Imagine the following scenario:
- user submits a SAML AuthnRequest to server1; the iPDP cookie is empty, but the AMAuthCookie has a value (i.e. an authentication session already exists, for example because the login screen was opened previously)
- the AMAuthCookie points to server2, hence the LoginServlet forwards the request to server1. The authentication succeeds, but afterwards server1 tries to resolve the SAML request, which was initially sent to server2, so it results in the "Unable to get AuthnRequest" error.
A similar approach to OPENAM-1858 needs to be considered, i.e. the AMAuthCookie from the request parameter should have precedence over the cookie value, thereby preventing the unwanted request proxying.
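The routing decision behind this ticket, as an added model rather than OpenAM's own code: each node caches the AuthnRequests it received in memory (an assumption of this model), the cookie points at the node holding the authentication session, and the request parameter carries the node that actually received the AuthnRequest (also an assumption; the names `Server`, `choose_server`, `run_scenario`, the request id `_req123` and the two server names are constructed for illustration). Running the scenario with cookie precedence reproduces the lookup failure; giving the parameter precedence keeps the request on the node that holds it.

```python
"""Model of the LoginServlet forwarding decision described above.

Constructed illustration, not OpenAM code: server names, cookie handling
and the cache are simplified stand-ins.
"""
from dataclasses import dataclass, field

UNABLE_TO_GET_AUTHNREQUEST = "Unable to get AuthnRequest"


@dataclass
class Server:
    name: str
    # Assumption: SAML AuthnRequests are cached only on the node that
    # received them, so another node cannot resolve them.
    authn_requests: dict = field(default_factory=dict)

    def resolve_authn_request(self, request_id: str) -> str:
        if request_id not in self.authn_requests:
            return UNABLE_TO_GET_AUTHNREQUEST
        return "ok"


def choose_server(cookie_value, param_value, param_has_precedence: bool):
    """Return the server name the LoginServlet would forward to.

    cookie_value: AMAuthCookie taken from the Cookie header (may be empty)
    param_value:  AMAuthCookie passed as a request parameter (may be empty)
    param_has_precedence: True models the OPENAM-1858-style fix where the
    request parameter wins over the cookie.
    """
    if param_has_precedence and param_value:
        return param_value
    if cookie_value:
        return cookie_value
    return param_value


def run_scenario(param_has_precedence: bool):
    """Replay the scenario; returns (chosen server, resolution result)."""
    servers = {"server1": Server("server1"), "server2": Server("server2")}
    # Constructed: the AuthnRequest arrives at server1 and is cached there.
    servers["server1"].authn_requests["_req123"] = {"issuer": "example-sp"}
    # Constructed: an existing auth session on server2 (login page opened
    # earlier), so the AMAuthCookie points at server2.
    cookie = "server2"
    # Assumption: the request parameter names the node that received the
    # AuthnRequest.
    param = "server1"
    target = choose_server(cookie, param, param_has_precedence)
    return target, servers[target].resolve_authn_request("_req123")


if __name__ == "__main__":
    print("cookie precedence:   ", run_scenario(False))
    print("parameter precedence:", run_scenario(True))
```

With cookie precedence the request is proxied to the node that holds the session but not the AuthnRequest, which is exactly the failure described; with parameter precedence the authentication stays on the node that cached the request and resolution succeeds.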