Support Article
SAML Authentication uses previous session
SA-10511
Summary
When launching NBAA portals from SAML SSO methods, the first login is successful. If a second portal is launched using a different subscriber without closing the first browser session, the second portal is opened as the first subscriber rather than using the correct user agent. This is not reproduced if the first browser window is closed.
Error Messages
Not Applicable
Steps to Reproduce
1. Click the Siteminder JSP link for the First Subscriber Account.
2. Do not close the browser session.
3. Click the Siteminder JSP link for the Second Subscriber Account.
4. Note that it is focusing on the previous (first) account and not the second account.
Root Cause
A defect in the application code or rules
Required data is currently only sent in the SAMLResponse assertion attributes. This data is pulled out of the assertion attributes (such as a subscriber number) that are required for running the activity defined in the RelayState.
The first time, the IDP-initiated request runs authentication with PRPC running; hence, the Data-Admin-AuthService starting activity is running Code-Security.pySAMLWebSSOAuthenticationActivity. This is where the data maps the assertion attributes to the clipboard for later use.
The second time, the request is run using the same session; hence, the request is already authenticated and the assertion user service activity runs, but not the Data-Admin-AuthService starting activity.
Resolution
When an IDP-initiated request is used, a RelayState parameter is required. This parameter should contain a pyActivity parameter with a valid activity name and all parameters and values required by that activity to run correctly.
Published March 1, 2018 - Updated October 8, 2020
Have a question? Get answers now.
Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.