SAML Proxy to Azure: odd IdP session timeout behavior

Cantor, Scott cantor.2 at
Wed Jun 23 20:00:01 UTC 2021

On 6/23/21, 3:43 PM, "Cantor, Scott" <cantor.2 at> wrote:

> But I'm hoping the particulars should at least be guardable in some way that might allow it to be flagged more
> explicitly in the code until the root cause is figured out.

In this vein, I know where it's happening (not why) and I can probably imagine a fix that masks it, but possibly not a wise fix if it's not clear why it happened. Will take a bug report and more consideration to decide.

What it's doing is definitely routing through the step that bounces outside the flow into the "controller" servlet that encodes the AuthnRequest for transmission to Azure twice. We use the servlet because SAML/OIDC/other SSO protocols that need a fixed return URL can't live with the flow's "constantly changing parameter" that's stuck on the end of the normal URLs. So there's a part of the implementation that lives in a servlet. The handoff to it is happening twice in the same surrounding conversation.

Is there any chance that the round trip to Azure could happen twice in a single IdP request? Like maybe some weird MFA logic that's dispatching to the SAML flow twice in a sequence? That isn't really "not allowed" but I don't know if the code handles it either.

-- Scott
