ComponentSpace

Forums



Cancel a SAML SSO request


andyroz
In the following scenario, how do we cancel a request and start a new one? Or perhaps there is another way to handle this?

1. User accesses site and is redirected to SSO
2. User (for some reason) aborts the SSO login, and accesses the site again.
3. The site recognizes an SSO request is in progress, and ......should do what?

There doesn't appear to be a way to cancel the last request and start a new one. I also want to avoid having a user 'bounce' back and forward between the application site and the SSO, which means no re-login attempt, at the moment.

Thanks,

ComponentSpace
The SAML specification doesn't define a mechanism for cancelling SSO. Depending on how the user aborts the login, the IdP site may be able to send an error status SAML response to the SP site. However, this would be dependent on the IdP implementation. It might be that the user is left at the IdP site after they abort the login and SSO completion is still pending at the SP.

If the user accesses the SP site again after aborting the previous SSO, the SP should be able to initiate SSO again. The previous attempt will be discarded. The IdP should be able to respond to this second attempt and complete SSO successfully, assuming the user doesn't abort the login etc.

Regards
ComponentSpace Development
andyroz
ComponentSpace - 8/18/2020
The SAML specification doesn't define a mechanism for cancelling SSO. Depending on how the user aborts the login, the IdP site may be able to send an error status SAML response to the SP site. However, this would be dependent on the IdP implementation. It might be that the user is left at the IdP site after they abort the login and SSO completion is still pending at the SP.

If the user accesses the SP site again after aborting the previous SSO, the SP should be able to initiate SSO again. The previous attempt will be discarded. The IdP should be able to respond to this second attempt and complete SSO successfully, assuming the user doesn't abort the login etc.

OK, thanks for that.

One further thing though, how do we handle IsSsoCompletionPending, which is true in this scenario? Should this not be used in the login process? It would seem I could not get past it if the above scenario occurs.

ComponentSpace
IsSsoCompletionPending is true if a SAML authn request has been sent to the IdP and a SAML response is pending. You could use this in the login process but it isn't required. In the scenario where the user has aborted the login at the IdP we don't have knowledge of this so IsSsoCompletionPending is still true. You can initiate SSO again and it will override the previously aborted SSO.

Regards
ComponentSpace Development
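
The abort-and-retry scenario from this thread, modelled as an added example (not ComponentSpace code and not part of the original posts). It assumes the SP keeps one pending AuthnRequest ID per browser session and matches it against the response's InResponseTo; `SpSsoSession`, `login`, `abort_and_retry_demo` and the return strings are hypothetical names.

```python
import secrets


class SpSsoSession:
    """Hypothetical per-browser-session SSO state held by the SP."""

    def __init__(self):
        self.pending_request_id = None  # ID of the AuthnRequest awaiting a response
        self.user = None

    def is_sso_completion_pending(self):
        return self.pending_request_id is not None

    def initiate_sso(self):
        # A new attempt overwrites the pending ID, which discards the old attempt.
        self.pending_request_id = "_" + secrets.token_hex(16)
        return self.pending_request_id  # sent as the AuthnRequest ID

    def receive_response(self, in_response_to, success, user=None):
        # Assumes signature and other validation have already passed.
        if in_response_to is None or in_response_to != self.pending_request_id:
            return "rejected"  # response to a discarded or unknown request
        self.pending_request_id = None  # a request is answered at most once
        if not success:
            return "failed"  # IdP sent an error status, e.g. the user cancelled
        self.user = user
        return "signed-in"


def login(session):
    """Login entry point: the pending flag never blocks a fresh attempt."""
    if session.user is not None:
        return None  # already signed in, nothing to send
    return session.initiate_sso()


def abort_and_retry_demo():
    s = SpSsoSession()
    first = login(s)    # step 1: redirected to the IdP
    second = login(s)   # steps 2-3: user aborted, came back; pending was still true
    late = s.receive_response(first, True, "alice")    # stale response
    ok = s.receive_response(second, True, "alice")     # response to the retry
    return first != second, late, ok, s.is_sso_completion_pending()


if __name__ == "__main__":
    print(abort_and_retry_demo())  # constructed scenario, no real IdP involved
```

The model covers SP-initiated SSO only, so a response with no InResponseTo is rejected here.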