ComponentSpace

Forums



Possible race condition


Possible race condition

Author
Message
janv8000
janv8000
New Member
New Member (5 reputation)New Member (5 reputation)New Member (5 reputation)New Member (5 reputation)New Member (5 reputation)New Member (5 reputation)New Member (5 reputation)New Member (5 reputation)New Member (5 reputation)

Group: Forum Members
Posts: 3, Visits: 37
I believe there's a possible race condition in SamlServiceProvider if multiple SAML flows are being started at the same time.
Any advice on how to mitigate?

Situation:

  1. New private/Incognito tab
  2. 5 applications using the same ComponentSpace instance configured 99,9% identical to sample in SAMLv20.Core-licensed\SAML for .NET Core\Examples\NET-Core-3.1\SSO\SamlProxy
  3. Those 5 applications are bookmarked in one Firefox "Bookmark folder"
  4. Manually open the first application
  5. SAML ping pong starts, login with upstream identity provider just fine
  6. Application 1: logged in => everything ok
  7. On bookmark folder "Open all in tabs"
  8. Not all the SAML flows complete succesfully because of error: ComponentSpace.Saml2.SamlServiceProvider Receiving an SSO response from a partner identity provider has failed. ComponentSpace.Saml2.Exceptions.SamlProtocolException: An SP-initiated SAML response from <REDACTED> was received unexpectedly.

Setup:
  • Applications are configured to require authentication on the first request
  • services.AddSession() //asp.net sessions
  • services.AddScoped<ISsoSessionStore, AspNetSsoSessionStore>();
  • app.UseSession();
  • <PackageReference Include="ComponentSpace.Saml2.Licensed" Version="3.3.0" />

ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)

Group: Administrators
Posts: 2.8K, Visits: 8.6K
We use a SAML session cookie to maintain SAML session state in support of the SAML protocol. Multiple tabs in the one browser instance will share the same cookie. Saved information for one SSO is overwritten by another SSO being initiated. This then results in a protocol exception.

We don't support simultaneous SSO's within the same browser and normally this isn't an issue in real-world scenarios. The limitation means that an SSO shouldn't be initiated until the previous SSO completes.


Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 3 queries. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Social Logins

Select a Forum....









Forums, Documentation & Knowledge Base - ComponentSpace


Search