ComponentSpace Forums

SAML Session Cookie - When Is It Needed?
Posted by ComponentSpace Development (Group: Administrators)
SAML session state is maintained in support of the SAML protocol. This is done using a cookie. For earlier releases of the SAML library from v2.5.0 to 2.8.8, the ASP.NET session cookie (by default named ASP.NET_SessionId) is used. For releases of the SAML library from v3.0.0 and onward a custom cookie (by default named SAML_SessionId) is used.

However, not all SAML flows require SAML session state.

Service Provider
The following sections apply if your site is acting as the service provider (SP).

IdP-initiated SSO
A SAML response is sent by the IdP to the SP.

No SAML session state is required for this flow.

SP-initiated SSO
A SAML authn request is sent by the SP to the IdP. A SAML response is sent by the IdP to the SP.

According to the SAML specification, the SAML response returned by the IdP should have an InResponseTo field that matches the authn request ID. This ties the SAML response to the authn request. The authn request ID is saved in the SAML session state so it can be checked against the InResponseTo.

If the cookie is lost between sending the SAML authn request and receiving the SAML response, the InResponseTo field cannot be checked. Consequently, this flow is treated the same as IdP-initiated SSO.

For most scenarios, this probably doesn't matter but strictly speaking it isn't correct.

IdP-initiated SLO
A SAML logout request is sent by the IdP to the SP. A SAML logout response is sent by the SP to the IdP.

No SAML session state is required for this flow.

SP-initiated SLO
A SAML logout request is sent by the SP to the IdP. A SAML logout response is sent by the IdP to the SP.

SAML session state is required for this flow.

Identity Provider
The following sections apply if your site is acting as the identity provider (IdP).

IdP-initiated SSO
A SAML response is sent by the IdP to the SP. 

No SAML session state is required for this flow.

SP-initiated SSO
A SAML authn request is sent by the SP to the IdP. A SAML response is sent by the IdP to the SP.

SAML session state is required for this flow.

IdP-initiated SLO
A SAML logout request is sent by the IdP to the SP. A SAML logout response is sent by the SP to the IdP.

SAML session state is required for this flow.

SP-initiated SLO
A SAML logout request is sent by the SP to the IdP. A SAML logout response is sent by the IdP to the SP.

No SAML session state is required for this flow.



Regards
ComponentSpace Development
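Added example, not part of the post above and not ComponentSpace library code: a minimal request/reply correlation store that shows why the flows listed above need (or do not need) SAML session state. The side that sends a request (the SP in SP-initiated SSO and SLO, the IdP in IdP-initiated SLO) records the request ID and checks the reply's InResponseTo against it; the IdP in SP-initiated SSO additionally has to park the incoming AuthnRequest ID across the login page so it can set InResponseTo on the Response. The messages, entity IDs and the `SamlSession`/`check_reply` names are constructed for the example, signatures are omitted, and the `strict` flag is an assumption showing the alternative to treating a cookie-less reply as IdP-initiated.

```python
"""Matching SAML replies to the requests that caused them via InResponseTo.
Constructed messages, not ComponentSpace API calls; XML signatures omitted."""
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ISSUER = f"{{{SAML}}}Issuer"


@dataclass
class SamlSession:
    """Per-browser SAML session state (hypothetical store). In a web app it
    sits behind a cookie such as SAML_SessionId; lose the cookie, lose this."""
    pending: dict = field(default_factory=dict)  # request ID -> partner entity ID


def new_id():
    # xs:ID must be an NCName, so lead with an underscore, never a digit.
    return "_" + secrets.token_hex(16)


def message(kind, my_entity_id, msg_id, in_response_to=None):
    """Minimal samlp message: AuthnRequest, LogoutRequest, Response, LogoutResponse."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:{kind} xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="{msg_id}" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"{attr}>'
            f'<saml:Issuer>{my_entity_id}</saml:Issuer></samlp:{kind}>')


def send_request(session, kind, my_entity_id, partner_entity_id):
    """Initiator side: remember the request ID so the reply can be checked."""
    req_id = new_id()
    session.pending[req_id] = partner_entity_id
    return req_id, message(kind, my_entity_id, req_id)


def receive_request(session, request_xml):
    """Responder side when the reply cannot be built at once (the IdP in
    SP-initiated SSO has to show a login page first): park the request ID."""
    root = ET.fromstring(request_xml)
    session.pending[root.get("ID")] = root.findtext(ISSUER)


def reply_to_pending(session, kind, my_entity_id):
    """Responder side, later: consume the parked ID and set InResponseTo."""
    req_id, _partner = session.pending.popitem()
    return message(kind, my_entity_id, new_id(), in_response_to=req_id)


def check_reply(session, reply_xml, strict=False):
    """Initiator side. session is None when the cookie was lost mid-flow.
    Outcome is 'correlated', 'unsolicited' (accepted as IdP-initiated) or 'rejected'."""
    root = ET.fromstring(reply_xml)
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        return "unsolicited", "no InResponseTo"
    if session is None:
        # The case the post describes: state is gone, so the check is skipped.
        if strict:
            return "rejected", "InResponseTo present but session state lost"
        return "unsolicited", "session state lost, InResponseTo not checked"
    partner = session.pending.pop(in_response_to, None)  # one-shot: blocks replay
    if partner is None:
        return "rejected", "InResponseTo unknown or already consumed"
    if root.findtext(ISSUER) != partner:
        return "rejected", "Issuer is not the partner the request was sent to"
    return "correlated", f"reply matches request {in_response_to}"


def demo(strict=False):
    sp, idp = "https://sp.example.com", "https://idp.example.com"  # constructed
    out = {}
    # SP-initiated SSO: both sides keep state across the exchange.
    sp_s, idp_s = SamlSession(), SamlSession()
    _, authn = send_request(sp_s, "AuthnRequest", sp, idp)
    receive_request(idp_s, authn)                  # ... user logs in at the IdP ...
    resp = reply_to_pending(idp_s, "Response", idp)
    out["sp_sso"] = check_reply(sp_s, resp, strict)
    out["sp_sso_replay"] = check_reply(sp_s, resp, strict)
    # Same flow, but the SP's cookie vanished before the Response came back.
    sp_s2 = SamlSession()
    rid2, _ = send_request(sp_s2, "AuthnRequest", sp, idp)
    out["sp_sso_cookie_lost"] = check_reply(None, message("Response", idp, new_id(), rid2), strict)
    # IdP-initiated SSO: unsolicited Response, no state needed on either side.
    out["idp_sso"] = check_reply(SamlSession(), message("Response", idp, new_id()), strict)
    # IdP-initiated SLO: the IdP is the initiator and keeps state; the SP answers at once.
    idp_s3 = SamlSession()
    rid3, _ = send_request(idp_s3, "LogoutRequest", idp, sp)
    out["idp_slo"] = check_reply(idp_s3, message("LogoutResponse", sp, new_id(), rid3), strict)
    return out


if __name__ == "__main__":
    for name, (outcome, reason) in demo().items():
        print(f"{name:20} {outcome:12} {reason}")
```

Running `demo()` shows the lenient behaviour the post describes: with the cookie gone, a Response carrying InResponseTo is accepted as if it were IdP-initiated. `demo(strict=True)` shows the alternative, rejecting it, which is what an SP that must never accept unsolicited assertions would want. Pending IDs are popped on first use, so replaying the same Response is rejected even when the cookie survives.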