OIF 11gR1: Login As New User After Session Expired Produces HTTP-500 Internal Server Error (Doc ID 2095018.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Identity Federation - Version 11.1.1.1 and later
Information in this document applies to any platform.

Symptoms

Oracle Identity Federation (OIF) 11.1.1.x as Identity Provider (IdP) has been configured with Oracle Access Manager (OAM) as the authentication engine.

IdP-initiated SSO is generally working fine but an error occurs for a specific case when the OIF/OAM user session expires.

For the shared computer case where a previous OAM/OIF session has expired, IdP-initiated SSO as a new user from the same browser session fails with HTTP-500 Internal Server Error.

The OIF log shows error "User from existing session (UserA) is different from user locally authenticated (UserB)". For example:


OAM, WebGate and OIF are configured with the same session timeout settings, and all servers in the architecture have been checked for correct time, date and timezone settings.

OIF is configured with memory Session / Message Data Store.

Steps to reproduce

1. UserA opens a browser session on a shared computer.
2. UserA accesses a locally protected OAM application and logs in as UserA: the OAM-protected application page is displayed.
3. UserA clicks an IdP-initiated SSO link in the application: UserA is seamlessly authenticated to the Service Provider and the Service Provider page is displayed.
4. UserA finishes working on the shared computer and leaves the browser session open without clicking the logout link.
5. UserB comes to the shared computer and accesses the OAM-protected application in the open browser session.
6. The OAM/OIF session has expired, so OAM prompts UserB for login.
7. UserB logs into OAM as UserB: the OAM-protected application page is displayed.
8. UserB clicks an IdP-initiated SSO link in the application: HTTP-500 Internal Server Error occurs.


Cause
