Setting SAMLController.ConfigurationID removes the pending authentication request

We are planning the use multi-tenancy by using the URI to decide which IDP we’re going to use.
We use the following code:

public async Task SsoServiceForBrin(string idp, [System.Web.Http.FromBody] string samlrequest)
var configurationId = _configuration.GetConfigurationIdFromProviderId(idp);
SAMLController.ConfigurationID = configurationId;
// ConfigurationID is set in Redis with the provided configurationID

SAMLIdentityProvider.ReceiveSSO(Request, out var partnerSp);
// ConfigurationID is now gone in Redis

return RedirectToAction(“SsoServicePostLogin”, new { sid = temporarySessionId });

public async Task SsoServicePostLogin(string sid)
SAMLController.ConfigurationID = RetrieveSession(sid);
// ConfigurationID is set in Redis with the provided configurationID
// → AND removing the pending authentication request

SAMLIdentityProvider.SendSSO(Response, nepri, attributes);
// An error is shown “There is no pending service provider authentication request”
// Which makes sense because it’s overwritten with the ConfigurationID

return new EmptyResult();
// Load configuration at runtime.
private GetConfigurationIdFromProviderId(string idp)
var samlConfiguration = new SAMLConfiguration
ID = providerId,
LocalIdentityProviderConfiguration = new LocalIdentityProviderConfiguration
Name = GetEntityIdForProviderId(providerId),
Description = $“Tenant {providerId}”,
LocalCertificateFile = locationPath,
LocalCertificatePassword = password,
PartnerServiceProviderConfigurations = SAMLConfigurationFile.Load(“config/saml-idp.config”).First().Value.PartnerServiceProviderConfigurations // Loading them from the configuration file
SAMLController.Configurations.Add(providerId, samlConfiguration);

We store these sessions in Redis. Without setting the SAMLController.ConfigurationID it is working for a single tenant.
It returns an error that there is no pending service provider authentication request.

What are we doing wrong? I expected that the ConfigurationID is stored in the pending authentication request.
We user version 2.8.0

Thanks in advance.
René Bosma

Hi René,
Setting the SAMLController.COnfigurationID should’t cause this error. Instead, it occurs if you call SAMLIdentityProvider.SendSSO with no prior call to SAMLIdentityProvider.ReceiveSSO or the SAML session state used to remember the previous SAMLIdentityProvider.ReceiveSSO isn’t present. In version 2.8.0 the SAML session state is stored in the ASP.NET session. Is it possible the ASP.NET session has been cleared? Are you using a web farm and, if so, are you either using a central store for the ASP.NET sessions or a load balancer with sticky sessions? If not, the ReceiveSSO and SendSSO calls could be occurring on different servers.
If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to mentioning your forum post.

We have an implementation of the AbstractSSOSessionStore for Redis. Setting it at SAMLController.SSOSessionStore.
I am running this locally on my development machine.

I will create a trace. Thanks

Ok, thanks.

ComponentSpace - 6/17/2019
Ok, thanks.

Here is the log

I’ve found the problem. We had an implementation of the AbstractSSOSessionStore. Apparently only for a single tenant. We did nothing with the type. That’s why it was overwritten. public override object Load(Type type)

public override object Load(Type type){}
public override void Save(object ssoSession){}

That was a gotcha! It makes sense now. Do you have documentation that addresses this?


Thanks for the update and the comments regarding the documentation. I’ll see that we make this clearer in a future documentation update.