Bug #34

SSO pipeline doesn't reset the session when a new AuthnRequest comes in

Added by S M 3034 days ago.

Status: New
Start: 07/29/2009
Priority: Normal
Due date:
Assigned to: S M
% Done: 0%
Category: ESOE Core
Spent time: -
Target version: 0.9.6

Description

1. hit site A, sent with AuthnRequest to ESOE
2. don't authenticate
3. hit site B, sent with AuthnRequest to ESOE
4. authenticate
5. ESOE sends you back to site A with an assertion

The problem is that the session is still at the "session validate" step of SSO processing, and isn't reset because the SSO stuff is binding agnostic and doesn't know/care about the format of the inbound request - so instead of detecting the new SSO event, it just tries to continue from where it was.
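The five steps above, replayed against a toy session model, as an added example that is not ESOE code. Every class, field and function name is hypothetical, and the fixed variant assumes the binding layer can hand the pipeline the ID of the inbound AuthnRequest.

```python
# Toy model of the SSO pipeline state described in this report.
# Not ESOE code: all names and the request IDs are constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthnRequest:
    request_id: str
    issuer: str  # the site that sent the user to the identity provider


@dataclass
class SSOSession:
    step: str = "start"
    pending: Optional[AuthnRequest] = None


def receive_buggy(session: SSOSession, request: AuthnRequest) -> None:
    """Binding-agnostic pipeline: never checks whether the request is new."""
    if session.step == "start":
        session.pending, session.step = request, "session_validate"
    # Otherwise it resumes from the stored step with the stored request.


def receive_fixed(session: SSOSession, request: AuthnRequest) -> None:
    """Restart the pipeline when the inbound request differs from the pending one."""
    if session.pending is None or session.pending.request_id != request.request_id:
        session.pending, session.step = request, "session_validate"


def authenticate(session: SSOSession) -> str:
    """Finish login; return the issuer that the assertion is delivered to."""
    if session.pending is None:
        raise RuntimeError("no AuthnRequest pending for this session")
    issuer = session.pending.issuer
    session.step, session.pending = "start", None
    return issuer


def replay(receive) -> str:
    """Run steps 1-5 from the description and report who gets the assertion."""
    session = SSOSession()
    receive(session, AuthnRequest("_a1", "site-A"))  # 1. hit site A
    # 2. the user does not authenticate
    receive(session, AuthnRequest("_b1", "site-B"))  # 3. hit site B
    return authenticate(session)                     # 4-5. authenticate
```

`replay(receive_buggy)` delivers the assertion to site A, matching step 5 of the report, while `replay(receive_fixed)` delivers it to site B, the site the user was actually visiting when they logged in.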
