What do I do with the saml-session cookie on logout without SLO?

I’ve logged into a service provider with an identity provider that does not have single logout configured, so when a user logs out of our service provider, what do I do with the cookie?

Currently, the cookie remains after a logout. SLO is never initiated. Now, after that initial login and logout with the IdP without SLO, another user uses the same browser (never closed) and logs in to the service provider with a different identity provider that HAS SLO configured. When the user logs out, our code will try to set the IdP configuration of what the user logged in as; however, the partnerName that goes into GetPartnerIdentityProviderConfigurationAsync is that of the first identity provider that was logged in with, so setting the IdP fails.

It’s a weird edge case, but what’s the right way to handle this? Do I need to just manually delete the saml-session cookie during the logout if SLO is not configured?

Thanks!

You shouldn’t have to worry about the saml-session cookie.

When the second user completes SSO, the old details in the saml-session cookie will be overwritten with the new SSO details. These will be used during the SLO.

Where are you getting the partnerName from that you’re passing into GetPartnerIdentityProviderConfigurationAsync?

It might help if you turn on SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace

Please capture the first SSO, second SSO and SLO.

[quote]
ComponentSpace - 11/18/2020
You shouldn't have to worry about the saml-session cookie.

When the second user completes SSO, the old details in the saml-session cookie will be overwritten with the new SSO details. These will be used during the SLO.

Where are you getting the partnerName from that you're passing into GetPartnerIdentityProviderConfigurationAsync?

It might help if you turn on SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace

Please capture the first SSO, second SSO and SLO.
[/quote]

I'm calling SetConfigurationIDAsync. I've overridden the resolver GetPartnerIdentityProviderConfigurationAsync(string configurationID, string partnerName), and the partnerName is getting passed in magically. I'm assuming it's coming from whatever is in the session.

I'll get a trace going and send that over.

Thanks for the clarification. I’ll look at the trace as soon as it arrives.