When SAML performs a crosstalk for an SSO or an SLO request, it attempts to replay the Accept-Language header; however, the code does not seem to handle the case where the header is missing from the request. This results in a failed crosstalk request, and can potentially result in the infamous "IDP session is NULL" error message.
- Set up 2 hosted IdPs in a site, and 2 separate SPs
- Perform SP-initiated SSO with the first SP
- Perform SP-initiated SSO with the second SP, but make sure that the request hits a different IdP instance than the previous step did (use amlbcookie-based LB routing, and change the amlbcookie value in the browser for the LB's domain)
Authentication should succeed, because AM performs a crosstalk request to the first request.
SAML SSO fails with the "IDP session is NULL" error message.
Enable SAML2 failover.