Forums, Documentation & Knowledge Base - ComponentSpace

mixing SP and IDP initiated authentication flows


https://www.componentspace.com/forums/Topic11129.aspx

By rogerr - 8/28/2020

My application supports both SP and IDP initiated authentication, using a common AssertionConsumerService endpoint.
Both flows work fine, except in one situation.
If a user causes an SP initiated auth request to be sent to the IDP, but then while sitting on the IDP's auth page navigates to that same IDP's site that generates an IDP initiated request, then when my assertion consumer method does the ReceiveSSO call, it gets an error saying that an unexpected IDP initiated response was received.
If I clear all the cookies (from my provider site) and go to the IDP site and do IDP initiated again, it will work.
I hope that made sense.

It's probably a little edge-casey, but is that the expected behavior?

Thanks
roger

By ComponentSpace - 8/28/2020

That's the default expected behavior. The SP is expecting a SAML response in response to the SAML authn request sent as part of SP-initiated SSO. If this is interrupted with an IdP-initiated SSO, the SP doesn't know this has happened and we report the fact the SP-initiated SSO flow didn't complete correctly.

You can set OverridePendingAuthnRequest="true" in the <PartnerIdentityProvider> configuration. This means SP-initiated SSO can be overridden by IdP-initiated SSO and you shouldn't get an error in this scenario.
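As an added illustration (not configuration from this thread or from ComponentSpace's own documentation), the saml.config fragment below shows a `<PartnerIdentityProvider>` entry with the override switched on. Only `PartnerIdentityProvider` and `OverridePendingAuthnRequest` come from the reply above; the remaining attribute names (`Name`, `SingleSignOnServiceUrl`, `PartnerCertificateFile`, `SignAuthnRequest`, `WantAssertionSigned`) are assumed from a typical SAML v2.0 for ASP.NET configuration, and the entity ID, URL and certificate file name are placeholders.

```xml
<!-- Added example, not the project's own configuration.
     Attribute names other than OverridePendingAuthnRequest are assumptions. -->
<PartnerIdentityProviders>
  <!-- Default behaviour: the attribute is absent, so an unsolicited (IdP-initiated)
       SAML response that arrives while an AuthnRequest is still pending is rejected
       with the "unexpected IdP-initiated response" error described in the thread. -->
  <PartnerIdentityProvider
      Name="https://idp.example.com/placeholder"
      SingleSignOnServiceUrl="https://idp.example.com/placeholder/sso"
      PartnerCertificateFile="idp-placeholder.cer"
      SignAuthnRequest="true"
      WantAssertionSigned="true" />

  <!-- Override enabled: the pending AuthnRequest is discarded and the IdP-initiated
       response is accepted, so the user can switch flows mid-login without an error. -->
  <PartnerIdentityProvider
      Name="https://idp.example.com/placeholder"
      SingleSignOnServiceUrl="https://idp.example.com/placeholder/sso"
      PartnerCertificateFile="idp-placeholder.cer"
      SignAuthnRequest="true"
      WantAssertionSigned="true"
      OverridePendingAuthnRequest="true" />
</PartnerIdentityProviders>
```

The trade-off worth keeping in mind: with the override on, a response accepted during a pending SP-initiated flow is not tied to that flow's AuthnRequest ID (there is no InResponseTo to match), so the SP is relying entirely on the response and assertion signatures, the partner certificate, and the assertion's audience and validity window to trust it. Keep those checks strict, and treat any RelayState carried by the unsolicited response as untrusted input rather than as the state the SP itself sent.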