I've logged into a service provider with an Identity provider that does not have single logout configured so when a user logs out of our service provider, what do I do with the cookie?
Currently, the cookie remains after a logout. SLO is never initiated. Now, after that initial login and logout with the idp without SLO, another user uses the same browser (never closed) and logs in to the service provider with a different Identity provider that HAS SLO configured. When the user logs out, our code will try to set the idp configuration of what the user logged in as however, the partnerName that goes into the GetPartnerIdentityProviderConfigurationAsync is that of the first identity provider that was logged in with so setting the IdP fails.
It's a weird edge case but what's the right way to handle this? Do I need to just manually delete the saml-session cookie during the logout if SLO is not configured?
Thanks!
|