• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

load balancing breaks SSO

Explorer ,
Dec 14, 2022 Dec 14, 2022

Copy link to clipboard

Copied

Hi,

We have a load balanced environment (netscaler).  When a user hits a page the load balancer sends the request to a particular box with sticky sessions by IP which starts the SSO process using InitSAMLAuthRequest.  Our IDP https://login.microsoftonline.com/  then posts back but since https://login.microsoftonline.com/  does not have the same as IP as the user, the load balancer sometimes sends the response to a box that did NOT initiate the request and we get an error: Possible replay attack occurred as there is no login/logout information associated with this request.

I can catch the error but there is not much else that I can do because now the load balancer will keep the user on box 1 and https://login.microsoftonline.com/ on box 2 so no way to redirect to another server.

 

Any ideas?

Thanks,

Gabriel

 

Views

281

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Dec 18, 2022 Dec 18, 2022

Copy link to clipboard

Copied

quote

We have a load balanced environment (netscaler).  When a user hits a page the load balancer sends the request to a particular box with sticky sessions by IP which starts the SSO process using InitSAMLAuthRequest.  Our IDP https://login.microsoftonline.com/  then posts back ...

 


By @gabrieldavis321

 

That description confuses me. That is because I expected the load balancer to have the job of authenticating the user.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Dec 18, 2022 Dec 18, 2022

Copy link to clipboard

Copied

That would not be my expectation, based on the load balancers I've worked with. Although today, who knows! But the load balancers I've worked with are pretty simple HTTP reverse proxies and can't really do anything like SSO authentication. I would be very interested in hearing about load balancers that can do this.

 

Dave Watts, Eidolon LLC 

Dave Watts, Eidolon LLC

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Dec 19, 2022 Dec 19, 2022

Copy link to clipboard

Copied

I know what you mean, @Dave Watts . I did look up Netscaler, hence my answer earlier.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Dec 19, 2022 Dec 19, 2022

Copy link to clipboard

Copied

LATEST

Thanks for the information!

 

Dave Watts, Eidolon LLC 

Dave Watts, Eidolon LLC

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation