Description
For every HTTP request, MultiSamlStrategy creates a brand new SAML object. This in turn creates a new InMemoryCacheProvider.
Meaning by default, the InResponseTo setting will always cause the middleware to fail with "InResponseTo is not valid". Cache keys will never persist beyond the life time of a single HTTP request unless a custom cacheProvider is supplied.
I don't think the usage of two officially supported parts of the library should silently break. There are a 2 ways to fix this (that I see):
- Add an error if a custom
cacheProviderisn't supplied by the user when using theMultiSamlStrategy.Forcing users to reconfigure this library with an external cache store would workaround this issue. - Have
MultiSamlStrategyhold onto its ownInMemoryCacheProviderobjects by default that it passes to newSAMLinstances. To do this securely, it would need to persist caches for each identity provider.
I lean towards 2, but unfortunately the current API design doesn't require each identity provider to be uniquely keyed. The endpoint SAML option gets close, but that can change with binding methods.
Edit: To be clear, I'm just hoping to open a discussion on how to best resolve this. I'm not demanding it to be fixed or trying to force a solution. I may be able to submit a pull request once we agree on something.