initiation of SSO to the partner identity provider https://XXXXXX.hijkl has completed successfully.


2021-12-31 01:51:59.083 -05:00 [DBG] The SSO session ID 1c14cdb6-51a0-4499-b266-c8840c281813 has been saved to the saml-session cookie.
2021-12-31 01:51:59.086 -05:00 [DBG] HTTP cookie: saml-session=1c14cdb6-51a0-4499-b266-c8840c281813; Path=/; SameSite=None; Secure; HttpOnly
2021-12-31 01:51:59.089 -05:00 [DBG] SSO session state is being initialized.
2021-12-31 01:51:59.091 -05:00 [DBG] SSO session state for saml-session-1c14cdb6-51a0-4499-b266-c8840c281813-SamlState is being saved to the distributed cache.
2021-12-31 01:52:14.677 -05:00 [DBG] Receiving an SSO response from a partner identity provider.
2021-12-31 01:52:14.689 -05:00 [DBG] SAML session state (1c14cdb6-51a0-4499-b266-c8840c281813):
SP state:
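The diagnosis above rests on one observation in the trace: the saml-session ID current when SSO was initiated differs from the one the SAML response arrived under, with a fresh cookie issued in between. The script below is an added example, not ComponentSpace tooling, that automates that comparison over a trace. The line formats are copied from the trace above; the two sample traces and the IDs in them are constructed, and analyse() and diagnose() are hypothetical names.

```python
"""Added example (not ComponentSpace code): correlate saml-session IDs across
a SAML trace to tell a lost cookie from a library fault.

The line formats follow the trace in the thread; the sample traces and IDs
below are constructed. analyse() and diagnose() are hypothetical names.
"""
import re
from typing import Dict, List, Optional

STATE = re.compile(r"SAML session state \(([0-9a-f-]{36})\)")
SAVED = re.compile(r"The SSO session ID ([0-9a-f-]{36}) has been saved to the saml-session cookie")
INIT_DONE = "Initiation of SSO to the partner identity provider"
RECEIVING = "Receiving an SSO response from a partner identity provider"


def analyse(lines: List[str]) -> Dict[str, object]:
    """Walk the trace in order and record which saml-session ID was current
    when the AuthnRequest went out and which one the SAML response came back
    under. A cookie issued in between means the browser presented none."""
    current: Optional[str] = None
    initiated: Optional[str] = None
    received: Optional[str] = None
    cookies_issued_after_initiation: List[str] = []
    phase = "before"
    for line in lines:
        m = STATE.search(line)
        if m:
            current = m.group(1)
            if phase == "receiving" and received is None:
                received = current
            continue
        if INIT_DONE in line:
            initiated = current
            phase = "initiated"
            continue
        m = SAVED.search(line)
        if m and phase != "before":
            cookies_issued_after_initiation.append(m.group(1))
            continue
        if RECEIVING in line:
            phase = "receiving"
    return {
        "initiated_session": initiated,
        "received_session": received,
        "cookies_issued_after_initiation": cookies_issued_after_initiation,
        "cookie_continuity": initiated is not None and received == initiated,
    }


def diagnose(lines: List[str]) -> str:
    """One-line verdict in the terms the support reply uses."""
    result = analyse(lines)
    if result["cookie_continuity"]:
        return "ok: SAML response arrived under the session that sent the AuthnRequest"
    if result["cookies_issued_after_initiation"]:
        return ("lost cookie: browser sent no saml-session cookie with the POST; "
                "a new cookie was issued, so the pending state cannot be found")
    return "no matching initiation found for the received SAML response"


# Constructed sample traces (IDs are placeholders, not from the real log).
ID_A = "11111111-1111-4111-8111-111111111111"
ID_B = "22222222-2222-4222-8222-222222222222"

HEALTHY_TRACE = [
    f"2021-12-31 01:40:00.001 -05:00 [DBG] SAML session state ({ID_A}):",
    "SP state:",
    "Pending response state:",
    "Action: ReceiveSamlResponse",
    "2021-12-31 01:40:00.004 -05:00 [DBG] Initiation of SSO to the partner identity provider https://idp.example has completed successfully.",
    "2021-12-31 01:40:09.100 -05:00 [DBG] Receiving an SSO response from a partner identity provider.",
    f"2021-12-31 01:40:09.105 -05:00 [DBG] SAML session state ({ID_A}):",
    "SP state:",
]

LOST_COOKIE_TRACE = [
    f"2021-12-31 01:51:49.201 -05:00 [DBG] SAML session state ({ID_A}):",
    "SP state:",
    "2021-12-31 01:51:49.204 -05:00 [DBG] Initiation of SSO to the partner identity provider https://idp.example has completed successfully.",
    f"2021-12-31 01:51:59.083 -05:00 [DBG] The SSO session ID {ID_B} has been saved to the saml-session cookie.",
    f"2021-12-31 01:51:59.086 -05:00 [DBG] HTTP cookie: saml-session={ID_B}; Path=/; SameSite=None; Secure; HttpOnly",
    "2021-12-31 01:52:14.677 -05:00 [DBG] Receiving an SSO response from a partner identity provider.",
    f"2021-12-31 01:52:14.689 -05:00 [DBG] SAML session state ({ID_B}):",
    "SP state:",
]

if __name__ == "__main__":
    print(diagnose(HEALTHY_TRACE))
    print(diagnose(LOST_COOKIE_TRACE))
```

Run against a real trace (one line per list entry) the verdict distinguishes the case in this thread, where a second cookie is issued before the response is processed, from a trace in which no initiation was logged at all, which would point at an unsolicited or IdP-initiated response instead.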

[quote]
ComponentSpace - 12/30/2021
Thanks for sending the log. I've copied the relevant obfuscated section below.

At 01:51:49, InitiateSsoAsync is called and the SAML authn request is sent. The saml-session cookie value is af9ad8b5-1d2b-499c-b2c4-f30984238379 and the corresponding SAML session state is in memory.

Ten seconds later, ReceiveSsoAsync is called and the SAML response is received. No saml-session cookie is included with the HTTP Post of the SAML response. Therefore, a new saml-session cookie with value 1c14cdb6-51a0-4499-b266-c8840c281813 is set. There is now no corresponding SAML session state in memory.

As a SAML response is received and we have no SAML session state, we throw the "An SP-initiated SAML response from https://XXXXXX.hijkl was received unexpectedly" exception.

This is as expected. If the browser is closed and therefore the saml-session and all other session cookies are deleted, we don't have SAML session state and cannot process the SAML response.

The user shouldn't close the browser half way through SSO. However, it is ok to complete SSO, close the browser and complete SSO a second time.

2021-12-31 01:51:49.201 -05:00 [DBG] SAML session state (af9ad8b5-1d2b-499c-b2c4-f30984238379):
SP state:
Pending response state:
Action: ReceiveSamlResponse
Partner name: https://XXXXXX.hijkl
Relay state:
In response to: _74018add-79b1-4df6-8469-eb16a24c183b
SSO session state:
Partner name: https://XXXXXX.hijkl
Name ID: XXXX
Session index: _afac68ac-b320-42c3-8d07-93bef9cabdfd

2021-12-31 01:51:49.204 -05:00 [DBG] Initiation of SSO to the partner identity provider https://XXXXXX.hijkl has completed successfully.


2021-12-31 01:51:59.083 -05:00 [DBG] The SSO session ID 1c14cdb6-51a0-4499-b266-c8840c281813 has been saved to the saml-session cookie.
2021-12-31 01:51:59.086 -05:00 [DBG] HTTP cookie: saml-session=1c14cdb6-51a0-4499-b266-c8840c281813; Path=/; SameSite=None; Secure; HttpOnly
2021-12-31 01:51:59.089 -05:00 [DBG] SSO session state is being initialized.
2021-12-31 01:51:59.091 -05:00 [DBG] SSO session state for saml-session-1c14cdb6-51a0-4499-b266-c8840c281813-SamlState is being saved to the distributed cache.
2021-12-31 01:52:14.677 -05:00 [DBG] Receiving an SSO response from a partner identity provider.
2021-12-31 01:52:14.689 -05:00 [DBG] SAML session state (1c14cdb6-51a0-4499-b266-c8840c281813):
SP state:

[/quote]

Hi Team,
As you mentioned: "The user shouldn't close the browser half way through SSO. However, it is ok to complete SSO, close the browser and complete SSO a second time. "

This is not the case here. In the logs:
Case 1: The first set of logs shows that we created SSO for the first time, it was received at the SP side, and all worked fine.
Case 2/3: The other 2 sets of logs showed that when we closed the browser after case 1 and tried to log in the same way we did in Case 1 [the successful case], we start getting this error.
So, either the old cookies/session are not getting cleared and there is a mismatch, or we are missing some code for closing SSO.
"However, it is ok to complete SSO, close the browser and complete SSO a second time." >> This case is not working.

Thanks
Akanksha
I can’t tell from the log whether the browser was closed or not. However, the log shows the HTTP Post of the SAML response doesn’t include the saml-session cookie. One possibility for this is that the browser was closed. If this wasn’t the case, we need to investigate why the browser didn’t send the cookie when previous SSO sequences did see the browser sending the cookie.

Please take a look at the following article.

https://www.componentspace.com/forums/11875/Troubleshooting-Missing-Cookies

The browser developer tools will provide a reason for the browser not sending the cookie.

Let me know what you find.

[quote]
ComponentSpace - 1/4/2022
I can't tell from the log whether the browser was closed or not. However, the log shows the HTTP Post of the SAML response doesn't include the saml-session cookie. One possibility for this is that the browser was closed. If this wasn't the case, we need to investigate why the browser didn't send the cookie when previous SSO sequences did see the browser sending the cookie.

Please take a look at the following article.

https://www.componentspace.com/forums/11875/Troubleshooting-Missing-Cookies

The browser developer tools will provide a reason for the browser not sending the cookie.

Let me know what you find.
[/quote]
Could not find it there.

Thanks

Do you see anywhere in the network trace where the saml-session cookie is set?

If you close all instances of the browser and initiate SSO, you should see a set-cookie header for the saml-session cookie being returned in one of the HTTP responses.

You should be able to follow this cookie being included in subsequent HTTP requests.
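The Set-Cookie header logged earlier in the thread (Path=/; SameSite=None; Secure; HttpOnly, with no Expires or Max-Age) determines exactly when a browser will and will not send the saml-session cookie back: it is a session cookie, so it dies with the browser; incognito windows have their own jar; and Secure keeps it off plain-HTTP requests, which is why HTTPS is required. The following is an added example, not ComponentSpace code, that parses such a header and models those rules so the scenarios from this thread can be reproduced offline. parse_set_cookie, check_attributes, BrowserProfile and cookie_on_idp_post are hypothetical names, the cookie value is constructed, and the browser model is deliberately simplified.

```python
"""Added example (not ComponentSpace code): parse the saml-session Set-Cookie
header and model the browser rules that decide whether it is sent back.

The attribute list matches the header logged in the thread; the cookie value
is constructed. All function and class names here are hypothetical and the
browser behaviour is a simplified model.
"""
from typing import Dict, List, Optional

COOKIE_VALUE = "00000000-0000-4000-8000-000000000000"  # constructed placeholder
SET_COOKIE = f"saml-session={COOKIE_VALUE}; Path=/; SameSite=None; Secure; HttpOnly"


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie header into name, value and lower-cased attributes;
    bare attributes such as Secure and HttpOnly become True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def check_attributes(cookie: Dict[str, object]) -> List[str]:
    """Attributes that matter for the IdP's cross-site POST back to the SP:
    SameSite=None is needed for the cookie to travel with that POST, browsers
    only accept SameSite=None together with Secure, and HttpOnly keeps page
    scripts away from the session id."""
    attrs = cookie["attrs"]
    samesite = str(attrs.get("samesite", "")).lower()
    problems: List[str] = []
    if samesite != "none":
        problems.append("SameSite is not None: cookie will be withheld on the IdP's cross-site POST")
    elif not attrs.get("secure"):
        problems.append("SameSite=None without Secure: modern browsers reject the cookie")
    if not attrs.get("httponly"):
        problems.append("missing HttpOnly")
    return problems


class BrowserProfile:
    """One cookie jar. A normal window and an incognito window are different
    profiles; closing the browser discards cookies without Expires/Max-Age."""

    def __init__(self) -> None:
        self.jar: Dict[str, Dict[str, object]] = {}

    def receive(self, set_cookie: str) -> None:
        cookie = parse_set_cookie(set_cookie)
        attrs = cookie["attrs"]
        if str(attrs.get("samesite", "")).lower() == "none" and not attrs.get("secure"):
            return  # rejected outright by current browsers
        self.jar[cookie["name"]] = cookie

    def cookies_for(self, scheme: str, cross_site: bool) -> Dict[str, str]:
        """Cookies the browser would attach to a request."""
        sent: Dict[str, str] = {}
        for name, cookie in self.jar.items():
            attrs = cookie["attrs"]
            if attrs.get("secure") and scheme != "https":
                continue  # Secure cookies never go over plain HTTP
            samesite = str(attrs.get("samesite", "lax")).lower()
            if cross_site and samesite != "none":
                continue  # Lax/Strict cookies are withheld on a cross-site POST
            sent[name] = cookie["value"]
        return sent

    def close(self) -> None:
        """Session cookies (no Expires or Max-Age) are dropped on close."""
        self.jar = {k: c for k, c in self.jar.items()
                    if "expires" in c["attrs"] or "max-age" in c["attrs"]}


def cookie_on_idp_post(browser_closed: bool = False, incognito: bool = False,
                       scheme: str = "https") -> Optional[str]:
    """Set the cookie during the redirect to the IdP, then report whether the
    IdP's cross-site POST of the SAML response carries it. incognito=True
    models the response being posted from a profile other than the one that
    initiated SSO."""
    window = BrowserProfile()
    window.receive(SET_COOKIE)
    if browser_closed:
        window.close()
    posting = BrowserProfile() if incognito else window
    return posting.cookies_for(scheme, cross_site=True).get("saml-session")


if __name__ == "__main__":
    print(check_attributes(parse_set_cookie(SET_COOKIE)))
    for label, kwargs in [("same window", {}), ("browser closed", {"browser_closed": True}),
                          ("other profile", {"incognito": True}), ("plain http", {"scheme": "http"})]:
        print(label, "->", cookie_on_idp_post(**kwargs))
```

Only the same-window case returns the cookie value; a closed browser, a different profile, and a plain-HTTP request all come back with no saml-session cookie, which is the condition the network trace inspection suggested in this reply is meant to reveal. check_attributes also reports a header that sets SameSite=None without Secure, the combination that browsers refuse to store at all.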