When a sporadic error with the reason:
NO_SAML_REQUEST_OR_SPID (, , )
is logged in a Service Provider (SP) initiated federation, the error occurs after the user has authenticated at the Identity Provider (IDP), at the moment the user is returned to the saml2sso URL.
The failing URL looks like <domain name>/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY
It appears that, on some occasions, the authentication context is lost.
In the affected environment, the sporadic error breaks the login process and stops users from successfully logging in to the Service Provider (SP) application.
Since the SAMLRequest (AuthnRequest) is received via the POST binding, the POST data must be held in the Policy Server's Session Store while the user authenticates at the IDP.
In this instance, the Policy Server was unable to retrieve the SAMLRequest data from the session store after the user authenticated.
This was because the user took longer than 3 minutes to authenticate.
The federation GUID cookie associated with this use case has a default timeout of 3 minutes, after which the browser will no longer present this cookie.
Without the cookie, the SAMLRequest data cannot be retrieved from the Session Store.
By default the timeout value of the federation GUID cookie is 180 seconds, but it can be raised as high as 9999 seconds in the SSO section of the SSO and SLO page of the Partnership. Set it to cover the longest realistic time a user needs to authenticate at the IDP (for example when a second factor or password reset is involved) rather than to the maximum, since the stored AuthnRequest stays retrievable for the whole window, and confirm the fix by checking that the elapsed time between the AuthnRequest being issued and the user returning to saml2sso in the failing cases really exceeded 180 seconds.
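As an added example, not code from the original article or from the product, the following Python shows how to confirm the cause described above: it decodes a SAMLRequest captured from the SP's AuthnRequest POST, reads the request's IssueInstant, and compares it with the time of the failing saml2sso request to decide whether the user exceeded the federation GUID cookie timeout. It also inflates HTTP-Redirect binding requests, which goes beyond the POST-binding case the article covers. The sample AuthnRequest, its ID, issuer, URLs and timestamps are constructed for illustration; the 180-second default is the value stated in the article.

```python
import base64
import zlib
from datetime import datetime
from xml.etree import ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Default federation GUID cookie timeout as described in the article (seconds).
DEFAULT_GUID_COOKIE_TIMEOUT_SECONDS = 180

# Constructed sample AuthnRequest; all identifiers and URLs are hypothetical.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_example-authn-request-1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.com/acs"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://sp.example.com/metadata</saml:Issuer>
</samlp:AuthnRequest>"""

# POST binding: the SAMLRequest form field is plain base64 of the XML.
SAMPLE_POST_SAMLREQUEST = base64.b64encode(SAMPLE_AUTHN_REQUEST.encode()).decode()


def _raw_deflate(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header), as used by the HTTP-Redirect binding."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    return compressor.compress(data) + compressor.flush()


# Redirect binding: base64 of raw-DEFLATE-compressed XML (constructed sample).
SAMPLE_REDIRECT_SAMLREQUEST = base64.b64encode(_raw_deflate(SAMPLE_AUTHN_REQUEST.encode())).decode()


def decode_saml_request(encoded: str) -> bytes:
    """Return the AuthnRequest XML for either a POST or a Redirect binding value."""
    raw = base64.b64decode(encoded)
    try:
        ET.fromstring(raw)          # parses: POST binding, already plain XML
        return raw
    except ET.ParseError:
        return zlib.decompress(raw, -15)  # otherwise inflate the Redirect binding payload


def parse_saml_timestamp(value: str) -> datetime:
    """SAML uses UTC xs:dateTime with a trailing Z; map it to an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_authn_request(encoded: str) -> dict:
    """Extract the fields needed to correlate the request with the failing saml2sso hit."""
    root = ET.fromstring(decode_saml_request(encoded))
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "issue_instant": parse_saml_timestamp(root.get("IssueInstant")),
        "acs_url": root.get("AssertionConsumerServiceURL"),
    }


def seconds_before_return(encoded_request: str, returned_at: str) -> float:
    """Seconds between the AuthnRequest's IssueInstant and the user returning to saml2sso.

    returned_at is the timestamp of the failing saml2sso request, taken from the
    web server or federation trace log, in the same ISO-8601 UTC form.
    """
    request = parse_authn_request(encoded_request)
    return (parse_saml_timestamp(returned_at) - request["issue_instant"]).total_seconds()


def guid_cookie_expired(encoded_request: str, returned_at: str,
                        timeout_seconds: int = DEFAULT_GUID_COOKIE_TIMEOUT_SECONDS) -> bool:
    """True when the user took longer than the GUID cookie timeout, so the browser
    will no longer present the cookie and the stored SAMLRequest cannot be found."""
    return seconds_before_return(encoded_request, returned_at) > timeout_seconds


if __name__ == "__main__":
    for when in ("2024-05-01T10:02:59Z", "2024-05-01T10:04:00Z"):
        elapsed = seconds_before_return(SAMPLE_POST_SAMLREQUEST, when)
        verdict = "expired" if guid_cookie_expired(SAMPLE_POST_SAMLREQUEST, when) else "still valid"
        print(f"returned at {when}: {elapsed:.0f}s after IssueInstant, GUID cookie {verdict}")
```

Run it against a real capture by pasting the SAMLRequest form value from the browser's network trace and the timestamp of the failing saml2sso request from the web agent or FWS log; a result above the configured timeout matches the cause described in this article, while a result well under 180 seconds points to a different problem (for example a session store that is unreachable or that does not share state between Policy Servers).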