Question about Unsolicited SSO and "idp.session.enabled = false"

Peter Smith Peter.Smith at
Tue Mar 6 11:22:10 EST 2018

Is it possible to have an IDP set to disable the IdP session layer but yet have (only) Unsolicited SSO respect previous established sessions?

We've disabled the IdP session layer for security reasons and have an application which creates Unsolicited SSO URLs--opening each URL in a browser (or application) requires a new session / login regardless of any previous session / login or access.  Is there any way around this?

It may be that the only way around this is to force the application vendor SP to support handling the sessions and abandon Unsolicited SSO (apparently something they don't support currently.)



UT Southwestern

Medical Center

The future of medicine, today.

More information about the users mailing list