Transparent SSO (TSSO) fails with 'The login request is no longer valid' error

    Applies to:
  • SecureAuth Identity Platform
    Deployment model:
  • Cloud
  • Hybrid
  • On Premises
    Version Affected: 26.1.2
     

    Description:  
    After upgrading to 26.1.2, Transparent SSO (TSSO) Realms can immediately fail authentication with the error 'The login request is no longer valid'.

    Selecting 'Please click here to use an alternate verification method' allows an MFA option to be selected, and the flow then continues through to a successful authentication into the TSSO Realm.
     

    Cause:  
    Identity Platform 26.1.2 introduces Session Validation.
    Session Validation checks for a valid session and then carries out automatic authentication to TSSO Realms, or one of a number of other options, based on Policy Settings - https://docs.secureauth.com/2600/en/policy-configuration---authentication-rules.html

    If the Session Validation process finds that a new MFA prompt is to be presented as part of the TSSO flow, it can sometimes fail if 'Auto-Submit' is enabled within the Policy Settings (any option other than 'None' enables Auto-Submit).



    This only happens with MFA methods that require action from Identity Platform (PUSH, OTP to SMS, Link to SMS, OTP to Email, Link to Email, etc.).
    MFA methods that do not require action from Identity Platform, such as TOTP, continue to work as expected.
     

    Resolution:  
    The fix has been implemented in 26.1.3, allowing all Auto-Submit and MFA options to be used as expected.

    As a workaround, until an upgrade to 26.1.3 can be carried out, selecting 'None' as the preferred Auto-Submit Method will stop the errors from occurring. It will also present the end user with an MFA selection screen if an MFA prompt is required, causing a slightly higher level of 'friction' during the login process for TSSO Realms.

     

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
