0

The multi tenant SAML application I'm working on uses spring-security-saml and contains two service providers and one IDP (Active Directory Federation Services). The developer who worked SSO into this application chose to make it multi tenant because it is a dual-purpose application with two different interfaces - essentially two applications in one. It is designed to be used in a browser with two tabs open, so one interface runs in the first tab and the other interface runs in the second tab. Everything seems to be working properly with the exception of one particular workflow:

  1. Open a browser, navigate to the ADFS sign in page, and sign in to the application with the first service provider
  2. Open another tab, navigate to the ADFS sign in page, and choose the second service provider
  3. Perform a Global Logout

The log file contains errors like this:

Message a598hd6ff68479a44c3495f7h4216aa not found in session 11cfm6ja982te14dxxul71iufg Received logout response is invalid InResponseToField in LogoutResponse doesn't correspond to sent message a598hd6ff68479a44c3495f7h4216aa

I suspect that this is related to the fact that the same JSESSIONID cookie is being shared between tabs, so when one SP logs out it terminates the associated session. Then when the other SP tries to log out with the same session it fails because the session is gone. Can someone please help me solve this problem?

Brian Crosen
  • 33
  • 7

1 Answers1

1

I was finally able to make this work correctly by setting invalidateHttpSession to false in the SecurityContextLogoutHandler bean. Now, when the first service provider logs out, the authentication still gets cleared, but the session remains alive. Then when the second service provider logs out, it finds the session and logs out successfully. This should be okay, as Jetty by default will timeout the session after 30 minutes of inactivity. Here is the bean I changed:

// Logout handler terminating local session @Bean public SecurityContextLogoutHandler logoutHandler() { SecurityContextLogoutHandler logoutHandler = new SecurityContextLogoutHandler(); logoutHandler.setInvalidateHttpSession(false); logoutHandler.setClearAuthentication(true); return logoutHandler; }

Brian Crosen
  • 33
  • 7