We use a SAML session cookie to support the SAML protocol and maintain SAML session state.
This state includes whether SAML SSO has completed and therefore SLO is possible.
By default this cookie is marked as secure.
The log includes:
"The SAML session cookie is marked as secure but the protocol is not HTTPS."
As HTTPS isn't being used, the browser is not returning the cookie and therefore we’ve lost track of the SAML session state.
The best option is to use HTTPS for all communications.
Alternatively, specify that the SAML session cookie shouldn’t be marked as secure.
protected void Application_Start(object sender, EventArgs e)
{
    SessionIDDelegates.SecureSAMLCookie = false;
}
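
The failure described above, modeled as an added example (not code from the original page or from the product): .NET's CookieContainer stands in for the browser, and the cookie name, session id, host and the SessionSurvives helper are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

static class SamlCookieDemo
{
    // Constructed placeholders: cookie name, session id and host are not from the product.
    const string CookieName = "saml-session";
    const string SessionId = "constructed-session-id";
    const string Host = "sp.example.test";

    // Server-side SAML session state keyed by the cookie value.
    static readonly Dictionary<string, bool> SsoCompleted = new Dictionary<string, bool>();

    // Models one SSO followed by a later request to the same site. Returns
    // true if the site can still find the SAML session state (so SLO is possible).
    static bool SessionSurvives(string scheme, bool secureCookie)
    {
        var siteUrl = new Uri(scheme + "://" + Host + "/");
        var browser = new CookieContainer();

        // SSO completes: the site records state and sets the session cookie.
        SsoCompleted[SessionId] = true;
        browser.Add(new Cookie(CookieName, SessionId, "/", Host)
        {
            Secure = secureCookie,
            HttpOnly = true
        });

        // Later request: the client attaches Secure cookies to HTTPS URLs only.
        string header = browser.GetCookieHeader(siteUrl);
        if (string.IsNullOrEmpty(header))
            return false; // no cookie returned, so the state cannot be found

        string returnedId = header.Substring(header.IndexOf('=') + 1);
        return SsoCompleted.TryGetValue(returnedId, out bool done) && done;
    }

    static void Main()
    {
        Console.WriteLine("http  + Secure cookie:     " + SessionSurvives("http", true));
        Console.WriteLine("https + Secure cookie:     " + SessionSurvives("https", true));
        Console.WriteLine("http  + non-secure cookie: " + SessionSurvives("http", false));
    }
}
```

The third case corresponds to setting SecureSAMLCookie to false: the session state is found again, but the cookie is then sent over plain HTTP, which is why HTTPS is the preferred fix.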