cantor.2 at osu.edu
Mon Nov 2 20:41:37 UTC 2020
On 11/2/20, 3:20 PM, "Steve Herrera" <sherrera at fsmail.bradley.edu> wrote:
> I requested an account with the SP and that just now has been created. It is giving me the same errors. Works fine on
> the initial login, then I logout and paste the exact url into my browser and get the same result of Stale Request.
That sounds like a cookie issue of some kind, which doesn't fit an IdP-initiated request, since those are a GET. If you're doing something wacky and it's a POST from an SP that's issuing "requests" by hardwiring in IdP-initiated URLs, then that could perhaps be a SameSite issue.
JSESSIONID has to be resetting in between the initial request and the advancement of the flow. Tracing will probably reveal it failing to respond with the cookie and resetting JSESSIONID, triggering a flow restoration exception and that's probably what leads to the stale request.
Nothing you described fits any known pattern of behavior I know of, but whatever's happening isn't "just" that. Once it's proven JSESSIONID is floating and not stable, an eventual cause of that might be more evident.
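
Added example, not part of the original message or of the Shibboleth code base: one way to check a captured browser trace for the floating JSESSIONID described above. The trace tuple format, the sample cookie values and the function name are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample trace, one tuple per HTTP exchange with the IdP:
# (method, cross_site, Cookie request header, Set-Cookie response header)
TRACE = [
    ("GET", False, "", "JSESSIONID=AAA111; Path=/idp; Secure; HttpOnly"),
    ("POST", True, "", "JSESSIONID=BBB222; Path=/idp; Secure; HttpOnly"),
    ("GET", False, "JSESSIONID=BBB222", ""),
]


def find_session_resets(trace):
    """Return (index, old_id, new_id, reason) for every exchange where the
    server issued a JSESSIONID different from the one it issued earlier."""
    findings = []
    current = None  # (value, samesite attribute) of the last cookie issued
    for i, (method, cross_site, cookie_hdr, set_cookie_hdr) in enumerate(trace):
        sent = SimpleCookie(cookie_hdr).get("JSESSIONID")
        sent_val = sent.value if sent else None
        issued = SimpleCookie(set_cookie_hdr).get("JSESSIONID")

        if current and issued and issued.value != current[0]:
            if sent_val != current[0]:
                reason = "cookie not returned by browser"
            else:
                reason = "server reissued despite valid cookie"
            # A cross-site POST is the case where a cookie that was not
            # issued with SameSite=None may be withheld by the browser.
            if (sent_val is None and cross_site and method == "POST"
                    and current[1].lower() != "none"):
                reason += " (possible SameSite: cross-site POST)"
            findings.append((i, current[0], issued.value, reason))

        if issued:
            current = (issued.value, issued["samesite"])
    return findings


if __name__ == "__main__":
    for idx, old, new, why in find_session_resets(TRACE):
        print(f"exchange {idx}: JSESSIONID {old} -> {new}: {why}")
```

An empty result means the session cookie stayed stable across the flow, so the cause lies elsewhere.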