Hi,
We have a load balanced environment (NetScaler). When a user hits a page, the load balancer sends the request to a particular box with sticky sessions by IP, which starts the SSO process using InitSAMLAuthRequest. Our IdP, https://login.microsoftonline.com/, then posts back, but since https://login.microsoftonline.com/ does not have the same IP as the user, the load balancer sometimes sends the response to a box that did NOT initiate the request and we get an error: "Possible replay attack occurred as there is no login/logout information associated with this request."
I can catch the error, but there is not much else that I can do, because now the load balancer will keep the user on box 1 and https://login.microsoftonline.com/ on box 2, so there is no way to redirect to another server.
Any ideas?
Thanks,
Gabriel
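The failure Gabriel describes, as an added illustration that is not part of this thread and not ColdFusion's own code: a small Python model of a service provider whose pending AuthnRequest IDs live only on the node that issued them, behind a balancer that routes by source IP. Node names, IP addresses and the RelayState value are constructed; the model does not say how the IdP's POST reaches the balancer, only that it arrives from an address that routes to another node, which is the situation in the post. It goes one step beyond the post by also showing a pending table shared by all nodes, which correlates the response on whichever node receives it while still refusing a second presentation of the same response.

```python
"""
Model of SP-initiated SAML login behind an IP-sticky load balancer.
The SP remembers each AuthnRequest ID it issues (what InitSAMLAuthRequest does)
and matches InResponseTo against it; if the response lands on a node that never
saw the request, the SP has to treat it as a possible replay.
"""
import hashlib
import uuid


class PossibleReplay(Exception):
    """Raised when a SAMLResponse cannot be matched to a pending AuthnRequest."""


class SPNode:
    """One application server behind the load balancer (hypothetical model)."""

    def __init__(self, name, pending=None):
        self.name = name
        # Pending AuthnRequest ID -> RelayState. A node-local dict models the
        # post's setup; passing one dict to every node models a shared store.
        self.pending = {} if pending is None else pending

    def init_saml_auth_request(self, relay_state):
        """Issue an AuthnRequest ID and remember it until the IdP answers."""
        request_id = "_" + uuid.uuid4().hex  # SAML IDs are NCNames: no leading digit
        self.pending[request_id] = relay_state
        return request_id

    def process_saml_response(self, in_response_to):
        """Correlate InResponseTo with a pending request and consume it (single use)."""
        relay_state = self.pending.pop(in_response_to, None)
        if relay_state is None:
            raise PossibleReplay(f"{self.name}: no login information for {in_response_to}")
        return relay_state


class IpStickyLoadBalancer:
    """Routes every request by a hash of its source IP (sticky sessions by IP)."""

    def __init__(self, nodes):
        self.nodes = nodes

    def route(self, source_ip):
        digest = hashlib.sha256(source_ip.encode()).digest()
        return self.nodes[int.from_bytes(digest, "big") % len(self.nodes)]


def two_ips_on_different_nodes(lb):
    """Pick two constructed source IPs that the balancer sends to different nodes."""
    first = "203.0.113.10"
    node = lb.route(first)
    for last in range(1, 255):
        other = f"198.51.100.{last}"
        if lb.route(other) is not node:
            return first, other
    raise RuntimeError("balancer has a single node")


def node_local_outcome():
    """Post's setup: each node keeps its own pending table."""
    lb = IpStickyLoadBalancer([SPNode("box1"), SPNode("box2")])
    browser_ip, response_ip = two_ips_on_different_nodes(lb)
    request_id = lb.route(browser_ip).init_saml_auth_request("/secure/start")
    try:
        lb.route(response_ip).process_saml_response(request_id)
        return "accepted"
    except PossibleReplay:
        return "possible replay"


def shared_store_outcome():
    """Same routing, but both nodes read and write one shared pending table."""
    shared = {}
    lb = IpStickyLoadBalancer([SPNode("box1", shared), SPNode("box2", shared)])
    browser_ip, response_ip = two_ips_on_different_nodes(lb)
    request_id = lb.route(browser_ip).init_saml_auth_request("/secure/start")
    relay_state = lb.route(response_ip).process_saml_response(request_id)
    # Presenting the same response again must still be refused: the shared
    # store fixes cross-node correlation without weakening replay detection.
    try:
        lb.route(response_ip).process_saml_response(request_id)
        replayed = "accepted"
    except PossibleReplay:
        replayed = "possible replay"
    return relay_state, replayed


if __name__ == "__main__":
    print("node-local store:", node_local_outcome())
    print("shared store:", shared_store_outcome())
```

Running the module prints "possible replay" for the node-local case and a successful correlation followed by a refused second presentation for the shared case; the point is that the replay check itself is correct, it is the location of the pending-request table that has to match the balancer's routing.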
We have a load balanced environment (netscaler). When a user hits a page the load balancer sends the request to a particular box with sticky sessions by IP which starts the SSO process using InitSAMLAuthRequest. Our IDP https://login.microsoftonline.com/ then posts back ...
By @gabrieldavis321
That description confuses me. That is because I expected the load balancer to have the job of authenticating the user.
That would not be my expectation, based on the load balancers I've worked with. Although today, who knows! But the load balancers I've worked with are pretty simple HTTP reverse proxies and can't really do anything like SSO authentication. I would be very interested in hearing about load balancers that can do this.
Dave Watts, Eidolon LLC
I know what you mean, @Dave Watts. I did look up NetScaler, hence my answer earlier.
Thanks for the information!
Dave Watts, Eidolon LLC