We have several federated access SPs using SAML 2.0 that work well;
however, there's one use case that's causing issues we'd like to sort.

When a browser session is open and federated access has been established
with one SP, if another tab is opened and a separate SP federated session
is attempted, an error will occur saying a specific attribute cannot be
null. If the browser is closed and opened again, the session will launch
with no problem.

We think this is happening because each SP config has its own
Attribute Set: once a session has been established, if we try to
launch a separate one and the attribute is not available, it errors,
as it appears that the LDAP store is not queried if there is
already an attribute set being used for an existing session.

So I'd like to know if there is a best-practice approach to this
scenario. I've looked at implementing a Roles/Brokering model allowing
multiple SPs per role, in the hope that this would result in multiple
attribute sets being available, but this has had no effect. Also, we are
not using AGs, so any design around auth policies won't work, although if
this is the only option I'd be happy to put it forward. One option is to
create a superset of attributes and call that; however, in the case that
the remote attributes are different for different SPs, this would fail.

Any advice appreciated.
ddnicholls's Profile: https://forums.netiq.com/member.php?userid=5644
View this thread: https://forums.netiq.com/showthread.php?t=55089