WSS setup with SAML authentication
Problem occurs independently of IP-based or cookie-based surrogate configuration
Microsoft ADFS server acting as SAML Identity Provider
When users access a Web site via WSS, the client is redirected by WSS to the IDP server, where authentication completes and SSO to WSS succeeds. If the same user instead tries the IDP-initiated approach, i.e. opens the following URL on the ADFS server - /adfs/ls/idpinitiatedsignon.htm - and selects the WSS SAML SP, the following error message is rendered in the browser:
WSS mandates that users log in using the SP-initiated approach; the IDP-initiated approach is not supported.
The expiration message is returned because the WSS SP cannot map the unsolicited assertion response to a corresponding authentication request it issued, and therefore treats the response as an error.
Any Browser type
Any WSS access method that uses SAML
Make sure that all users access WSS via the SP-initiated URL, i.e. by simply accessing WSS and letting WSS redirect them to the SAML IDP server.
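The cause above comes down to one check an SP makes on every SAML Response: the InResponseTo attribute must name an AuthnRequest the SP itself issued and still has on record. The following is an added, illustrative model of that check, written for this article; it is not WSS or ADFS code, and the request-ID store, the five-minute request lifetime and the two sample responses are all constructed assumptions. It shows why an SP-initiated login is accepted while an IDP-initiated (unsolicited) response, a response for an unknown request, a replayed response and a response to an expired request are all refused.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


class SamlSp:
    """Minimal model of an SP that only accepts SP-initiated logins.

    Assumed behaviour (not WSS's actual implementation): the SP remembers
    the ID of every AuthnRequest it sends, and a Response is accepted only
    if its InResponseTo matches one of those IDs within the request TTL.
    """

    def __init__(self, request_ttl=timedelta(minutes=5)):
        self.pending = {}            # AuthnRequest ID -> time it was issued
        self.request_ttl = request_ttl

    def start_login(self, request_id, now):
        """SP-initiated flow: record the AuthnRequest before redirecting to the IDP."""
        self.pending[request_id] = now

    def consume_response(self, response_xml, now):
        """Validate a samlp:Response; returns (status, reason)."""
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{SAMLP_NS}}}Response":
            return ("rejected", "not a samlp:Response")
        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            # IDP-initiated responses carry no InResponseTo: nothing to map them to
            return ("rejected", "unsolicited (IDP-initiated) response: no InResponseTo")
        issued = self.pending.pop(in_response_to, None)   # single use: blocks replay
        if issued is None:
            return ("rejected", "no matching pending AuthnRequest")
        if now - issued > self.request_ttl:
            return ("rejected", "matching AuthnRequest has expired")
        return ("accepted", in_response_to)


# Constructed sample responses (no signatures or assertions, only the
# attributes relevant to the mapping step).
SP_INITIATED_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_resp1" Version="2.0" '
    'InResponseTo="_req123" Destination="https://sp.example/acs"/>'
)
IDP_INITIATED_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_resp2" Version="2.0" '
    'Destination="https://sp.example/acs"/>'
)
UNKNOWN_REQUEST_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_resp3" Version="2.0" '
    'InResponseTo="_req999" Destination="https://sp.example/acs"/>'
)


def demo():
    """Run the four scenarios and return their outcomes keyed by name."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    sp = SamlSp()
    results = {}

    sp.start_login("_req123", t0)
    results["sp_initiated"] = sp.consume_response(SP_INITIATED_RESPONSE, t0 + timedelta(minutes=1))
    results["replay"] = sp.consume_response(SP_INITIATED_RESPONSE, t0 + timedelta(minutes=2))
    results["idp_initiated"] = sp.consume_response(IDP_INITIATED_RESPONSE, t0 + timedelta(minutes=1))
    results["unknown_request"] = sp.consume_response(UNKNOWN_REQUEST_RESPONSE, t0 + timedelta(minutes=1))

    sp.start_login("_req123", t0)
    results["expired"] = sp.consume_response(SP_INITIATED_RESPONSE, t0 + timedelta(minutes=10))
    return results


if __name__ == "__main__":
    for name, (status, reason) in demo().items():
        print(f"{name:16s} {status:9s} {reason}")
```

The single-use pop on the pending-request store is what makes the SP-initiated flow both the only accepted path and replay-resistant; an SP that accepted responses without InResponseTo would have to rely on other controls (assertion ID tracking, tight NotOnOrAfter windows) to get the same guarantees.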