Anyone aware of a browser cache on the URL sent to a SP?
Our setup is that we're the IdP, and a list of service providers is shown once a user has logged in. When a user clicks one of the SPs' logos, we use InitiateSsoAsync to log them into the SP and the current browser tab is replaced with the SP's website.
I was testing some possible scenarios for regression/security testing and I noticed that when a user didn't log out successfully from an SP (failure or otherwise), if they logged out of our IdP, then logged back in as a "different" user, then clicked the same SP, the previous user's account is shown when you land on the SP's site. BUT, if I perform the same action back on our page, but action the URL click as opening in a "new tab/window", it does correctly show the user who's logged in via our IdP. Smells like a cache issue?
This only happens for one of the SPs we're hooked up with. The same user, either A or B, correctly logs into other SPs and sees their dashboard; just this one particular SP seems to be cached.
I've checked the SAML assertion token and the correct NameID for the user is passed to the SP.
Very weird. Any suggestions?