Forum Discussion
SAML and Access Policy Already in Session Not Being Caught
We are having a problem with SAML authentication and users starting a second session before they complete the first. When not using SAML, this is caught and the Access Policy is already in Session error message is displayed to the user. But when using SAML, we are not seeing the same recognition of the user already having a session.
We are using F5 for both the SP and the IdP, so that might be complicating the matter, since sessions and the associated cookies are created on both instances. As a workaround, I've tried to catch the second request coming back to see if it has a session cookie and then check the state of that cookie to try to recreate the already-in-session check, but I could never get it to work, and I would much prefer that this be handled by F5 by default.
Has anyone else seen this condition? I want to see if it is a limitation of the SAML implementation on F5 or if I have something misconfigured in my SAML setup that might be causing this to happen. The key parts of the SAML setup work just fine, but I cannot seem to get a handle on this one condition.
I've recreated this in a number of different versions up to 11.5.1.
Thanks for any leads.
2 Replies
- kunjan
Nimbostratus
Possibly you can set a session variable in an iRule ACCESSION_STARTED and check this on HTTP_REQUEST before allowing a session. Might need to disable the APM iRule events to do this checking.
- Rabbit23_116296
Nimbostratus
Did you ever resolve this?