The pending SAML action is being overridden

SP Initiated SSO - “The pending SAML action is being overridden.” (componentspace.com)

Hi,

We are facing the same issue as boyd98.
We have combed over the Service Web.Config/Saml.Config and they are the same, the IDP settings are the same, and the SAML assertion is the same. It works for other cases, but for this case the page just gets stuck in an infinite loop and the log says that “this action is being overridden”.

Will send the SAML Log to the email provided in the last post.

Regards,
Adam

Thanks for sending the log file.

Please note that the “pending SAML action is being overridden” is a debug message and doesn’t necessarily indicate an error.

The log shows the following sequence:

1. SAMLServiceProvider.InitiateSLO is called to create and send a SAML logout request to the IdP.
2. SAMLServiceProvider.InitiateSSO is called to create and send a SAML authn request to the same IdP.

This results in the debug message you see as we’re expecting to receive a SAML logout response.

If the sequence was the following, you wouldn’t see this debug message:

1. SAMLServiceProvider.InitiateSLO is called to create and send a SAML logout request to the IdP.
2. SAMLServiceProvider.ReceiveSLO is called to receive and process the SAML logout response from the IdP.
3. SAMLServiceProvider.InitiateSSO is called to create and send a SAML authn request to the same IdP.

Make sure that your logout service endpoint calls SAMLServiceProvider.ReceiveSLO to receive and process the SAML logout response. This completes the SAML logout flow.

Once that completes, the user is able to again SSO to the IdP.

You can keep track of this state within your application. Alternatively, SAMLServiceProvider.IsSLOCompletionPending() returns true if a SAML logout response is pending.

[quote]
ComponentSpace - 6/23/2022
Thanks for sending the log file.

Please note that the "pending SAML action is being overridden" is a debug message and doesn't necessarily indicate an error.

The log shows the following sequence:

1. SAMLServiceProvider.InitiateSLO is called to create and send a SAML logout request to the IdP.
2. SAMLServiceProvider.InitiateSSO is called to create and send a SAML authn request to the same IdP.

This results in the debug message you see as we're expecting to receive a SAML logout response.

If the sequence was the following, you wouldn't see this debug message:

1. SAMLServiceProvider.InitiateSLO is called to create and send a SAML logout request to the IdP.
2. SAMLServiceProvider.ReceiveSLO is called to receive and process the SAML logout response from the IdP.
3. SAMLServiceProvider.InitiateSSO is called to create and send a SAML authn request to the same IdP.

Make sure that your logout service endpoint calls SAMLServiceProvider.ReceiveSLO to receive and process the SAML logout response. This completes the SAML logout flow.

Once that completes, the user is able to again SSO to the IdP.

You can keep track of this state within your application. Alternatively, SAMLServiceProvider.IsSLOCompletionPending() returns true if a SAML logout response is pending.

[/quote]

Yes, we noticed that too. The issue is we are calling SAMLServiceProvider.ReceiveSSO, so it's not even clear to us why it's attempting an SLO; it doesn't get to anywhere that should trigger an SLO. Sorry, I'm a newbie to this, so if something else can trigger a Single Logout then please let me know.

The log shows SAMLServiceProvider.InitiateSLO is being called.

Please check your code. It’s normally part of the logout sequence.

Perhaps set a breakpoint in your code or add some application logging wherever you call SAMLServiceProvider.InitiateSLO.
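
The call ordering described in this thread can be checked mechanically once the application logs its own SAML API calls, as suggested above. The following is an added example, not code from ComponentSpace or from any poster: the log format (`timestamp session=<id> call=<API name>`), the sample lines and the function name are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed application log (hypothetical format, not the ComponentSpace SAML log):
# one line per SAML API call the application makes, keyed by its own session id.
SAMPLE_LOG = """\
2022-06-23T10:00:01 session=a1 call=InitiateSLO
2022-06-23T10:00:02 session=a1 call=InitiateSSO
2022-06-23T10:00:05 session=b2 call=InitiateSLO
2022-06-23T10:00:06 session=b2 call=ReceiveSLO
2022-06-23T10:00:07 session=b2 call=InitiateSSO
2022-06-23T10:00:09 session=c3 call=InitiateSSO
2022-06-23T10:00:10 session=c3 call=ReceiveSSO
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+session=(?P<sid>\S+)\s+call=(?P<call>\w+)\s*$")

def find_overridden_logouts(log_text):
    """Return (timestamp, session) for each InitiateSSO issued while a logout
    response was still outstanding (InitiateSLO with no ReceiveSLO after it)."""
    slo_pending = defaultdict(bool)  # session id -> logout response outstanding
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not an API call record
        sid, call = m["sid"], m["call"]
        if call == "InitiateSLO":
            slo_pending[sid] = True
        elif call == "ReceiveSLO":
            slo_pending[sid] = False  # logout flow completed
        elif call == "InitiateSSO" and slo_pending[sid]:
            findings.append((m["ts"], sid))
            # Assumption of this model: the new authn request replaces the
            # pending logout, matching the "overridden" debug message.
            slo_pending[sid] = False
    return findings

if __name__ == "__main__":
    for ts, sid in find_overridden_logouts(SAMPLE_LOG):
        print(f"{ts} session {sid}: InitiateSSO while logout response pending")
```

Only session `a1` is reported: it starts SSO without processing the logout response, whereas `b2` completes the logout first and `c3` never starts one.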