Entra Token Issue

I am having an issue with our SAML Enterprise Connection.

In our application, if the user isn’t authenticated to the application, they are directed out to the Universal Login Page. This works without issue.

Then, say the user enters mytestuser@x.onmicrosoft.com, since @x.onmicrosoft.com is configured in my Enterprise Connection, the user is redirected out to Microsoft Entra to log in.

HOWEVER, if a completely different user is already authenticated in Entra on that machine, Entra is automatically responding with a SAML token for the wrong user.

Has anyone else experienced a similar issue and if so, how do you resolve this?

Hi @jharris

Thank you for reaching out to us!

In the scenario that you mentioned, the IdP ( Entra in this case ) is called to authenticate a user, but as it already has a different user with an active session, it will assume that the same user is trying to authenticate and will use the current session to try and grant the access. As you’ve mentioned, this will not work in the case of multiple users if a session is still active and one user remains authenticated on the machine; they will first need to be logged out at the IdP level to allow another user to create a session.

I recommend looking over our documentation on how to Log Users Out of SAML Identity Providers using Single Logout ( SLO ), but also the following blog post on Best Practices for Application Session Management.

Hope this helped!
Gerald
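To illustrate the mechanism Gerald describes, here is an added Python example (written for this page; it is not Auth0's, Microsoft's or the poster's code). SAML 2.0 defines a `ForceAuthn="true"` attribute on the AuthnRequest (SAML Core 3.4.1) that tells the IdP to re-prompt for credentials even when a session already exists, and Entra honors it; whether it can be set on an Auth0 Enterprise Connection depends on that connection's configuration, since Auth0 issues the AuthnRequest in this flow. The SP entity ID, ACS URL and tenant ID are hypothetical placeholders, the sample Response is constructed and unsigned, and signature validation is deliberately out of scope here. The second half shows the SP-side check that catches the thread's failure mode: comparing the asserted NameID with the address the user typed.

```python
"""Added example: a SAML 2.0 AuthnRequest with ForceAuthn, the HTTP-Redirect
binding encoding, and an SP-side check that the asserted NameID is the user
who typed the address. Endpoints and tenant ID are hypothetical placeholders."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Hypothetical SP and IdP endpoints, assumed for this example (not from the thread).
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"


def build_authn_request(force_authn: bool, request_id: Optional[str] = None,
                        issue_instant: Optional[str] = None) -> str:
    """Return an AuthnRequest. With force_authn=True the IdP must prompt for
    credentials even if another user already holds a session (SAML Core 3.4.1)."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    force_attr = ' ForceAuthn="true"' if force_authn else ""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"{force_attr}>'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def authn_request_forces_authn(authn_request_xml: str) -> bool:
    """True when the request carries ForceAuthn="true" on its root element."""
    return ET.fromstring(authn_request_xml).get("ForceAuthn") == "true"


def redirect_binding_params(authn_request_xml: str, relay_state: Optional[str] = None) -> dict:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return params


def redirect_url(params: dict) -> str:
    """Full IdP redirect URL for the browser."""
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_saml_request(saml_request_param: str) -> str:
    """Inverse of the redirect binding; useful for inspecting what the SP sent."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode("utf-8")


def assertion_name_id(response_xml: str) -> str:
    """Extract the asserted NameID. Real code validates the XML signature,
    Conditions and InResponseTo before trusting any of this."""
    root = ET.fromstring(response_xml)
    node = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("SAML Response carries no NameID")
    return node.text.strip()


def response_matches_login_hint(response_xml: str, entered_identifier: str) -> bool:
    """Shared-machine check: does the asserted user match the address the user typed?
    A mismatch means the IdP answered from another user's existing session."""
    return assertion_name_id(response_xml).casefold() == entered_identifier.strip().casefold()


# Constructed, unsigned sample standing in for the response the thread describes:
# the IdP reused the first user's session after the second user typed their address.
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1" Version="2.0" '
    f'IssueInstant="2024-01-01T00:00:00Z" Destination="{SP_ACS_URL}">'
    "<saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>"
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    "<saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>"
    '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    "firstuser@x.onmicrosoft.com</saml:NameID></saml:Subject>"
    "</saml:Assertion></samlp:Response>"
)

if __name__ == "__main__":
    req = build_authn_request(force_authn=True)
    print(redirect_url(redirect_binding_params(req, relay_state="/dashboard")))
    print(response_matches_login_hint(SAMPLE_RESPONSE, "mytestuser@x.onmicrosoft.com"))  # False
```

`ForceAuthn` prevents the wrong-user token from being issued in the first place; the NameID comparison is the defence-in-depth check an SP can run on whatever comes back, rejecting the assertion and re-issuing the request with `ForceAuthn` when the identities differ.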

@gerald.czifra , wouldn’t the SLO need to be triggered before the user logs into the application? In the scenario I mentioned above, on a shared machine, a user logs into Entra and checks their email. Then a second user opens up the computer and launches our application. They enter their email address but are automatically logged in as the first user because that account was never logged out of Entra. We are using the federated log out as a user logs out of our system and that works just fine, the real issue is occurring before the user ever logs in.