SLO request results in Azure error: "session index does not match the existing sessions"


nnakova
We have implemented an SSO service provider using the latest version of the ComponentSpace dll (6.0.0). In our application you can select multiple databases, and each database has to authenticate with the identity provider. So we can have a case where two consecutive SAML authentication requests could be sent to the identity provider (Azure). We get an error from Azure with the following steps:
1. database 1 sends authentication request to our Azure identity provider and authentication response is received
2. database 2 sends authentication request to our Azure identity provider and authentication response is received
3. database 1 sends logout request to our Azure identity provider
4. Azure throws the following error:
AADSTS50070: Signout failed. The request specified session indexes '_89e7f9bc-aac7-4997-ad30-596494a46900' which did not match the existing session(s).

I enabled SAML Trace and looked through the log file, and it shows that the SAML logout request that is sent to Azure contains the wrong session index value. In the SSO session store there are 2 session state entries that are identical except for the session index value, and ComponentSpace seems to just be reading the first entry and putting its session index value in the SAML logout request. But that is the session index returned in the SAML response to our first authentication request, which Azure discards when it receives our second authentication request. So Azure throws the error that it can't find the session index.

Is there a way to make sure that the logout request is generated using the session index returned in response to the latest authentication request? Or another way that we can prevent this logout error?

I am attaching the SAML Trace log file.

Attachments
2022-12-12-logout_error.txt (0 views, 101.00 KB)
ComponentSpace
In version 6.0.0, we added support for multiple pending SSO connections to the same IdP within the one browser session. This means we remember the state for each of these SAML sessions. Azure doesn't have this type of support and only remembers the most recent SAML session.

When the SP initiates logout, we log out the earliest SAML session. This causes the error you're seeing in Azure.

To accommodate partner providers that only remember the most recent SAML session, we'll make a change to log out the most recent SAML session instead.

This should support both scenarios.

Please contact [email protected] mentioning your forum post to receive a beta.

Regards
ComponentSpace Development
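
A diagnostic for the mismatch discussed in this thread, as an added example that is not part of the original posts and is not ComponentSpace's code: it reads the SessionIndex values from captured SAML responses and classifies the SessionIndex in a logout request as latest, stale or unknown. The XML samples, the second session index, the timestamps and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted XML, parse with defusedxml instead

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def sample_response(session_index, instant):
    """Constructed, minimal SAML response with only the fields this check reads."""
    return ('<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}"><saml:Assertion>'
            '<saml:AuthnStatement AuthnInstant="{t}" SessionIndex="{s}"/>'
            '</saml:Assertion></samlp:Response>').format(t=instant, s=session_index, **NS)

def sample_logout(session_index):
    """Constructed, minimal SP-initiated LogoutRequest."""
    return ('<samlp:LogoutRequest xmlns:samlp="{samlp}">'
            '<samlp:SessionIndex>{s}</samlp:SessionIndex>'
            '</samlp:LogoutRequest>').format(s=session_index, samlp=NS["samlp"])

def issued_sessions(response_xml):
    """Return (AuthnInstant, SessionIndex) for every AuthnStatement in a response."""
    root = ET.fromstring(response_xml)
    return [(a.get("AuthnInstant"), a.get("SessionIndex"))
            for a in root.iterfind(".//saml:AuthnStatement", NS)]

def check_logout(responses, logout_xml):
    """Classify each SessionIndex in a LogoutRequest against the sessions issued so far.

    Assumes AuthnInstant values are UTC timestamps in one format, so that string
    order equals time order.
    """
    issued = sorted(p for r in responses for p in issued_sessions(r))
    latest = issued[-1][1] if issued else None
    known = {index for _, index in issued}
    verdicts = {}
    for el in ET.fromstring(logout_xml).iterfind("samlp:SessionIndex", NS):
        sent = (el.text or "").strip()
        if sent == latest:
            verdicts[sent] = "latest"   # what an IdP keeping one session expects
        elif sent in known:
            verdicts[sent] = "stale"    # the case the thread reports as AADSTS50070
        else:
            verdicts[sent] = "unknown"  # never issued in the captured responses
    return verdicts

if __name__ == "__main__":
    first = sample_response("_89e7f9bc-aac7-4997-ad30-596494a46900", "2022-12-12T10:00:00Z")
    second = sample_response("_constructed-second-session", "2022-12-12T10:05:00Z")
    print(check_logout([first, second], sample_logout("_89e7f9bc-aac7-4997-ad30-596494a46900")))
```

Run over the messages extracted from a SAML trace, a "stale" verdict points at the SP's session store selecting an older entry rather than at the IdP configuration.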
nnakova
Thank you for your help. The problem is fixed in the new version 6.1.
ComponentSpace
Thanks for the confirmation.

Regards
ComponentSpace Development