Symptom:
A user attempts two single sign-on transactions in the same browser session. The transactions are from the same asserting party to different relying parties. The first transaction is successful but the second transaction results in an authorization failure at the asserting party. The failure occurs because the two partnerships are configured to use different asserting party user directories.
When Federation Manager initiates a single sign-on transaction at the asserting party, it places a session cookie in the browser. This session cookie contains information about the user ID and the asserting party user directory. Only one Federation Manager session cookie can exist in the browser at a time.
When a user attempts a second transaction in the same browser session as the first transaction, the session cookie for the first transaction remains in the browser. However, this session cookie carries the user ID and asserting party user directory information for the first partnership, not the second, so the authorization operation fails.
Solution:
Use the same browser session for different single sign-on transactions only if the asserting party user directory for each partnership is the same.
If different asserting party user directories are configured for each partnership, close the first browser session and start a new browser session to attempt the second transaction.
Copyright © 2010 CA. All rights reserved.