Windows SSO Portal realm IdP Initiated SAML failures

Follow

SecureAuth version affected: All
Description:

When using a WindowsSSO portal realm, IdP initiated SAML realms occasionally fail with the following error

System Error: We are unable to continue at this time. Please close your browser and try again.Error: at System.Threading.Thread.AbortInternal() at System.Threading.Thread.Abort(Object stateInfo) at System.Web.HttpResponse.AbortCurrentThread() at MFC.WebApp.SecureAuth.SAML20IdPInit.Page_Load(Object sender, EventArgs e)

Cause:

The portal realm by default sends users straight to the /Authorized/Saml20IdPInit.aspx page. This page requires a valid PostAuth token despite using WindowsSSO as the authentication method. 

This works fine until you logout of a SAML realm and call our Logout.aspx page. At this point the PostAuth cookie it deleted so if you launch any IdP init SAML app after this, it will fail with the above error until you re-open the portal page to regenerate the cookie. 

Alternatively, follow the workaround below

Resolution:
You can workaround this issue by using the SPStartURL option on the post auth page of your IdPInit realm. 

SPStartURL is typically used for SP init SAML. However, the presence of a SPStartURL means the Portal uses that address instead.  We can use this to hit the WindowsSSO begin site for the IdP Init realm which will recreate the Post Auth cookie for us. 
Eg.
1. Open the Web Admin Console.

2. Navigate to the Post Auth tab of your IdP Initiated Realm.

3. Set the SPStartURL to the address of the realm itself. Eg, if my realm is realm85, I'd set the SPStartURL to

https://awood05vm.sasp.local/secureauth85



4. Hit Save

SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products

0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.