SSO profile handlers don't check for missing session
Description
The SSO profile handlers rely on the IdP Session to populate the request context with the principal name to use for attribute resolution and so forth. If that session lookup comes back null, I think the handlers are issuing "null" identity assertions instead of failing.
Still not sure what "fail" should mean here, but certainly either a local error or a SAML failure status.
Environment
None
Activity
Scott Cantor
February 18, 2013 at 3:15 PM
Changed code to use IdP error handler in r3136.
Passing this on to the SP seems pointless; at least the IdP deployer can check for and handle this cookie problem with some local support information. I was able to confirm that this is what's causing the empty principal behavior.
Scott Cantor
January 23, 2013 at 11:06 PM
Rev 3130, added a check for the session at the tail end, before proceeding to issue a response. For now I'm throwing a profile exception so it returns to the SP with an error. I'm going to deploy this here and see what happens.
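The guard this issue asks for, as an added example that is not the Shibboleth IdP code from r3130 or r3136: the handler refuses to build an assertion when the session lookup returns null and raises a local IdP error instead. All class, method and cookie names here are hypothetical, and the session store is constructed sample data.

```java
import java.util.Map;

// Added illustration; every type and name below is hypothetical, not a Shibboleth IdP class.
public class SsoSessionGuard {

    /** Minimal stand-in for an IdP session record. */
    record Session(String principalName) {}

    /** Raised for conditions the IdP handles locally instead of answering the SP. */
    static class LocalIdpError extends RuntimeException {
        LocalIdpError(String message) { super(message); }
    }

    // Constructed sample session store keyed by session cookie value.
    static final Map<String, Session> SESSIONS = Map.of("cookie-abc", new Session("jdoe"));

    /** Returns null when the cookie is absent or matches no session. */
    static Session lookupSession(String cookie) {
        return cookie == null ? null : SESSIONS.get(cookie);
    }

    /** Runs at the tail end of the handler, just before a response is built. */
    static String issueAssertion(String cookie) {
        Session session = lookupSession(cookie);
        // Fail closed: no session or no principal means no assertion at all.
        if (session == null || session.principalName() == null
                || session.principalName().isBlank()) {
            throw new LocalIdpError("No IdP session for this request; "
                    + "check that the browser returned the session cookie");
        }
        return "Assertion[subject=" + session.principalName() + "]";
    }

    public static void main(String[] args) {
        System.out.println(issueAssertion("cookie-abc"));
        for (String cookie : new String[] {null, "cookie-stale"}) {
            try {
                issueAssertion(cookie);
            } catch (LocalIdpError e) {
                // A deployment would forward to its local error page here.
                System.out.println("local error: " + e.getMessage());
            }
        }
    }
}
```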