ComponentSpace

Forums



There is no pending service provider authentication request


There is no pending service provider authentication request

Author
Message
lexugax
lexugax
New Member
New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)

Group: Forum Members
Posts: 2, Visits: 3
Greetings.
I have an issue where a call to SAMLIdentityProvider.SendSSO() keeps throwing the no pending request exception.
From what I have read in the forums, I believe my problem might have to do with the session being overwritten, but I'd like an opinion on this.
My case is as follows.
My app receives an SP request from a third party. If the user is not already authenticated, the app figures out what domain the user's email belongs to (we have multiple domains) and creates a new SP initiated request to that domain (which could be the same one which received the third party request).
The second request is received, the user logs in, and a response to the second request is sent. Once the second response is received with the user's attributes, a response to the original third party request is created. This last response call to SendSSO is what is throwing the execption.
As I said, I think my second request might be overwriting the session which is why I can't respond to the first request. Am I correct? If so, how can I work around this?
Thanks.
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (3.8K reputation)ComponentSpace Development (3.8K reputation)ComponentSpace Development (3.8K reputation)ComponentSpace Development (3.8K reputation)ComponentSpace Development (3.8K reputation)ComponentSpace Development (3.8K reputation)ComponentSpace Development (3.8K reputation)ComponentSpace Development (3.8K reputation)ComponentSpace Development (3.8K reputation)

Group: Administrators
Posts: 2.7K, Visits: 8.4K
If it's the same domain, does that mean your IdP app sends a SAML authn request to itself? If so, this will overwrite the original pending SAML authn request from the 3rd party.

I can understand how you could delegate the login by sending a SAML authn request to a different IdP (see our SamlProxy project for an example of this) but I'm not sure why you would send a SAML authn request to yourself. If you're the IdP and it's your domain, wouldn't you just prompt the user to login?

I may not be understanding your scenario so please elaborate if that's the case.

It might also be useful if you could enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace


Regards
ComponentSpace Development
lexugax
lexugax
New Member
New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)

Group: Forum Members
Posts: 2, Visits: 3
ComponentSpace - 11/12/2020
If it's the same domain, does that mean your IdP app sends a SAML authn request to itself? If so, this will overwrite the original pending SAML authn request from the 3rd party.

I can understand how you could delegate the login by sending a SAML authn request to a different IdP (see our SamlProxy project for an example of this) but I'm not sure why you would send a SAML authn request to yourself. If you're the IdP and it's your domain, wouldn't you just prompt the user to login?

I may not be understanding your scenario so please elaborate if that's the case.

It might also be useful if you could enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

Yes, it is sending a SAML request to itself. It does sound a little absurd, but we were just re-utilizing the same code that would send the login request to another domain. I guess it is worth differentiating and just prompting the user for login as you mention. But this validates what I already suspected. Thanks! 
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (3.8K reputation)ComponentSpace Development (3.8K reputation)ComponentSpace Development (3.8K reputation)ComponentSpace Development (3.8K reputation)ComponentSpace Development (3.8K reputation)ComponentSpace Development (3.8K reputation)ComponentSpace Development (3.8K reputation)ComponentSpace Development (3.8K reputation)ComponentSpace Development (3.8K reputation)

Group: Administrators
Posts: 2.7K, Visits: 8.4K
You're welcome. We only keep a single pending state for any browser session so I guess this is a limitation. However, it usually isn't an issue and making the differentiation as you mentioned sounds like a good idea.

Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 4 queries. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Social Logins

Select a Forum....









Forums, Documentation & Knowledge Base - ComponentSpace


Search