- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 5.5.1, 6.0.0, 6.5.0, 7.0.0
- Component/s: SAML
- Target Version/s:
- Epic Link:
- Needs backport: Yes
- Verified Version/s:
Bug description
When SAML performs a crosstalk for an SSO or an SLO request, it attempts to replay the Accept-Language header. However, the code does not seem to handle the case where the header is missing from the request. This results in a failed crosstalk request, and can potentially result in the infamous "IDP session is NULL" error message.
How to reproduce the issue
- Set up 2 hosted IdPs in a site, and 2 separate SPs
- Perform SP-initiated SSO with the first SP
- Perform SP-initiated SSO with the second SP, but make sure that the request hits a different IdP instance than the previous step did (use amlbcookie-based LB routing, and change the amlbcookie value in the browser for the LB's domain)
Expected behaviour
Authentication should succeed, because AM performs a crosstalk request to the IdP instance that handled the first request.
Current behaviour
SAML SSO fails with the "IDP session is NULL" error message.
Work around
Enable SAML2 failover.
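
The header-replay failure from the bug description, shown as an added example that is not AM's own code: it uses the JDK's java.net.http client as a stand-in for the crosstalk request, and the class name, method names, peer URL and sample headers are all constructed for illustration. The unguarded method forwards whatever the header lookup returned, so a request without Accept-Language fails while the outgoing request is being built; the guarded method skips the header when it is absent.

```java
import java.net.URI;
import java.net.http.HttpRequest;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

public class CrosstalkHeaderReplay {
    // Assumption: the only replayed header is the one named in the report.
    static final List<String> REPLAYED = List.of("Accept-Language");

    // Unguarded replay: forwards the lookup result even when the header is absent.
    static HttpRequest buildUnguarded(URI peer, Map<String, String> incoming) {
        HttpRequest.Builder builder = HttpRequest.newBuilder(peer);
        for (String name : REPLAYED) {
            builder.header(name, incoming.get(name)); // a null value is rejected by the builder
        }
        return builder.build();
    }

    // Guarded replay: an absent or blank header is simply not copied.
    static HttpRequest buildGuarded(URI peer, Map<String, String> incoming) {
        HttpRequest.Builder builder = HttpRequest.newBuilder(peer);
        for (String name : REPLAYED) {
            String value = incoming.get(name);
            if (value != null && !value.isBlank()) {
                builder.header(name, value);
            }
        }
        return builder.build();
    }

    public static void main(String[] args) {
        URI peer = URI.create("https://idp1.example.com/crosstalk"); // placeholder URL
        // Constructed incoming requests; header names compare case-insensitively.
        Map<String, String> browser = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        browser.put("accept-language", "en-GB,en;q=0.8");
        Map<String, String> noLanguage = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        noLanguage.put("User-Agent", "constructed-client/1.0");

        System.out.println(buildGuarded(peer, browser).headers().map());
        System.out.println(buildGuarded(peer, noLanguage).headers().map());
        try {
            buildUnguarded(peer, noLanguage);
        } catch (RuntimeException e) {
            System.out.println("unguarded replay failed: " + e);
        }
    }
}
```

A regression test for the fix would cover the same two inputs: one request carrying Accept-Language and one without it, both expected to produce a successful crosstalk request.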