ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

SAML2 Request Contains Too Many SERVERSESSIONID Headers


Article ID: 142862


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) SITEMINDER


We have 4 machines running SiteMinder Policy Server 12.8.2 and 2 machines running Access Gateway 12.8.2. 


The configuration between the Access Gateway machines is consistent. We see an issue that affects only one of the Access Gateways. In the affwebsrv.log we see this:

[isSessionIdle][ERROR][sm-FedClient-01570] SAML2 Request contains too many SERVERSESSIONID headers.  Session is considered invalid and user must relogin. Service encounters the following error while processing request: {1}.


In the FWSTrace.log we see this:

[][getSessionData][session cookie name: SMSESSION]

[][isValidSession][Found SESSION cookie: SMSESSION]

[][isSessionIdle][Verifying validity of session cookie [SMSESSION] retrieved]

[][isSessionIdle][returning true]

[][isValidSession][Session is Idle]


The result is that the client keeps getting redirected to the authentication URL until the browser displays error ERR_TOO_MANY_REDIRECTS.



The SERVERSESSIONID header was missing.  This was due to inconsistent ACO settings (setting 'DisableSessionVars=yes' in any of the ACOs can cause this)


Release : All



Make sure ACO settings in the SSO environment are consistent and result in the SERVERSESSIONID being set when the user attempts to access a federated application.