mixing SP and IDP initiated authentication flows


rogerr
My application supports both SP and IDP initiated authentication, using a common AssertionConsumerService endpoint.
Both flows work fine, except in one situation.
If a user causes an SP initiated auth request to be sent to the IDP, but then while sitting on the IDP's auth page navigates to that same IDP's site that generates an IDP initiated request, then when my assertion consumer method does the ReceiveSSO call, it gets an error saying that an unexpected IDP initiated response was received.
If I clear all the cookies (from my provider site) and go to the IDP site and do IDP initiated again, it will work.
I hope that made sense.

It's probably a little edge-casey, but is that the expected behavior?

Thanks
roger


ComponentSpace
That's the default expected behavior. The SP is expecting a SAML response in response to the SAML authn request sent as part of SP-initiated SSO. If this is interrupted with an IdP-initiated SSO, the SP doesn't know this has happened and we report the fact the SP-initiated SSO flow didn't complete correctly.

You can set OverridePendingAuthnRequest="true" in the <PartnerIdentityProvider> configuration. This means SP-initiated SSO can be overridden by IdP-initiated SSO and you shouldn't get an error in this scenario.





Regards
ComponentSpace Development
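
The behaviour discussed in this thread, as a simplified model added here for illustration (it is not ComponentSpace code): the SP session remembers the outstanding authn request and checks each response against it. All class and method names are hypothetical; only the OverridePendingAuthnRequest flag name comes from the reply above, and rejecting a late response to an abandoned request is an assumption of this model.

```python
# Simplified model of SP-side SSO session state (constructed for illustration;
# not ComponentSpace code). All names below are hypothetical.
from dataclasses import dataclass
from typing import Optional


class UnexpectedResponse(Exception):
    """Raised when a SAML response does not match the SP's pending state."""


@dataclass
class SamlResponse:
    issuer: str
    in_response_to: Optional[str]  # None means IdP-initiated (unsolicited)


@dataclass
class SpSession:
    override_pending_authn_request: bool = False  # models the config flag
    pending_request_id: Optional[str] = None      # lives in the cookie-backed session

    def initiate_sso(self, request_id: str) -> None:
        # SP-initiated flow: remember which authn request is outstanding.
        self.pending_request_id = request_id

    def receive_sso(self, resp: SamlResponse) -> str:
        pending = self.pending_request_id
        if resp.in_response_to is None:
            # Unsolicited response while an authn request is still outstanding:
            # rejected by default, accepted only when the override is set.
            if pending is not None and not self.override_pending_authn_request:
                raise UnexpectedResponse("unexpected IdP-initiated response")
            self.pending_request_id = None  # abandon the interrupted flow
            return "idp-initiated"
        # Solicited response: it must answer the request this session sent
        # (assumption of this model: a stale or unknown ID is rejected).
        if resp.in_response_to != pending:
            raise UnexpectedResponse("InResponseTo does not match pending request")
        self.pending_request_id = None
        return "sp-initiated"
```

In this model a fresh `SpSession()` corresponds to clearing the SP's cookies, which is why the IdP-initiated login succeeds afterwards without the override.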