We discovered a very narrow bug that affects IdP-initiated SSO login scenarios for clients relying on third-party IdPs (e.g. OneLogin). 2016.3 Patch 2 is a minor patch that addresses this issue. The changes do not impact data integrity or security, and have no material impact on User or Functional Requirements. The changes only affect the SSO micro-service as it relates to this specific scenario, and thus have no direct impact on the main application. As such, there should be no disruption to any user sessions or activity. The patch will be released after all documents are executed.

This change is being managed under change control, a copy of which will be included in the Auditor Share when completed.

ZENQ-2519: SSO: IdP-initiated login failing during email domain/entity ID verification
Identity provider initiated login is failing when performing the check to verify that the entity ID/IdP specified in the SAML response is authorized to authenticate accounts from the user's email domain.
An IEnumerable data type was used to store the list of identity providers associated with the entity ID in the SAML response. This causes problems when the list is enumerated more than once, since items already enumerated are skipped on later passes. The email domain/entity ID verification is failing because of this limitation.
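The failure mode described above, as an added C# example that is not the product's code: an IEnumerable backed by a forward-only source is checked twice, next to the version that materializes it first. The `IdentityProvider` record, the method names, the two-pass shape of the check and the sample rows are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed stand-in for an IdP record; not the product's type.
public record IdentityProvider(string EntityId, string EmailDomain);

public static class DomainCheckDemo
{
    // Assumed backing store: a forward-only source (like a data reader) where
    // every item yielded is consumed and cannot be read again.
    static IEnumerable<IdentityProvider> ForwardOnly(Queue<IdentityProvider> rows)
    {
        while (rows.Count > 0) yield return rows.Dequeue();
    }

    // Constructed sample: two IdP rows registered for one entity ID.
    static Queue<IdentityProvider> SampleRows() => new Queue<IdentityProvider>(new[]
    {
        new IdentityProvider("https://idp.example.test/saml", "example.test"),
        new IdentityProvider("https://idp.example.test/saml", "corp.example.test"),
    });

    // Match on "@domain" so a look-alike suffix cannot satisfy the check.
    static bool CoversDomain(IdentityProvider idp, string email) =>
        email.EndsWith("@" + idp.EmailDomain, StringComparison.OrdinalIgnoreCase);

    // Before: two passes over the same IEnumerable.
    public static bool IsAuthorizedBuggy(IEnumerable<IdentityProvider> idps, string email)
    {
        if (!idps.Any()) return false;                // pass 1 consumes the first row
        return idps.Any(p => CoversDomain(p, email)); // pass 2 never sees that row
    }

    // After: materialize once, then enumerate the list as often as needed.
    public static bool IsAuthorizedFixed(IEnumerable<IdentityProvider> idps, string email)
    {
        List<IdentityProvider> list = idps.ToList();
        if (list.Count == 0) return false;
        return list.Any(p => CoversDomain(p, email));
    }

    public static void Main()
    {
        const string email = "alice@example.test";    // constructed user
        Console.WriteLine($"buggy: {IsAuthorizedBuggy(ForwardOnly(SampleRows()), email)}");
        Console.WriteLine($"fixed: {IsAuthorizedFixed(ForwardOnly(SampleRows()), email)}");
    }
}
```

With this sample the two-pass version rejects a user whose domain sits on the first row, so the check fails closed, while the materialized version accepts the same user.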

