SP initiated SSO - There is no pending service provider authentication request.

Hi there,

I am new to Component Space and managed to run the highlevelAPI examples provided. However, I am running into an issue by using a custom handler .ashx. Basically, I have set myself as IDP in this case. Here are the steps.

1. SP initiates the SSO through a third party.
2. Redirect to my website, which is an IDP, via SAMLIdentityProvider.ReceiveSSO
3. Redirect to custom login page.
4. Login successful, redirect back to SSOService.ashx
5. I then see the error message “There is no pending service provider authentication request.” on line SAMLIdentityProvider.SendSSO(context.Response, userName, attributes);

Can you help please? I reckon it might be due to step 3, which redirected using a CMS redirect helper class. What is the Response needed via SendSSO?

Thanks,
Pay

Hi Pay,
We use a SAML session cookie to remember the SAML session state including whether a service provider authentication request is pending a response.
It sounds like this cookie is not being returned by the browser as part of the redirect.
I suggest using the browser developer tools to capture the HTTP traffic. You should see the “SAML_SessionId” cookie being set at the time of the SAMLServiceProvider.ReceiveSSO call. Hopefully the HTTP traffic capture will help you find why the browser isn’t returning the cookie.
By default we mark the cookie as secure so if you’re using HTTP rather than HTTPS this will stop the browser sending the cookie. You can change this setting if required although our recommendation is to use HTTPS and a secure cookie.


using ComponentSpace.SAML2.Data;

SessionIDDelegates.SecureSAMLCookie = false;

If you’re not sure what the issue is, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

Also save the browser network traffic capture as a HAR file and include this as an email attachment. Alternatively, use Fiddler for the capture and send the SAZ file.
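
An added example, not part of the original thread and not ComponentSpace code: a Python check over a HAR capture that reports each request sent without the “SAML_SessionId” cookie after a response set it, and says whether the Secure flag on a plain-HTTP request explains it. The capture below is constructed for illustration, and the Login.aspx path is an assumed name for the custom login page.

```python
from urllib.parse import urlsplit

COOKIE = "SAML_SessionId"  # cookie name quoted in the thread

def _values(msg, header):
    """All values of one header in a HAR request/response object."""
    return [h["value"] for h in msg.get("headers", []) if h["name"].lower() == header]

def find_dropped_cookie(har, cookie=COOKIE):
    """List requests made after the cookie was set that did not carry it."""
    issued, findings = {}, []          # issued: host -> was it set with Secure?
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        url = urlsplit(req["url"])
        sent = any(pair.strip().split("=", 1)[0] == cookie
                   for value in _values(req, "cookie") for pair in value.split(";"))
        if url.hostname in issued and not sent:
            if issued[url.hostname] and url.scheme == "http":
                reason = "Secure cookie not returned over plain HTTP"
            else:
                reason = "not returned: check Path, Domain, SameSite, expiry"
            findings.append((req["url"], reason))
        for value in _values(resp, "set-cookie"):
            for line in value.split("\n"):   # some exporters join headers with \n
                name, *attrs = [p.strip() for p in line.split(";")]
                if name.split("=", 1)[0] == cookie:
                    issued[url.hostname] = "secure" in {a.lower() for a in attrs}
    return findings

def sample_har(scheme):
    """Constructed capture of the flow in the thread; Login.aspx is a made-up path."""
    base = f"{scheme}://localhost"
    jar = []                             # tiny browser model: honours Secure only
    def entry(path, set_cookie=None):
        req = {"url": base + path, "headers": [{"name": "Cookie", "value": c} for c in jar]}
        resp = {"headers": []}
        if set_cookie:
            resp["headers"].append({"name": "Set-Cookie", "value": set_cookie})
            if scheme == "https" or "secure" not in set_cookie.lower():
                jar.append(set_cookie.split(";")[0])
        return {"request": req, "response": resp}
    return {"log": {"entries": [
        entry("/SSOService.ashx", f"{COOKIE}=constructed-id; path=/; secure; HttpOnly"),
        entry("/Login.aspx"),
        entry("/SSOService.ashx"),
    ]}}

if __name__ == "__main__":
    for url, reason in find_dropped_cookie(sample_har("http")):
        print(url, "->", reason)
```

To run it on a real capture, load the exported file with `json.load` and pass the resulting dictionary to `find_dropped_cookie`.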

Hi there,

Thank you. By using SessionIDDelegates.SecureSAMLCookie = false; it does do the trick.

Regards,
Pay

Thanks for the update. Our recommendation is to use HTTPS and a secure cookie but this depends on your particular circumstances of course.

[quote]
ComponentSpace - 6/19/2019
Thanks for the update. Our recommendation is to use HTTPS and a secure cookie but this depends on your particular circumstances of course.
[/quote]

Yes, aware about that. It was the localhost that I am currently trying to integrate.

Fair enough.