Windows SSO Portal realm IdP Initiated SAML failures

    Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
  • SecureAuth version affected: All

    When using a WindowsSSO portal realm, IdP initiated SAML realms occasionally fail with the following error

    System Error: We are unable to continue at this time. Please close your browser and try again.Error: at System.Threading.Thread.AbortInternal() at System.Threading.Thread.Abort(Object stateInfo) at System.Web.HttpResponse.AbortCurrentThread() at MFC.WebApp.SecureAuth.SAML20IdPInit.Page_Load(Object sender, EventArgs e)


    The portal realm by default sends users straight to the /Authorized/Saml20IdPInit.aspx page. This page requires a valid PostAuth token despite using WindowsSSO as the authentication method. 

    This works fine until you logout of a SAML realm and call our Logout.aspx page. At this point the PostAuth cookie it deleted so if you launch any IdP init SAML app after this, it will fail with the above error until you re-open the portal page to regenerate the cookie. 

    Alternatively, follow the workaround below

    You can workaround this issue by using the SPStartURL option on the post auth page of your IdPInit realm. 

    SPStartURL is typically used for SP init SAML. However, the presence of a SPStartURL means the Portal uses that address instead.  We can use this to hit the WindowsSSO begin site for the IdP Init realm which will recreate the Post Auth cookie for us. 
    1. Open the Web Admin Console.

    2. Navigate to the Post Auth tab of your IdP Initiated Realm.

    3. Set the SPStartURL to the address of the realm itself. Eg, if my realm is realm85, I'd set the SPStartURL to


    4. Hit Save

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products

    0 out of 0 found this helpful



    Please sign in to leave a comment.