ComponentSpace

Forums



Regarding saml-session and saml-session id
akanksha10
Hi Team,
Hope you are doing well.
I am facing two issues:
1. The saml-session below is not being generated if the user has logged in more than once. The scenario is: when I log in for the first time, it works fine and creates the session ID and session, but when I log in with the same user from incognito mode, it gives the error "Received unexpected from Identity provider".
2. There is a Saml-sessionid being generated. Can we make that https?

Thanks
Akanksha


ComponentSpace
We use a saml-session cookie to maintain SAML session state in support of the SAML protocol. This cookie is marked as SameSite=None and Secure. This means that you must use HTTPS.

If you use incognito mode, the saml-session cookie won't be sent by the browser. We won't have SAML session state and you'll get the error you're seeing.

Regards
ComponentSpace Development
akanksha10
Is there any way to sort this out in incognito?
Also, this error comes when the same user closes the browser windows, then opens a new window and logs in.


ComponentSpace
If you switch to incognito mode, you don't get any session cookies including the saml-session cookie. The same applies if you close the browser and open a new instance. All session cookies are deleted by the browser. It's the way session cookies work.

You can disable some of the security checks we make that rely on the saml-session cookie. For example, you can specify "DisableInResponseToCheck": true under the PartnerIdentityProvider configuration. However, this isn't recommended. 

Regards
ComponentSpace Development
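
Why a missing saml-session cookie leads to this error, and what the check protects, shown as an added Python example that is not ComponentSpace code: a simplified model in which the SP files the ID of the authn request it sent under the cookie value. The class and method names, and the modelled effect of disabling the check, are assumptions.

```python
import uuid

class UnexpectedResponse(Exception):
    """A response that cannot be tied to a request this browser started."""

class ServiceProvider:
    # Simplified model (assumption): server-side state keyed by the value of
    # a session cookie, the role the saml-session cookie plays in this thread.
    def __init__(self, disable_in_response_to_check=False):
        self.disable_check = disable_in_response_to_check
        self.pending = {}  # cookie value -> ID of the authn request sent

    def initiate_sso(self):
        cookie = str(uuid.uuid4())
        request_id = "_" + str(uuid.uuid4())
        self.pending[cookie] = request_id
        return cookie, request_id  # cookie goes to the browser, ID to the IdP

    def receive_response(self, cookie, in_response_to):
        if self.disable_check:
            # Nothing binds the response to a login this browser began.
            return "accepted without request binding"
        expected = self.pending.pop(cookie, None) if cookie else None
        if expected is None:
            raise UnexpectedResponse("SP-initiated response received unexpectedly")
        if in_response_to != expected:
            raise UnexpectedResponse("InResponseTo does not match pending request")
        return "accepted"

def demo():
    results = {}
    sp = ServiceProvider()
    cookie, req = sp.initiate_sso()
    results["cookie_returned"] = sp.receive_response(cookie, req)
    cases = {"cookie_lost": lambda c, r: (None, r),        # browser closed mid-flow
             "wrong_id": lambda c, r: (c, "_other-request")}
    for name, mutate in cases.items():
        cookie, req = sp.initiate_sso()
        try:
            sp.receive_response(*mutate(cookie, req))
        except UnexpectedResponse as exc:
            results[name] = str(exc)
    relaxed = ServiceProvider(disable_in_response_to_check=True)
    results["check_disabled"] = relaxed.receive_response(None, "_never-sent")
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```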
akanksha10
ComponentSpace - 12/29/2021
If you switch to incognito mode, you don't get any session cookies including the saml-session cookie. The same applies if you close the browser and open a new instance. All session cookies are deleted by the browser. It's the way session cookies work.

You can disable some of the security checks we make that rely on the saml-session cookie. For example, you can specify "DisableInResponseToCheck": true under the PartnerIdentityProvider configuration. However, this isn't recommended. 

So when I close the browser, it should work with a new session, but it still gives the error and then the only way for that to work is iisreset. Am I missing any code?
ComponentSpace
I suggest using the browser developer tools (F12) to take a look at the network traffic/cookies. Check that the saml-session cookie isn't being sent by the browser after closing it. If it is, it means there's another instance of the browser which is keeping the saml-session cookie alive. If you close all instances of the browser, all session cookies should be deleted.

If there's still an issue, please enable SAML trace and send the generated log file as an email attachment to [email protected] mentioning your forum post.

https://www.componentspace.com/forums/7936/Enabling-SAML-Trace


Regards
ComponentSpace Development
akanksha10
ComponentSpace - 12/29/2021
I suggest using the browser developer tools (F12) to take a look at the network traffic/cookies. Check that the saml-session cookie isn't being sent by the browser after closing it. If it is, it means there's another instance of the browser which is keeping the saml-session cookie alive. If you close all instances of the browser, all session cookies should be deleted.

If there's still an issue, please enable SAML trace and send the generated log file as an email attachment to [email protected] mentioning your forum post.

https://www.componentspace.com/forums/7936/Enabling-SAML-Trace

Hi Team,
The case is happening when the user closes the browser: all cookies and sessions are getting cleared out, but when the user tries to log in with a new instance, saml-session is not present, which gives the error in AssertionConsumerService.
Connection ID ""14195346027082419543"", Request ID ""80000d5c-0000-c500-b63f-84710c7967bb"": An unhandled exception was thrown by the application.
ComponentSpace.Saml2.Exceptions.SamlProtocolException: An SP-initiated SAML response from <IDP> was received unexpectedly.

Thanks

ComponentSpace
This error means an SP-initiated SAML response was received from the IdP but either no SAML authn request was previously sent or it was and we have lost knowledge of this (ie the saml-session cookie was lost).

If the browser was closed, I'm not sure how the original SSO flow was then picked up (ie how you received the SAML response at your AssertionConsumerService).

We would need to see the SAML log file as previously mentioned.

Regards
ComponentSpace Development
akanksha10
ComponentSpace - 12/30/2021
This error means an SP-initiated SAML response was received from the IdP but either no SAML authn request was previously sent or it was and we have lost knowledge of this (ie the saml-session cookie was lost).

If the browser was closed, I'm not sure how the original SSO flow was then picked up (ie how you received the SAML response at your AssertionConsumerService).

We would need to see the SAML log file as previously mentioned.

Hi Team, 
I have mailed the logs on the said id. Please let me know the issue. Quick help will be appreciated.
Thanks
Akanksha
ComponentSpace
Thanks for sending the log. I've copied the relevant obfuscated section below.

At 01:51:49, InitiateSsoAsync is called and the SAML authn request is sent. The saml-session cookie value is af9ad8b5-1d2b-499c-b2c4-f30984238379 and the corresponding SAML session state is in memory.

Ten seconds later, ReceiveSsoAsync is called and the SAML response is received. No saml-session cookie is included with the HTTP POST of the SAML response. Therefore, a new saml-session cookie with value 1c14cdb6-51a0-4499-b266-c8840c281813 is set. There is now no corresponding SAML session state in memory.

As a SAML response is received and we have no SAML session state, we throw the "An SP-initiated SAML response from https://XXXXXX.hijkl was received unexpectedly" exception.

This is as expected. If the browser is closed and therefore the saml-session and all other session cookies are deleted, we don't have SAML session state and cannot process the SAML response.

The user shouldn't close the browser halfway through SSO. However, it is OK to complete SSO, close the browser and complete SSO a second time.

2021-12-31 01:51:49.201 -05:00 [DBG] SAML session state (af9ad8b5-1d2b-499c-b2c4-f30984238379):
SP state:
Pending response state:
Action: ReceiveSamlResponse
Partner name: https://XXXXXX.hijkl
Relay state:
In response to: _74018add-79b1-4df6-8469-eb16a24c183b
SSO session state:
Partner name: https://XXXXXX.hijkl
Name ID: <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">XXXX</saml:NameID>
Session index: _afac68ac-b320-42c3-8d07-93bef9cabdfd

2021-12-31 01:51:49.204 -05:00 [DBG] Initiation of SSO to the partner identity provider https://XXXXXX.hijkl has completed successfully.


2021-12-31 01:51:59.083 -05:00 [DBG] The SSO session ID 1c14cdb6-51a0-4499-b266-c8840c281813 has been saved to the saml-session cookie.
2021-12-31 01:51:59.086 -05:00 [DBG] HTTP cookie: saml-session=1c14cdb6-51a0-4499-b266-c8840c281813; Path=/; SameSite=None; Secure; HttpOnly
2021-12-31 01:51:59.089 -05:00 [DBG] SSO session state is being initialized.
2021-12-31 01:51:59.091 -05:00 [DBG] SSO session state for saml-session-1c14cdb6-51a0-4499-b266-c8840c281813-SamlState is being saved to the distributed cache.
2021-12-31 01:52:14.677 -05:00 [DBG] Receiving an SSO response from a partner identity provider.
2021-12-31 01:52:14.689 -05:00 [DBG] SAML session state (1c14cdb6-51a0-4499-b266-c8840c281813):
SP state:



Regards
ComponentSpace Development
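
The correlation done by hand in the reply above, as an added Python example that is not ComponentSpace code: it flags a SAML response processed under a saml-session ID that never had a pending authn request, and lists the requests still outstanding under other IDs. The sample log lines are constructed in the format of the excerpt, and the function name is hypothetical.

```python
import re

STATE = re.compile(r"SAML session state \(([0-9a-f-]+)\):")
PENDING = re.compile(r"^\s*In response to:\s*(\S+)")
RECEIVING = "Receiving an SSO response"

# Constructed sample modelled on the trace format quoted in the thread.
LOG = """\
2021-01-01 10:00:00.000 -05:00 [DBG] SAML session state (11111111-aaaa-4aaa-8aaa-111111111111):
SP state:
Pending response state:
Action: ReceiveSamlResponse
In response to: _req-1
2021-01-01 10:00:10.000 -05:00 [DBG] The SSO session ID 22222222-bbbb-4bbb-8bbb-222222222222 has been saved to the saml-session cookie.
2021-01-01 10:00:10.100 -05:00 [DBG] Receiving an SSO response from a partner identity provider.
2021-01-01 10:00:10.200 -05:00 [DBG] SAML session state (22222222-bbbb-4bbb-8bbb-222222222222):
SP state:
"""

def find_orphaned_responses(log_text):
    """Return [(session_id, outstanding_requests)] for responses that arrived
    under a session ID with no pending authn request."""
    pending = {}            # session ID -> request ID awaiting a response
    current = None          # session ID of the state dump being read
    awaiting_state = False  # set once a "Receiving an SSO response" line is seen
    findings = []
    for line in log_text.splitlines():
        state = STATE.search(line)
        if state and awaiting_state:
            # First state dump after a response: is this session known?
            awaiting_state, current = False, None
            sid = state.group(1)
            if sid in pending:
                del pending[sid]  # response matched the session that asked
            else:
                findings.append((sid, dict(pending)))
        elif state:
            current = state.group(1)
        elif current and (m := PENDING.match(line)):
            pending[current] = m.group(1)
        elif RECEIVING in line:
            awaiting_state = True
    return findings

if __name__ == "__main__":
    for sid, outstanding in find_orphaned_responses(LOG):
        print(f"response under {sid} has no pending request; outstanding: {outstanding}")
```

A finding whose outstanding list is non-empty matches the case in this thread: the request was sent under one saml-session value and the response came back without that cookie.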